Security Laboratory: Defense In Depth Series

Protected Enclaves Defense-in-Depth


By Stephen Northcutt


Protected enclaves simply means subdividing the internal network so that it is not one large zone with no internal protections. This architectural approach to information security defense-in-depth can be accomplished in a number of ways including:

  • Network Admission Control - Where a client (supplicant) must pass muster with the network's policy server before being able to connect to resources on the network.[1]
  • Internal firewalls - Firewalls can be used to enforce a security policy between departments and business units in very large organizations, or between the "core" organization and its acquisitions, divestitures and joint ventures. The primary reason to use firewalls in this manner is to isolate or compartmentalize groups and the sensitive data they handle from ... well, everyone else![2]
  • Internal firewalls at the host level - These can be software based (personal firewalls) or hardware based, such as the 3Com embedded firewalls and policy server: host-based, hardware-embedded firewalls for desktops, servers and notebooks. These firewalls help protect individual systems inside or outside the perimeter, wherever an additional layer of security is needed.[3]
  • VLANs - Though many argue that VLANs should not be used to enforce security,[4] the simple truth is that you have to pass through an Access Control List to travel from one VLAN to another.[5][6] Since you have already paid for the switch, seriously consider taking advantage of the tool to help lock down your network.
  • VPNs - Not only do they give you confidentiality, they also enforce the policy that only hosts authorized to connect to other hosts can do so. This could be very helpful in a worm outbreak.[7]
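
The internal-firewall and VLAN items above share one mechanism: traffic that crosses an enclave boundary must match an explicit access-control rule, with everything else denied, while traffic that stays inside an enclave never hits that ACL. The following Python is an added example, not code from the article or from any vendor named in it; it models that boundary check and also computes which enclaves a host in a given enclave can reach at all, which is the blast radius that compartmentalization is meant to shrink during a worm outbreak. Every enclave name, subnet and rule is constructed for illustration.

```python
"""Model of inter-enclave access control (added example, not from the article).

Enclaves are named subnets (think one VLAN or firewall zone each). A flow
inside one enclave is not filtered here; a flow between enclaves must match
an ACL entry, evaluated first-match-wins with an implicit default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Constructed enclaves: name -> subnet. Real deployments would map these to
# VLAN IDs / firewall zones agreed with the business units they isolate.
ENCLAVES = {
    "finance":     ip_network("10.10.0.0/24"),
    "engineering": ip_network("10.20.0.0/24"),
    "corp":        ip_network("10.30.0.0/24"),
    "servers":     ip_network("10.40.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # source enclave name, or "*" for any
    dst: str              # destination enclave name, or "*" for any
    proto: str            # "tcp", "udp", or "*" for any
    dport: Optional[int]  # destination port, None for any
    action: str           # "allow" or "deny"


# Constructed inter-enclave ACL. Order matters: first matching rule wins.
ACL = [
    Rule("corp",        "servers", "tcp", 443, "allow"),
    Rule("engineering", "servers", "tcp", 22,  "allow"),
    Rule("finance",     "servers", "tcp", 443, "allow"),
    Rule("*",           "finance", "*",   None, "deny"),  # nothing reaches finance
]


def enclave_of(ip: str) -> Optional[str]:
    """Return the enclave containing `ip`, or None if it is in no enclave."""
    addr = ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return None


def _matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (rule.src in ("*", src) and rule.dst in ("*", dst)
            and rule.proto in ("*", proto)
            and (rule.dport is None or rule.dport == dport))


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Decide a single flow: 'allow' or 'deny'."""
    src, dst = enclave_of(src_ip), enclave_of(dst_ip)
    if src is None or dst is None:
        return "deny"      # address outside every enclave: not trusted anywhere
    if src == dst:
        return "allow"     # intra-enclave traffic never crosses the boundary ACL
    for rule in ACL:
        if _matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"          # implicit default deny between enclaves


def reachable_from(src: str) -> Set[Tuple[str, str, Optional[int]]]:
    """Blast radius: every (dst_enclave, proto, dport) a host in `src` may
    reach across an enclave boundary. A blanket deny for a destination
    (proto '*', any port) shadows all later rules for that destination."""
    reach = set()
    for dst in ENCLAVES:
        if dst == src:
            continue
        for rule in ACL:
            if rule.src not in ("*", src) or rule.dst not in ("*", dst):
                continue
            if rule.action == "allow":
                reach.add((dst, rule.proto, rule.dport))
            elif rule.proto == "*" and rule.dport is None:
                break
    return reach


if __name__ == "__main__":
    # Constructed sample flows: the first is a permitted HTTPS hop to the
    # server enclave, the second is a lateral move a worm would attempt.
    print(evaluate("10.30.0.5", "10.40.0.10", "tcp", 443))   # allow
    print(evaluate("10.20.0.7", "10.10.0.3", "tcp", 445))    # deny
    for name in ENCLAVES:
        print(name, "->", sorted(reachable_from(name), key=str))
```

Running `reachable_from` for every enclave is the cheap audit a manager can ask for before deployment: it lists, per zone, exactly what a compromised host there could still talk to, so an over-broad rule shows up as a long line rather than as an incident.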

The application for a computer security manager is pretty simple. Though there is some operational configuration overhead, these architectural approaches need not add a substantial amount of cost, and they buy you a lot of security. The biggest potential gotcha is that they can reduce throughput or add latency. Test thoroughly in a lab environment before procurement and deployment. All of this information is covered in detail in SANS Perimeter Protection In-Depth.[8]

1. http://www.sans.edu/resources/musings/ciscobook.php
2. http://www.corecom.com/external/livesecurity/firewallplace.html
3. http://www.3com.com/en_US/jump_page/embedded_firewall.html
4. https://honor.icsalabs.com/pipermail/firewall-wizards/2004-December/017670.html
5. http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800ddcfb.html#wp1050355
6. http://www.sans.org/resources/perlscript.php
7. http://www1.tools.ietf.org/wg/tsvwg/draft-ietf-tsvwg-vpn-signaled-preemption/draft-ietf-tsvwg-vpn-signaled-preemption-02-from-01.diff.html
8. http://www.sans.org/training/description.php?tid=422