
Components Used for Defense in Depth

In the document CCSP SECUR Exam Certification Guide (Page 81-85)

The number and combination of different components used to secure today’s networks changes continuously as new threats and threat-mitigation techniques arise. The following list identifies some of the many components used for a defense in-depth strategy:

Security policy—An effective security policy is the centerpiece of any organization’s security implementation. As described in Chapter 1, “Network Security Essentials,” and Chapter 2, “Attack Threats Defined and Detailed,” the security policy defines the who, what, when, where, why, and how of every aspect of an organization’s operations. Although many aspects are not defined in technical detail, the overall functionality is defined in the policy. All the following elements are merely the implementation of the security policy.

Use of authentication, authorization, and accounting (AAA)—The implementation of AAA helps ensure that only authorized users access resources necessary to perform their job functions. Additionally, accounting and audit logs can be used to determine whether users are performing tasks that expose the network to unnecessary security risks.

VPN connectivity—VPN technology is normally considered to be a cost-saving measure because it allows organizations to interconnect offices across the Internet. The use of VPN technology is not limited to the Internet and is normally determined by the organization, its business function, the type and value of its data, and the perceived threat. Many organizations that maintain very sensitive data use VPN technology to secure dedicated circuits between their offices even though both endpoints are known. The use of VPN technology is a major cost-saving factor for many organizations because it enables them to get rid of expensive dedicated connections and securely interconnect their different offices across public networks. Another significant advantage is the ability to secure connections for remote users. With the increase in the availability of broadband Internet connectivity, many users are able to work from home using an encrypted connection to their corporate network.

Table 3-2 Potential Targets (Continued)

Target: Data
Description: Data can be intercepted and manipulated, but the data itself does not have any vulnerabilities. Normally attacks are launched to access specific data. When access is gained, that data may be copied, altered, or destroyed.

Target: Management components
Description: Because management components are used to manage the different network components, it is important to ensure that they are secured to prevent an attacker from gaining control of the entire network.

Network segmentation—A jewelry store owner does not normally leave his most valuable merchandise in an unlocked cabinet in the front of the store. The best way to protect assets is to segregate them by their value and restrict access to specific users, groups, and so on. Network segmentation can be completed with firewalls, routers, and switches by the effective implementation of access lists, VLANs, and address/port translation.

Assets that require specific access from a specific audience can be grouped together and placed on the same network segments. (For instance, all servers that host websites for public access should reside on a public DMZ segment, should be assigned public address space [non-RFC 1918], and should allow access from the Internet via the standard HTTP ports.) Assets that require limited access should be placed further within the network and can use RFC 1918 addressing to prevent access from the Internet. Access to these assets can be restricted to specific sources and include the use of nonstandard ports by using Network Address Translation (NAT) and Port Address Translation (PAT). Figure 3-1 depicts a simplified version of network segmentation.

Figure 3-1 Network Segmentation

(The figure itself is not reproduced here; its labels and callouts read as follows.)

Internet

Data

RFC1918 addressing is used on all three special use DMZ segments.

R&D VLAN

The R&D VLAN is protected at the core switch and by the installation of an additional IOS firewall.

IPSEC VPN connection between the internal network and branch office.

1. RFC1918 addressing used on all internal network segments.

2. Network IDS placed at all critical points.

3. Host-based IDS and virus protection installed on critical systems.

Access to the Public DMZ is restricted to specific ports at the firewall.

Overview of Defense in Depth 49

As Figure 3-1 illustrates, all network resources are segregated by type and value. Assets with a greater value to the organization are located further within the network and are, therefore, protected at multiple layers within the network. The use of RFC 1918 addressing on the internal networks prevents attacks that originate from the Internet unless those segments are NAT’d at the network perimeter. Additionally, network intrusion detection systems (IDS) should be implemented liberally at all critical points of the network, and host-based IDS and virus protection should be implemented on all hosts.
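The placement rules described for segmentation can be checked mechanically against an asset inventory. The following is an added example (not code from the book or from Cisco): a small Python audit over a constructed inventory with hypothetical host names and addresses, flagging Internet-facing assets that sit on RFC 1918 space or expose ports beyond the standard HTTP ports, and limited-access assets that sit on routable space.

```python
import ipaddress

# The three RFC 1918 private blocks named in the text.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports the text calls "the standard HTTP ports" for public web servers.
STANDARD_HTTP_PORTS = {80, 443}

# Constructed inventory (hypothetical hosts; addresses are documentation ranges).
# "audience" is who must reach the asset, "ports" the ports it exposes to them.
ASSETS = [
    {"name": "www1", "ip": "203.0.113.10", "audience": "internet", "ports": {80, 443}},
    {"name": "hr-db", "ip": "10.20.0.15", "audience": "internal", "ports": {1433}},
    {"name": "www2", "ip": "192.168.5.7", "audience": "internet", "ports": {80, 443}},
    {"name": "files", "ip": "198.51.100.9", "audience": "internal", "ports": {445}},
    {"name": "www3", "ip": "203.0.113.11", "audience": "internet", "ports": {80, 8080}},
]


def is_rfc1918(ip):
    """True if the address lies in one of the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_asset(asset):
    """Return the segmentation-policy findings for one asset (empty = compliant)."""
    findings = []
    if asset["audience"] == "internet":
        # Public servers belong on the public DMZ with non-RFC 1918 addresses
        # and should be reachable from the Internet only on the standard HTTP ports.
        if is_rfc1918(asset["ip"]):
            findings.append("internet-facing asset on RFC 1918 address")
        extra = sorted(asset["ports"] - STANDARD_HTTP_PORTS)
        if extra:
            findings.append(f"non-standard ports exposed to the Internet: {extra}")
    else:
        # Limited-access assets sit deeper in the network on RFC 1918 space so
        # they are unreachable from the Internet unless explicitly NAT'd.
        if not is_rfc1918(asset["ip"]):
            findings.append("internal asset on routable (non-RFC 1918) address")
    return findings


def audit(assets):
    """Map each non-compliant asset name to its findings."""
    report = {}
    for asset in assets:
        findings = check_asset(asset)
        if findings:
            report[asset["name"]] = findings
    return report
```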

Dynamic perimeter security—It would not be wise to think that a statically configured firewall or router could protect your network against attacks in an environment that is as dynamic as today’s Internet. A statically configured device can only protect against known attacks. Because technology continues to change at such a rapid pace, the challenge is to protect against the unknown. The most effective way to do this is through the effective use of firewalls/routers and IDS. This topic is discussed in greater detail in Chapter 16, “Intrusion Detection and the Cisco IOS Firewall.”

Host-based defense—The prelude to any host-based defense is for the host to be as secure as possible. The developers of operating systems and applications produce service packs and patches as soon as a vulnerability has been identified. To limit the number of vulnerabilities that can be exploited by an attacker, it is very important to ensure that all systems are up to the recommended patch level. If an attacker were able to penetrate multiple lines of defense to get to the target host, the attack would still be ineffective if the attacker were unable to access their target. Host-based IDS are installed between the operating system and the kernel and can detect and prevent unauthorized activity on the host system. Additionally, these systems normally generate an alarm to identify that the system is under attack. There are two different types of host-based IDS:

— Signature based—Signature-based IDS watch the system and match instruction sets with the signatures of known attack profiles.

— Anomaly based—Anomaly-based IDS require time to establish a baseline of approved activities. Any instruction that is not part of the approved baseline is considered to be an attack and is blocked. Of course, you can configure the anomaly-based IDS to perform specific functions when it encounters instructions that are not within the baseline instead of just blocking the instruction. The major advantage of anomaly-based IDS is that it enables you to protect against the known and unknown threat.

NOTE This access “from the Internet” does not include known hostile hosts and networks. Known hostile entities are addresses that have performed reconnaissance or other attacks and are identified by firewall and IDS log correlation and trending. These addresses are normally blocked at the perimeter. Chapter 2 discussed motivations of the intruder. Some organizations will identify organizations that have an agenda contrary to their own as “hostile” and either monitor them very closely or block their access altogether.

Effective monitoring—Why do burglar alarms normally include a siren? So people will know that someone is trying to break in. Firewalls, routers, switches, IDS, and virtually every other piece of network equipment produce an incredible amount of log data. It is very important that critical systems are monitored to accurately determine the state of the network.

Correlation and trending—This is the next step in effective monitoring. Correlation and trending enable you to determine what is “normal.” By identifying what is normal, you can determine what is not normal and what you need to react to. Additionally, correlation products enable you to correlate data from multiple devices to get a better picture of the situation. This enables you to see the data from a possible attack from many different sources (firewall/router, IDS, and so on).
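As an added example (not code from the book), the following Python script performs the two steps just described over constructed firewall and IDS log lines in a hypothetical format: it counts firewall denies per source against a baseline (trending) and joins those counts with IDS alerts naming the same source (correlation), which is how the NOTE above says known hostile addresses are identified for blocking at the perimeter. Device names, log format and addresses are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample logs in a hypothetical format (documentation-range addresses).
FIREWALL_LOG = """\
fw1 deny tcp 198.51.100.23:51000 -> 203.0.113.10:22
fw1 deny tcp 198.51.100.23:51001 -> 203.0.113.10:23
fw1 deny tcp 198.51.100.23:51002 -> 203.0.113.10:3389
fw1 permit tcp 192.0.2.77:40000 -> 203.0.113.10:443
fw1 deny tcp 192.0.2.77:40001 -> 203.0.113.10:22
fw1 permit tcp 198.51.100.5:40100 -> 203.0.113.10:80
"""
IDS_LOG = """\
ids1 alert "port scan" src=198.51.100.23 dst=203.0.113.10
ids1 alert "web attack" src=192.0.2.77 dst=203.0.113.10
"""

FW_RE = re.compile(r"^\S+ (permit|deny) \S+ (\S+):\d+ -> (\S+):(\d+)$")
IDS_RE = re.compile(r'^\S+ alert "([^"]+)" src=(\S+) dst=(\S+)$')


def parse_firewall(text):
    """Return (action, src, dst, dport) tuples; non-matching lines are skipped."""
    return [(m[1], m[2], m[3], int(m[4]))
            for m in (FW_RE.match(l) for l in text.splitlines()) if m]


def parse_ids(text):
    """Return (signature, src, dst) tuples from IDS alert lines."""
    return [(m[1], m[2], m[3])
            for m in (IDS_RE.match(l) for l in text.splitlines()) if m]


def correlate(fw_text, ids_text, deny_baseline=2):
    """Trending: denies per source vs. a baseline. Correlation: join with IDS alerts
    for the same source. Returns {source: [reasons]} for sources worth reviewing."""
    denies = Counter(src for act, src, _, _ in parse_firewall(fw_text) if act == "deny")
    alerts = defaultdict(list)
    for sig, src, _ in parse_ids(ids_text):
        alerts[src].append(sig)
    report = {}
    for src in set(denies) | set(alerts):
        reasons = []
        if denies[src] > deny_baseline:
            reasons.append(f"{denies[src]} denies exceeds baseline of {deny_baseline}")
        if alerts[src]:
            reasons.append("IDS alerts: " + ", ".join(alerts[src]))
        if denies[src] and alerts[src]:
            reasons.append("seen by both firewall and IDS")
        if reasons:
            report[src] = reasons
    return report
```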

Effective security process—Remember that the process is the effective implementation of the policy. The process is ongoing and is the driving force behind the constant improvement of your security posture. The security wheel discussed in Chapter 1 depicts how potential threats are identified and mitigated as part of the ongoing evolution of the network; it includes four steps:

Step 1 Secure—Secure the network against all known vulnerabilities by implementing equipment, processes, and system configurations.

Step 2 Monitor and Respond—Monitor the network to ensure that the preceding changes have the desired result and respond to any adverse effects or newly discovered issues.

Step 3 Test—Test the network to verify that the components, processes, and configuration changes have secured the network.

Step 4 Manage/Improve—Continue to manage the network and implement improvements as necessary.

The use of defense in depth enables you to move from the old analogy of the network being a chain and only being as strong as the weakest link. Today’s networks should function more as vines that are constantly growing and improving. The vines are dynamic and can adapt to changing environments, which is exactly how a secure network should function. All the components of defense in depth are discussed in great detail in the Cisco “SAFE: A Security Blueprint for Enterprise Networks,” which can be found at http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_package.html.

It is estimated that approximately 70 percent of network attacks originate from within the network. This fact, and the relatively new threat of dynamic attacks, is the driving force behind the concept of multiple layers of defense. It is crucial to ensure that your core networks are adequately protected from all attacks without regard to the source of the attack.

