Updated: Aug 25
Defense in depth is a mechanism that safeguards your systems in multiple layers, so that if one layer is compromised the other layers are not affected.
Organizations can use defense in depth to keep their networks and confidential data secure. Threats come from many directions: misconfigurations, software and application bugs, system overloads and disgruntled employees. To guard against such issues and keep the data safe without exposing the applications and the business to risk, we need to implement defense in depth.
The components of defense in depth are deployed in the infrastructure in a way that accounts for the weaknesses and strengths of each individual component.
In this report, we discuss defense in depth and its components for the system infrastructure. We also discuss the risks posed to business security when any one of these components is absent.
Defense in Depth
Defense in depth is an information assurance concept, also called the ‘Castle Approach’. It is used to protect information systems from potential risks, theft and fraud. It provides security in multiple layers and so defends the networks of the business organization; if one layer malfunctions, it has no adverse effect on the other layers.
The multiple-layer technique was devised by the NSA (National Security Agency) as a castle approach to information security.
The main purpose of defense in depth is not only to prevent security breaches but also to stop or limit their recurrence by giving the organization time to detect an attack and respond to it. It is thus a double-action defense: the present attack is defended against, and a shield is put in place so that it does not recur.
There are three types of control areas:
- Physical controls: control through dogs, fences, CCTV and by limiting physical access to IT systems.
- Technical controls: biometrics, eye and voice readers, disk encryption and Windows Active Directory.
- Administrative controls: the organization’s policies and procedures, such as hiring practices, security requirements and data-handling procedures.
Many components of defense in depth are needed in the system infrastructure; these components are discussed below:
List of Components
Following is the list of components used in ‘Defense in Depth’:
- Antivirus Software
- Anti-Spyware Programs
- Hierarchical passwords
- Intrusion Detection
- Biometric Verification
- Static Packet Filters
- IDS and IPS
Explanation of the Components
In this section, we explain five of the components listed above:
Static Packet Filters:
Static packet filters are the border routers that filter the traffic entering and leaving the network. These SPFs form two layers in your defense system: the first incoming layer and the last outgoing layer. They block traffic that contains viruses or malformed packets, and traffic that is not destined for the client’s network. Such filtering is referred to as ingress and egress filtering: it drops spoofed traffic and permits only the traffic that is legitimately destined to enter the internal network or to leave for the external network. Traffic associated with the SANS Top 20 Vulnerabilities list, ICMP, and DDoS traffic (Smurf attack) is blocked with the help of static packet filters.
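The ingress and egress rules described above, written out as an added example (not part of the original report); the internal network 10.0.0.0/8, the broadcast addresses and the sample packets are constructed for illustration:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed topology for this example: the LAN behind the border router.
INTERNAL_NET = ip_network("10.0.0.0/8")
BROADCAST_ADDRS = {ip_address("10.255.255.255"), ip_address("255.255.255.255")}
ICMP_ECHO_REQUEST = 8  # ICMP type used by ping; the Smurf attack abuses it


@dataclass(frozen=True)
class Packet:
    iface: str          # "ext": arriving from the Internet; "int": leaving the LAN
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    icmp_type: int = -1


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Static (stateless) rules: each packet is judged on its own header fields."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.iface == "ext":
        # Ingress filtering: a packet from outside must never claim an inside address.
        if src in INTERNAL_NET:
            return ("DROP", "ingress: spoofed internal source address")
        # Echo requests aimed at a broadcast address are the Smurf amplification pattern.
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST and dst in BROADCAST_ADDRS:
            return ("DROP", "ingress: ICMP echo request to broadcast (Smurf)")
        # Only traffic destined for the internal network is allowed to enter.
        if dst not in INTERNAL_NET:
            return ("DROP", "ingress: not destined for the internal network")
    elif pkt.iface == "int":
        # Egress filtering: traffic leaving the LAN must carry one of our own addresses.
        if src not in INTERNAL_NET:
            return ("DROP", "egress: spoofed source address leaving the network")
        # Internal-to-internal traffic does not belong on the external link.
        if dst in INTERNAL_NET:
            return ("DROP", "egress: internal destination on external link")
    else:
        return ("DROP", "unknown interface")
    return ("ACCEPT", "permitted")


def summarize(packets) -> dict:
    """Count verdicts over a batch of packets, as a border router's counters would."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for pkt in packets:
        counts[filter_packet(pkt)[0]] += 1
    return counts
```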
Firewalls:
Firewalls are of two types: stateful firewalls and proxy firewalls.
A stateful firewall is also a well-known layer of defense in depth. It blocks reconnaissance attempts and traffic from unknown, non-permitted and non-established connections. It is an important layer of defense in depth owing to its ability to block reconnaissance such as an Nmap ACK scan.
Proxy firewalls are used as a complement or an alternative to stateful firewalls. A proxy firewall also blocks traffic from unknown, non-permitted and non-established connections, but offers stronger security than a stateful firewall. With a proxy firewall, internal and external hosts never communicate directly with each other, and filtering is done on the basis of the protocol. The entire packet is examined for compliance with the protocol indicated by the destination port number. By letting only protocol-compliant traffic pass, the proxy ensures that no malicious activity or traffic enters or leaves the system.
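Connection tracking as a stateful firewall does it, shown as an added example (not code from the report); the flow-table states, the addresses and the packet sequence are constructed, and the point is that a lone inbound ACK with no tracked connection behind it, the probe an Nmap ACK scan relies on, is dropped rather than answered:

```python
from typing import Dict, Tuple

# TCP flag bits as laid out in the header; only the ones the tracker needs.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# A flow is keyed from the inside host's point of view, whichever way a packet travels.
FlowKey = Tuple[str, int, str, int]  # (inside ip, inside port, outside ip, outside port)


class StatefulFirewall:
    """Tracks connections opened from the inside and admits only packets that belong to one."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}  # flow -> "SYN_SENT" | "ESTABLISHED"

    def inspect(self, direction: str, src: str, sport: int, dst: str, dport: int, flags: int) -> str:
        if direction == "out":
            key: FlowKey = (src, sport, dst, dport)
            if flags & SYN and not flags & ACK:
                self.table[key] = "SYN_SENT"        # inside host is opening a connection
                return "ACCEPT"
            if key not in self.table:
                return "DROP"                       # outbound packet for a flow never opened
            if flags & ACK and self.table[key] == "SYN_SENT":
                self.table[key] = "ESTABLISHED"     # third step of the handshake
            if flags & (FIN | RST):
                del self.table[key]                 # connection torn down
            return "ACCEPT"

        # Inbound: same flow key, seen from the inside host's side.
        key = (dst, dport, src, sport)
        state = self.table.get(key)
        if state is None:
            # Unsolicited inbound segment. A stateless filter would pass a lone ACK and
            # the host's RST would reveal an unfiltered port; with no matching entry in
            # the table the segment is simply dropped and nothing is revealed.
            return "DROP"
        syn_ack = (flags & (SYN | ACK)) == (SYN | ACK)
        if state == "SYN_SENT" and not (syn_ack or flags & RST):
            return "DROP"                           # only SYN/ACK or RST may answer our SYN
        if flags & (FIN | RST):
            del self.table[key]
        return "ACCEPT"
```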
IDS and IPS
IDS serves as the eyes and ears for malicious attacks that get past the other defense layers. It is a trained defense component that works from the critical points in the network, so if any malicious activity crosses the other defense layers, the IDS is there to keep it from entering the system. A typical IDS sensor connects directly to the network segment at the firewall and at the critical points. The IDS also reports any kind of infringement being attempted, alongside blocking or barring it from entering the system.
If a machine is infected by a virus or worm, an IDS with the proper signature can keep the other machines functioning by identifying the machines carrying the worm and isolating them quickly.
IPS is a facility employed along with IDS that not only detects attacks but also thwarts them.
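The sensor behaviour described in the three paragraphs above, as an added example that is not from the report: signature matching raises IDS alerts, the IPS drops the matching packet, and a source that hits a signature against several peers is isolated so the worm cannot reach the other machines. The signatures, the isolation threshold and the sample packets are constructed for this example and match nothing real.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures for this example only; real rule sets are far richer.
SIGNATURES = {
    "CONSTRUCTED-WORM-PROPAGATION": re.compile(rb"WORM-MARKER-[0-9A-F]{4}"),
    "CONSTRUCTED-BACKDOOR-BANNER": re.compile(rb"\ABACKDOOR-HELLO"),
}


class IdsIpsSensor:
    """Sensor at a critical point: an IDS that alerts, plus an IPS that blocks and isolates."""

    def __init__(self, isolate_after: int = 2) -> None:
        self.alerts: List[str] = []
        self.victims: Dict[str, Set[str]] = defaultdict(set)  # source -> distinct hosts it hit
        self.isolated: Set[str] = set()
        self.isolate_after = isolate_after  # distinct victims before a source is quarantined

    def inspect(self, pkt: Packet) -> str:
        # IPS: a host already quarantined gets nothing through, malicious or not.
        if pkt.src in self.isolated:
            return "DROP"
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                # IDS: record what was attempted and by whom (the "eyes and ears").
                self.alerts.append(f"{name} {pkt.src} -> {pkt.dst}:{pkt.dport}")
                self.victims[pkt.src].add(pkt.dst)
                # A source hitting a signature against several peers is treated as an
                # infected machine and isolated so the worm cannot reach the others.
                if len(self.victims[pkt.src]) >= self.isolate_after:
                    self.isolated.add(pkt.src)
                return "DROP"  # IPS: thwart the attack packet itself
        return "ACCEPT"


def run_sensor(packets) -> IdsIpsSensor:
    """Feed a batch of observed packets through a fresh sensor and return it for inspection."""
    sensor = IdsIpsSensor()
    for pkt in packets:
        sensor.inspect(pkt)
    return sensor
```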
VPN:
A VPN secures communications with a server when a user logs on through an unprotected network such as the Internet. Working from home is now common, with employees logging on to the office server from their personal networks. A VPN protects such communication on an end-to-end basis: no one can monitor the traffic, no one can modify it without the change being detected, and no one can log on without password verification, which creates a trustworthy environment for legitimate users. Communication is transferred to and from the trusted user only.
Antivirus:
Antivirus is the last in this list but not the least in importance. It is an additional layer of protection that bars the bad guys from peeping into your system and monitoring your activities. It is virus protection that functions as an ‘anti’ to viruses, worms, malpractice and unauthorized check-ins and traffic into the system. It is an added layer of defense in depth. It costs a little, but far less than the cost of the system damage caused by a virus infection. There are many antivirus products available in the market, and the question is always which one to choose. The answer is to choose the software that best suits your business and its capabilities.
These, then, are the explanations of five components out of many, each forming a different layer of ‘Defense in Depth’.
Risks Posed by the Absence of Any of the Above Components
As mentioned earlier, defense in depth is multilayer protection against malpractice, unauthorized traffic and viruses that can attack your information system. If any one layer is missing, the other layers are not affected, but the absence may weaken the protection against such malpractice. In this section, we discuss the risks associated with each of the components explained above being missing:
Risk posed by the absence of Static Packet Filters:
Static packet filters are the routers that manage incoming and outgoing traffic and act as border security in two layers, the first and the last. If this layer is missing from the defense in depth, scrutiny of the incoming and outgoing traffic is weakened. Other layers can still provide protection, but with less intensity. The border routers are the first barrier against malicious traffic, and if that first barrier is missing, it becomes easier for the bad guys to peep into your data.
Risk posed by the absence of Firewalls:
Firewalls are one of the most important layers in defense in depth. They protect against reconnaissance by blocking it, prevent direct communication between hosts, and perform their task by considering the protocol indicated by the destination port number. Without firewalls, reconnaissance would be hard to block and hosts would communicate directly, leaving the system more exposed to its vulnerabilities.
Risk posed by the absence of IDS and IPS:
IDS and IPS are the eyes and ears for malfunctions and malpractice. IDS works from the critical points and identifies attacks and worms, thus protecting the other machines from infection. IPS works as additional protection that not only identifies the attack but also thwarts it. Without IDS and IPS, nothing could be watched from the critical points, and if one system became infected it would be nearly impossible to save the other machines.
Risk posed by the absence of VPN:
A VPN, as already discussed, protects the user’s server from attack and monitoring when a user logs in to the server from a personal network over the Internet. It enables safe communication between users on the same server, since nobody can monitor or modify their actions without being detected. Without this layer, the servers would no longer be trustworthy, and the important data and communications of the business could be leaked and infringed.
Risk posed by the absence of Antivirus:
Antivirus is the extra layer in network and system security. Without antivirus, blocking viruses, worms and other malpractice would be a challenge. A system or network without antivirus is less immune and more readily targeted by viruses.
These, then, are the risks associated with the absence of the above components of ‘Defense in Depth’.
Defense in depth is multilayer protection of the network and information systems against malpractice, viruses and attacks. Its different layers and components give foolproof security against such malpractice, keeping the company’s data and critical information intact and secured. The best part is that if one layer is missing or breached, the other layers, being unaffected, keep the system safe and secure. There are many components of defense in depth, as discussed above (firewalls, antivirus, IDS, VPN, static packet filters, etc.), that provide multilayer protection against infringement, vulnerability and malpractice.