
Is a 'self-defending network' possible?

Is there a product available that can be plugged into your network and allow you to rest easy? Mike Chapple explains what vendors may be suggesting when they tout a 'self-defending' network.

Certain vendors have long touted the benefits of what has been called the "self-defending network." Can a self-defending network really be possible, and if so, do I have to buy a certain vendor's products to have one?

The term "self-defending network" is clearly marketing hype promoted by a certain manufacturer of networking and security gear. If you're asking whether there's a product available that can be plugged into your network and allow you to rest easy, the answer is an unqualified "absolutely not." No matter what network devices you choose, there is simply no substitute for the time and expertise of qualified security professionals.

That said, there is some benefit to choosing interoperable security products, which is likely what the "self-defending" expression is suggesting. If you have an intrusion prevention system (IPS), a security incident manager and a network admission control (NAC) system that can recognize each other and even make use of each other's data, you can save a great deal of the time you'd normally spend correlating events from each system individually.
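The correlation benefit described above, as an added illustration (not code from the page or from any vendor's product): a small Python correlator that joins IPS alerts to NAC admission records by source address, so an analyst sees the user, device and posture next to each alert instead of looking them up in a second console. The record fields, the eight-hour admission window and the priority rules are assumptions chosen for this example, and the sample data is constructed.

```python
"""Correlating IPS alerts with NAC admission records.

Added example, not code from the page or from any vendor's product. The
record layouts, the 8-hour admission window and the priority rules are
assumptions chosen for illustration; the sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class IpsAlert:
    ts: datetime
    src_ip: str
    signature: str


@dataclass
class NacRecord:
    ts: datetime        # time the host was admitted to the network
    ip: str
    user: str
    device: str
    posture: str        # "compliant" or "non-compliant" at admission


@dataclass
class Incident:
    alert: IpsAlert
    user: Optional[str]
    device: Optional[str]
    posture: Optional[str]
    priority: str


ADMISSION_WINDOW = timedelta(hours=8)   # assumed lease lifetime


def lookup_admission(nac: List[NacRecord], ip: str, at: datetime) -> Optional[NacRecord]:
    """Most recent NAC admission of `ip` at or before `at`, if still within the window."""
    best = None
    for rec in nac:
        if rec.ip == ip and rec.ts <= at and at - rec.ts <= ADMISSION_WINDOW:
            if best is None or rec.ts > best.ts:
                best = rec
    return best


def correlate(alerts: List[IpsAlert], nac: List[NacRecord]) -> List[Incident]:
    """Enrich each IPS alert with who and what NAC admitted at that address.

    An alert from an address NAC has no current record for is the most
    interesting case: either NAC was bypassed or the admission data is stale,
    so it is raised to high priority for a human to look at.
    """
    incidents = []
    for alert in alerts:
        rec = lookup_admission(nac, alert.src_ip, alert.ts)
        if rec is None:
            incidents.append(Incident(alert, None, None, None, "high"))
        else:
            priority = "high" if rec.posture != "compliant" else "medium"
            incidents.append(Incident(alert, rec.user, rec.device, rec.posture, priority))
    return incidents


# Constructed sample data (not real events).
T0 = datetime(2007, 10, 1, 9, 0)
SAMPLE_NAC = [
    NacRecord(T0, "10.0.0.5", "alice", "LAPTOP-01", "compliant"),
    NacRecord(T0 + timedelta(minutes=5), "10.0.0.6", "bob", "DESKTOP-02", "non-compliant"),
    NacRecord(T0 - timedelta(days=1), "10.0.0.7", "carol", "LAPTOP-03", "compliant"),  # stale
]
SAMPLE_ALERTS = [
    IpsAlert(T0 + timedelta(minutes=30), "10.0.0.5", "internal-port-scan"),
    IpsAlert(T0 + timedelta(minutes=31), "10.0.0.6", "beacon-like-outbound-traffic"),
    IpsAlert(T0 + timedelta(minutes=32), "10.0.0.7", "policy-violation"),
    IpsAlert(T0 + timedelta(minutes=33), "10.0.0.9", "exploit-attempt"),
]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS, SAMPLE_NAC):
        print(inc.priority, inc.alert.src_ip, inc.alert.signature,
              inc.user, inc.device, inc.posture)
```

The join is deliberately bounded by an admission window: a NAC record older than the assumed lease lifetime is treated as unknown rather than trusted, which is what turns the stale carol record and the never-admitted 10.0.0.9 into the two alerts an analyst should open first.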

As with any marketing catchphrase, I'd urge you to take the term "self-defending network" with a grain of salt. Perhaps the idea would be more accurately termed as a "coordinated defense network." But I guess that wouldn't sell as many widgets.


This was last published in October 2007


Snake oil... at least in the sense of a type of product.

The best self-defending network strategy is default deny. No one will ever do it because 99.9% of people don't have the fortitude or knowledge to pull it off and do it well. Those that do are celebrities and you won't find them in the CISO position of any company. Even if they were, they don't have the tools to do it right in a production environment. The tools simply don't exist.

They're also too busy giving talks at conferences decrying the terrible security of everything. No company could (or wants to) afford to hire them.

Security is simply not important enough to stockholders to do correctly. Ironically, long term, default deny is the most effective, easiest and least expensive way to be secure.

You just need a team of people that can do it effectively and most people don't consider developers (for example) to be an important part of a security organization, yet they're the ones who could make default deny manageable.


So self-defending networks are very possible, but you can't buy a product that will make your network self-defending. You need to design the entire thing that way from the ground up and have the necessary tools to manage it.

I'm currently developing some FOSS tools to make a default deny network manageable. Keep an eye out on sourceforge, keywords: default deny.

I've just set up my environment and am working on the tools now. First up is a white list based default deny proxy with a management application.

It's basically a default deny content filter.

Here's the use case:
User tries to access site.
Site isn't in white list.
Email automatically goes to user's manager.
Manager clicks link to get a preview of what the content is.
They approve it or deny it with 2 links available at top of preview.
Application uses their domain creds to validate them as the manager.
If they deny it goes into a blacklist so the manager won't get bothered again. (with an option to get a report of attempted access to blacklisted domains)
If they allow, the domain gets whitelisted and CISO gets a note so they can also examine it and look for threats. They'll have the option of blacklisting it if they find a threat.

This completely solves (for ports 80, 443, 8080, etc.):
phishing (at least within the protected network)
drive-bys due to links poisoned in legitimate sites which are compromised
unwanted (and potentially hazardous) downloads in the network
spyware, viruses and malware, unless an approved software vendor is compromised
lookalike/misspelled domains
HTTPS tunneling proxies

Extrapolate default deny with good management tools to all perimeter devices, services running on the workstations, and end-user access, and hopefully you can see the value.

The best part of this is that it removes nearly all of the administrative burden from the CISO and distributes the load to middle management. If you write your security policy correctly you can make them responsible for the damage they cause if they allow something harmful. They'll be really cautious about what they allow their employees to do. Eventually they'll reach a state of near equilibrium where their employees have access to what they need to do their job, and nothing else.

Of course your managers need to be briefed and trained to recognize threats so they don't inadvertently allow them, however, if users know that everything they visit needs to be approved by a manager.... it greatly cuts down on internet play, at least for people that want to keep their job.
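The approval workflow this comment describes, modelled as an added Python example (it is not the commenter's FOSS tools and not code from the page): a policy engine for a default-deny, allowlist-based proxy. The mail notification, preview page and approve/deny links are reduced to an in-memory pending queue plus a decide() call, and validating the clicker's domain credentials is stood in for by a caller-supplied lookup of who manages whom. Hostnames, the reporting line and every sample URL are constructed; the subdomain-matching rule and the CISO veto are design choices of this example.

```python
"""Policy engine for a default-deny, allowlist-based web proxy with manager approval.

Added example; not the commenter's tools and not code from the page. Mail,
preview and approve/deny links are modelled as a pending queue plus decide();
domain-credential validation is stood in for by a caller-supplied manager
lookup. All names and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit


def hostname(url: str) -> str:
    """Host part of a URL, or of a bare 'host:port' CONNECT target."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")


def matches(host: str, entries: Set[str]) -> bool:
    """An entry covers itself and its subdomains and nothing else, so a
    lookalike such as 'examp1e.com' never matches an 'example.com' entry."""
    return any(host == e or host.endswith("." + e) for e in entries)


@dataclass
class PolicyEngine:
    allow: Set[str] = field(default_factory=set)
    block: Set[str] = field(default_factory=set)
    pending: Dict[str, str] = field(default_factory=dict)        # host -> first requester
    blocked_attempts: List[Tuple[str, str]] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def check(self, user: str, url: str) -> str:
        """Proxy-side decision: 'allow', 'deny', or 'pending' (serve a block
        page and wait for the manager)."""
        host = hostname(url)
        if matches(host, self.block):        # blocklist first, so a CISO veto sticks
            self.blocked_attempts.append((user, host))
            return "deny"
        if matches(host, self.allow):
            return "allow"
        if host not in self.pending:         # bother the manager once per host
            self.pending[host] = user
            self.audit.append(f"approval request: {user} -> {host}")
        return "pending"

    def decide(self, host: str, manager: str, approve: bool,
               manager_of: Callable[[str], Optional[str]]) -> str:
        """Manager clicks approve or deny. `manager_of` stands in for checking
        the clicker's domain credentials against the requester's reporting line."""
        requester = self.pending.get(host)
        if requester is None:
            return "no-request"
        if manager_of(requester) != manager:
            self.audit.append(f"rejected: {manager} is not the manager of {requester}")
            return "unauthorized"
        del self.pending[host]
        if approve:
            self.allow.add(host)
            self.audit.append(f"CISO review: {host} allowed by {manager}")
            return "allowed"
        self.block.add(host)
        return "blocked"

    def ciso_block(self, host: str) -> str:
        """CISO veto after reviewing a manager-approved domain."""
        self.allow.discard(host)
        self.block.add(host)
        return "blocked"

    def blocklist_report(self) -> Dict[str, int]:
        """Attempts per blocklisted host, for the optional manager report."""
        counts: Dict[str, int] = {}
        for _, host in self.blocked_attempts:
            counts[host] = counts.get(host, 0) + 1
        return counts


# Constructed reporting line, standing in for a directory lookup.
MANAGERS = {"alice": "mgr_bob", "carol": "mgr_bob"}


if __name__ == "__main__":
    engine = PolicyEngine(allow={"intranet.example"})
    print(engine.check("alice", "https://intranet.example/page"))
    print(engine.check("alice", "https://intranet.examp1e/login"))
    print(engine.decide("intranet.examp1e", "mgr_bob", False, MANAGERS.get))
    print(engine.blocklist_report())
```

Two choices carry the comment's argument: the blocklist is consulted before the allowlist so that a CISO veto overrides an earlier manager approval without anyone editing the allowlist, and the matcher only extends an entry to its own subdomains, which is why a misspelled or lookalike host falls through to "pending" rather than riding on the approval of the real site. For HTTPS the same check() is run on the CONNECT target, which is what keeps a tunneling proxy from slipping past the allowlist. In a real deployment the pending queue and the lists would be persisted and the notification sent by mail.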