Defense-in-depth describes the concept of protecting a computer network with a series of defense mechanisms organized in such a way that, if one of them fails, another one is available to take its place. This tip focuses on an example of a practical defense-in-depth deployment that uses existing technologies and explores how they can be tied together to comprise a comprehensive and effective enterprise network security architecture.
In order to demonstrate how to deploy defense-in-depth, let's consider the following scenario, which is a common enterprise IT setup. Many enterprises use third parties as infrastructure hosting providers, and they do so for a number of reasons. By using external hosting, enterprises are able to leverage either the traditional space or power model (also called colocation) in a physically secure environment at the hosting provider, while managing the system themselves, or they are able to purchase managed hosting services from the provider, which include network, system and security services. These environments are typically designed to host an enterprise's publicly accessible systems, which could range from mail or file transfer services for corporate users, to the enterprise's ecommerce platform.
As with either colocation or managed deployments, security plays an important part during the design of the environment. A typical approach to designing the security for such an environment starts with the network. For purposes of this discussion, let us assume the enterprise is hosting its ecommerce platform in this environment. The ecommerce platform (highly simplified for this discussion) consists of the Web tier that acts as the shopping cart or as a payment gateway for various transactions. This, in turn, is supported by the middleware (application servers) and database tiers. The design requires that each of the tiers be hosted on its own dedicated network, a virtual local area network (VLAN). This is typically accomplished by segmenting the tiers using a filtering device like a firewall, with the Web servers on the low-security interface, while the middleware and database tiers are hosted on the high-security interface. The middleware and database tiers are not accessible from the public network directly. In some design scenarios, the middleware and database tiers are behind the same firewall interface but on separate VLANs. In such scenarios, there is no filtering of traffic between the two tiers unless it is enforced by the switches.
The firewall in this case acts as the primary -- and potentially only -- line of defense against Internet-based threats. We will use this environment as a baseline to implement a defense-in-depth strategy using existing security technologies.
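The tiered design described above can be expressed as a default-deny policy and checked mechanically before the rules are loaded onto the firewall. The following is an added example, not code from the original article; the zone names, the application-server port (8080) and the database port (5432) are assumptions chosen for illustration, and the invariant it enforces (connections may only be initiated one tier inward, never skipping a tier or reaching the middleware or database tiers from the public network) is the design rule from the text.

```python
"""Model of a tiered firewall policy with a default-deny lookup and an
invariant check (constructed example; zones and ports are assumptions)."""
from dataclasses import dataclass

# Tiers from outermost (public network) to innermost (database).
ZONES = ("internet", "web", "app", "db")


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int


# Constructed allow-list. Anything not listed here is denied.
POLICY = [
    Rule("internet", "web", "tcp", 80),
    Rule("internet", "web", "tcp", 443),
    Rule("web", "app", "tcp", 8080),   # assumed application-server port
    Rule("app", "db", "tcp", 5432),    # assumed database port
]


def is_allowed(policy, src, dst, proto, port):
    """Default-deny lookup: a flow passes only if an explicit rule matches."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} or {dst!r}")
    return any(r.src == src and r.dst == dst and r.proto == proto and r.port == port
               for r in policy)


def reachable_from(policy, src):
    """Zones that `src` may open connections to directly under the policy."""
    return {r.dst for r in policy if r.src == src}


def check_invariants(policy):
    """Return a list of rules that violate the tiering design.

    The design rule: a tier may only initiate connections to the next tier
    inward. That forbids internet->app, internet->db and web->db (tier
    skipping) as well as any rule pointing outward (e.g. db->web).
    """
    order = {zone: i for i, zone in enumerate(ZONES)}
    problems = []
    for r in policy:
        if order[r.dst] - order[r.src] != 1:
            problems.append(f"{r.src}->{r.dst}:{r.proto}/{r.port} skips or reverses a tier")
    return problems


if __name__ == "__main__":
    print("internet -> web 443:", is_allowed(POLICY, "internet", "web", "tcp", 443))
    print("internet -> db 5432:", is_allowed(POLICY, "internet", "db", "tcp", 5432))
    print("violations:", check_invariants(POLICY))
```

Running `check_invariants` over the candidate rule set in a change-control step catches the common mistake of "temporarily" opening the database port to the Internet or to the Web tier, which is exactly the exposure the high-security interface exists to prevent.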
I have taken a "kitchen sink" approach to implementing the security for the environment described above, with a view that each piece can be implemented independently of the others, depending on the particular requirements of each enterprise.
The initial piece of the defense-in-depth puzzle is enforced outside of the enterprise's environment in the provider's network infrastructure. This technology component is responsible for protecting the environment against distributed denial-of-service (DDoS) attacks. The DDoS attack-mitigation technology typically consists of two components: The first component is responsible for detecting an attack by monitoring for deviations in normal traffic flow, and the second component is responsible for mitigating the attack through learned traffic behavior (e.g., a threat management system, or TMS).
DDoS protection is achieved through near-instantaneous traffic diversion using the Border Gateway Protocol (BGP) from the core routing device to the DDoS cleaning center (TMS). The most effective DDoS mitigation is achieved in a provider's infrastructure (upstream), so that the risk of link saturation and increased bandwidth costs is reduced.
A firewall is effective at protecting against certain network threats, but, in hosted environments where certain ports are open to the Internet -- HTTP (80/TCP) and HTTPS (443/TCP) -- its effectiveness is limited. In such an environment, it's a good idea to augment the firewall with a Web application firewall (WAF) appliance.
The WAF will primarily serve to protect the environment against application-specific attacks like cross-site scripting (XSS), SQL injection and parameter tampering, among many others. These devices are typically configured inline along the physical link between the firewall and the core network switches within the hosted environment. There, a WAF works as a bridging device with the ability to block traffic that matches known and learned attack vectors at the application layer. It also has the ability to fail open (pass traffic through unfiltered) in the event of a hardware failure, thereby ensuring traffic continues to flow to the Web servers. Some WAF vendors also provide database monitoring and protection capabilities that handle threats to the database. Protection is enforced via the use of agents, which are installed on the servers hosting the database instance.
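To make the application-layer inspection concrete, here is an added example (not code from the article or from any WAF vendor) that inspects a request's query string the way a WAF rule set would: a deliberately small set of XSS and SQL injection signatures, plus a check for parameter tampering, implemented here by requiring an HMAC over sensitive parameters. The signature patterns, the parameter names and the shared signing key are constructed assumptions; a real WAF's rule set is far larger and is tuned against the application's actual traffic.

```python
"""Minimal request inspection in the spirit of a WAF (constructed example).

Assumptions: the application signs its sensitive hidden parameters with a key
shared with the inspection point, and sends the signature as <name>_sig.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Constructed, intentionally small signature set. Real rule sets are much larger.
SIGNATURES = {
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "sqli": re.compile(
        r"(?:'|\")\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+"   # tautology after a quote
        r"|union\s+select"
        r"|;\s*drop\s+table",
        re.I,
    ),
}

SIGNING_KEY = b"assumed-shared-secret"  # assumption: provisioned out of band


def sign_param(value: str) -> str:
    """HMAC-SHA256 over a parameter value; the app emits this alongside the value."""
    return hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()


def inspect(query: str, signed_params=("price",)):
    """Return a list of (finding, parameter) tuples; an empty list means pass.

    Signature matches are reported per parameter. For each parameter listed in
    `signed_params` that is present, a missing or wrong signature is reported
    as tampering.
    """
    findings = []
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            for label, pattern in SIGNATURES.items():
                if pattern.search(value):
                    findings.append((label, name))
    for name in signed_params:
        if name in params:
            provided = params.get(name + "_sig", [""])[0]
            expected = sign_param(params[name][0])
            if not hmac.compare_digest(provided, expected):
                findings.append(("tamper", name))
    return findings


if __name__ == "__main__":
    good = f"item=42&price=100&price_sig={sign_param('100')}"
    print("clean request:", inspect(good))
    print("modified price:", inspect(f"item=42&price=1&price_sig={sign_param('100')}"))
```

Two practical points follow from this shape. First, signature matching trades false positives for coverage, so a pattern such as the `on\w+\s*=` event-handler check needs tuning against legitimate traffic before it is allowed to block rather than alert. Second, the tampering check only works because the application participates (it signs what it trusts), which is why WAF deployment is an application-owner concern and not only a network one.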
As WAFs typically focus on attacks occurring at the application layer, their effectiveness at blocking network-centric attacks -- like Internet worms -- is limited. A WAF can be used in conjunction with an intrusion prevention system (IPS), the primary focus of which is signature-based mitigation at the network layer, to compensate for this deficiency. These devices are available as modules that can integrate with firewalls in an inline capacity, where they block threats as they leave the firewall.
As we get closer to the server platform, protection against malware threats and monitoring of the file system become crucial to an effective defense-in-depth strategy. This can be achieved through the use of a combination of mainstream antivirus/antimalware products and content integrity monitoring systems (CIMS), which track and alert on file system changes in real time.
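The core of a CIMS is a baseline-and-compare loop: record a hash and the permissions of every file under a watched tree, then report anything added, removed or changed. The following added example (not the article's or any product's code) implements that loop and exercises it on a constructed temporary directory; the file names and contents are made up for the demonstration, and a production deployment would keep the baseline off the monitored host and run the comparison continuously rather than once.

```python
"""Baseline-and-compare file integrity check, the core of a CIMS (constructed example)."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root.

    Symlinks are skipped so a link cannot substitute for a monitored file.
    """
    snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            snapshot[rel] = {
                "sha256": hash_file(path),
                "mode": oct(st.st_mode & 0o7777),  # permission bits only
                "size": st.st_size,
            }
    return snapshot


def compare(old, new):
    """Classify differences: added, removed, modified (content or permissions)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: append to one file, add one, delete one, chmod one."""
    with tempfile.TemporaryDirectory() as root:
        seed = {"index.php": b"<?php echo 1;", "config.php": b"x=1", "old.txt": b"bye"}
        for name, body in seed.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        base = baseline(root)

        with open(os.path.join(root, "index.php"), "ab") as f:
            f.write(b"\n// appended line")          # content change
        with open(os.path.join(root, "upload.php"), "wb") as f:
            f.write(b"new file")                     # unexpected addition
        os.remove(os.path.join(root, "old.txt"))     # removal
        os.chmod(os.path.join(root, "config.php"), 0o777)  # permission change only

        return compare(base, baseline(root))


if __name__ == "__main__":
    print(demo())
```

Note that `config.php` is reported as modified even though its bytes are unchanged: the permission bits are part of the baseline, because a world-writable configuration file is a finding in its own right. Hash comparison also catches edits that preserve size and timestamp, which a check on metadata alone would miss.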
The glue tying all this together would be a centralized log management system (LMS), which serves as a repository for logs from these individual security components, in addition to functioning as a repository for the traditional server logs. An LMS also has the ability to generate real-time alerts on preconfigured event filters, in addition to providing a flexible search interface for log data from the various security components. Another family of products that has its roots in log management, called the security information and event management (SIEM) system, may also be used in place of LMS. SIEM extends the capabilities of LMS to provide intelligent threat analysis and threat-mitigation capabilities.
Putting it all together
As you can see, we have identified specific security technologies that can be used to protect each component of an enterprise's hosted environment, starting with DDoS mitigation in the provider's infrastructure, followed by firewall and IPS technologies for network protection, WAF for application layer protection, CIMS to protect the integrity of the file system, and, finally, the LMS, which serves as a repository for log information from the various security and server components. By practicing defense-in-depth, or implementing even a few of the components (e.g., LMS), your enterprise will go a long way toward having a resilient security platform that provides real-time visibility into security threats.
About the author:
Anand Sastry is a Master Architect at Savvis Inc. Before joining Savvis, he worked for clients in several industries (large and mid-sized enterprises in financial, healthcare, retail and media) as a member of the security services group for a Big 4 consulting firm. He has experience in network and application penetration testing, security architecture design, wireless security, incident response and security engineering. He is currently involved with network and web application firewalls, network intrusion detection systems, malware analysis and distributed denial of service systems. He tweets at http://twitter.com/cptkaos.
This was first published in January 2011