
NETWORK SECURITY TACTICS

How to use defense-in-depth to create an (almost) invulnerable computing environment


SearchSecurity.com
07.01.2005






What you will learn from this tip: Peer advice on how to employ a defense-in-depth strategy with tools such as firewalls, antivirus and an intrusion-prevention system to secure an Internet-connected computing environment.

Q: From Anakin: "We are in the process of redesigning our IT environment (software and hardware) and are looking for a solution in which our systems will not be vulnerable to any type of threat from our Internet connection. The easy fix is to surround ourselves with expensive and complex layers of detection software and appliances. However, I feel as though there is a way we can design a system that is invulnerable in the first place. So far, we have included the following in our design: thin clients, ASP hosted apps, PC blades, streaming OS and apps, virtual PCs and servers, diskless Linux workstations, non-mainstream vendors, multiple system domains and user profiles, isolation servers, OS freeze type of products, etc. We've also come up with a number of possible strategies, but all have been flawed. I'm open to any "outside-of-the-box" creative solution. Our company has about 50 users and is currently running Win NT, MS Office 97 Pro, Exchange 5.5 and Outlook 98. Any suggestions?"

A: From bobkberg, "There's an answer, but you won't like it. It's called wire cutters. (*snip*) The overall consensus in the security community is defense-in-depth -- meaning multiple layers. Your best bet is to put everything through application-specific proxy servers and set up the following:

  • No direct Internet access -- all through a proxy server
  • E-mail gateway with antivirus
  • Corporate, centrally controlled and downloaded antivirus
  • Corporate patch control
  • Validation at a MAC address level that a given machine is authorized and patched, etc., or it doesn't get on the network -- it's quarantined on a separate VLAN.
  • Lock down Internet Explorer to the most paranoid level
  • Disable Autoplay for CDs inserted
  • Disable the ability to boot off of a floppy or a CD
  • Perform regular checks for rogue wireless equipment
  • Get a topology report from your phone company and check every line for modems."

A: From amigus, "Well the good news is that in your search for the holy grail of Internet computing you're not alone. In fact, just about everyone wants what you want. The biggest problem with any strategy/solution you are likely to devise is: a.) It will have inherent limitations or flaws; and b.) it will require a lot of testing and will still have some negative impact on user productivity. OK, enough philosophy, here's what I'd recommend and have had the most success with:
  1. Standardize your software set(s), preferably with a fairly new version of everything. The newer version of just about everything has more security built-in and you stand a better chance of being able to enable that security and effectively maintain it if you have a standard software set.

  2. Hardening. There are books, webcasts, articles, etc. all over the Internet that teach you how to tweak OSes and applications so that they become immune to whole classes of attack. I can happily click on the latest IM-borne virus on my Windows XP box and it has no effect.

  3. Disposable environments. The harsh reality is that you're probably not going to get your holy grail no matter how hard you try. You have to admit to yourself and management that no matter what you do there will always be attack vectors in your network. The trick is to plan for and optimize recovery. Build systems that can be rebuilt quickly and easily. Automate and regularly do workstation reinstalls for example.

I'd also look into quarantining with IPsec authenticated communication, Web-caching/Web-filtering, HIDS and IPS."

A: From Dargandk, "For a safer computing environment, it all boils down to the approach you are taking. Here are a few points which I consider important:

  1. Securing the perimeter is not the complete solution -- Secure your resources; your main servers and applications should be well protected, along with the perimeter solution. Within security design, rely on a multiple-control design. Some of the controls should be in the form of preventive controls; at the same time you have to consider mitigating and compensating controls.

  2. Standardize -- If you want to build on a thin client environment or user-based machines (which I would recommend), make sure the configuration is based on standards and it is consistent. For example, hardware/software and application packs should be consistent.

  3. Standards -- This time I am referring to industry standards, such as protocols and design. A deviation may be required if you have a strong business case. Otherwise, follow the KISS principle, keep it simple and straight and follow the standards.

  4. Develop strong processes and practices which can be enforced through technology. -- This is the main requirement for continuing operations and the compliance issues."

A: From Tatworth, "There is a key phrase -- defense-in-depth. Besides the obvious antivirus, include antispyware in your standard build. Given your number of users, consider using SmoothWall Linux as your firewall (or outer firewall). Never boast about your invulnerability -- to do so would be to invite the hackers to attack."

A: From Erik, "All of you have provided good practical advice. I think, however, that you're missing something: risk assessment! To determine the problem, each person needs to identify their own critical information assets and their potential threats -- these could be physical, logical, external, internal, etc. Identify potential vulnerabilities and establish possible physical, administrative and logical/technical countermeasures as well as a definitive strategy to implement them. Remember, the biggest threat could be a lack of accountability or user management, a poorly maintained drain above the computer room, or even simply a door without locks. I do realize that this is not what the question is about; however, I think it is important for everyone to realize that this problem is not an IT issue -- it is an information security management issue."

This question and answer thread was originally posted in the ITKnowledge Exchange forum.






