Defense In Depth

By | May 28, 2004

Perhaps the best way to visualize Defense in Depth as it relates to Information Security is to view the recent blockbuster movie: “The Two Towers”. When the antagonists approached the perimeter defenses at Helm’s Deep, they were first greeted by a volley of arrows.

As they approached closer, rocks and boiling oil was thrown on their heads. Then there was the actual wall to contend with. As they brought up siege ladders, they were thrust back with long poles. As they jumped on the tower ramparts they were engaged hand to hand. But despite of the defenses due to the perceived value attached to defeating Rohan, evil nearly prevailed.

As of late when one considers network and especially Internet security one might wonder if good will prevail in the real world. But while the unvigilant got hammered by SoBig.F and Blaster, we can rest assured that though internet functionality might be compromised, and we may not be able to see our bank account online, the data itself remains secure due to internal network defense in depth.

The Layers of Modern Network Security

While the bulk of the layers of network security occur inside the firewall, it is important to realize that most all data is on a network where virtually every other computer in the world has potential access.

At the most course level, routers and network devices can achieve some degree of protection by filtering IP address. Routers function at the Network layer in the TCP/IP protocol stack and can thus see the IP addressing information. The router achieves this functionality through the use of ACL or access control lists. This can block certain IP addresses or certain ports and thus control traffic flow.

The problem with this of course is that with the Web being an ever changing environment to stay current with the ACL’s quickly becomes a nightmare. But they can prevent things like your SQL database from being exposed on the Web.

The next thing to consider moving in from the Wild Wild Web is the firewall. This is a frequently discussed and often misunderstood aspect of defense in depth. Firewalls can protect the internal network from the internet or a more secure network from a less secure one. A firewall is one place where the nebulous concepts outlined in the organizations Security Policy is expressed in hardware and software. It controls what services are accessible, what IP addresses and ranges are accessible and what ports can be accessed.

The overall idea of the firewall is a choke point in the network where all traffice flows to is inspected and is potentially restricted. It is actually a type of gateway that can be a router, computer, authentication server, or a specialized hardware device. It monitors all traffic coming into and out of the network based on predetermined rules.

General Types of Firewalls

Technically firewalls are considered to be packet filtering, proxy firewalls or stateful firewalls.

Packet filtering firewalls are like packet filtering routers but with some differences in implementation. Basically they work using ACL’s at the network layer. This set up is very scaleable, high-performance and application independent, but offers relatively low security compared to the other choices.

A proxy firewall acts as a middleman between the two parties and decides whether or not the communication should be allowed. There is no direct connection between the two parties, and thus this setup shields internal network information from prying outside eyes. The proxy is the only machine with a visible IP address on the internet. The proxy makes a copy of each incoming packet, changes the source address and puts it on the wire to the destination address.

Proxy firewalls can be further divided into application level proxy firewalls and circuit level proxy firewalls. Application level proxies inspect the entire packet and make access decisions based on the header information and the content of the packet. They allow for a high level of security because they allow the greatest level of control, but they can be resource intensive and decrease network performance because of the computing involved.

Circuit level proxies make filtering decisions based on header information, IP addresses, ports, protocol type and protocol flags. They provide greater flexibility than application level proxies, but less security.

The most advanced type of firewall is the stateful firewall which keeps track of the actual communication process by use of a state table. It also follows connectionless protocols like UDP, and the state and context of the data in the packets are stored in the state table and updated continuously.

These different types of firewalls can be combined in layers and thus can add depth to an organizations information defense.

For example, traffic that comes in from the untrusted network is first filtered via packet filtering on the outer router. The traffic that makes it past this phase is then sent to the screened host firewall or bastion host system which applies more rules to the traffic and discards suspect packets. The traffic then is sent to an interior screening router. Only after this does the traffic move to the internal destination host. This type of DMZ setup is called a screened subnet configuration.

The common misconception is at this point the internal network is safe. This myth is probably encouraged by the booming firewall business. But there are several things to think about that dispel that myth.

First of all no matter what study is cited, all evidence points to the fact that a significant amount of intrusions come from hosts within the network. Firewalls often do little to protect against viruses downloaded through email. Also, they do not protected against rogue modem installations. And most importantly, a firewall is no substitute for informed admins and users.

No backup no recovery is an often repeated adage in Information Security. Valuable data is not only exposed to people with malicious intent, but also suffers loss from hardware failure, and user oversight as well as acts of nature. Redundant hardware addresses the issue of hardware failure and offsite storage the last issue.

Access controls keep important organizational data from being accessed inappropriately. Public Key cryptography insures data confidentiality in storage. When used on the wire, it can adversely impact another important layer of defense, intrusion detection.

Intrusion detection can help determine whether an organization’s systems have been compromised. There are two basic types of IDS, host based and network based. Host based frequently comes out of the box with an OS like Windows Server 2003. It must be configured, and it should be centrally logged to save Admin time. Often these are set up on critical machines only like Domain Controllers or network storage servers.

Network based IDS’s can be Signature-Based or Behavior Based. Signature based IDS’s are based on the fact that attacks have certain patterns or signatures. Vendors do updates on this IDS’s similar to Antivirus software makers, when new attacks are discovered, they are added to the signature base. This type is also called rules based IDS. A model based approach looks for known procedures to breach a network like scanning certain ports. A State Based IDS looks for exchange of data between source and destination to look for malicious activity.

Behavior based IDS on the other hand compares current traffic to a reference of normal network behavior. The drawback is that this can produce false negatives.

Leave a Reply