In response to increasingly sophisticated malicious actors and malware strains, the layered security strategy became rather fashionable in the not-too-distant past, and it has since become firmly ingrained as an industry best practice for securing enterprise networks. Intuitively, deploying multiple security devices within a network, each with its own defense vector, seemed to offer a kind of redundancy in network defense that made sense on several different levels.
For example, if an organization deployed a firewall, an intrusion prevention system (IPS) and an endpoint protection (EPP) system, it was believed that together those products could provide far greater protection through a mix of different capabilities. At the network exterior, the firewall examines incoming packets for bad URLs, IP addresses and other such indicators that can be easily verified against an access control list. Behind the firewall, the IPS examines the content and header information of each packet that was allowed through the firewall, and if any of the packet contents are deemed malicious according to the IPS' list of signatures, the packet is dropped or blocked. Finally, the EPP system resides on each endpoint device on the network, serving as a last line of defense against any malicious code that may have slipped through the firewall and IPS.
At each point in a given packet's traversal through a network, an increasingly invasive examination is performed in an effort to secure the network, with security administrators everywhere taking comfort in the idea that only the most sophisticated malicious code can successfully penetrate several layers of security devices. However, a report released by the independent security testers at NSS Labs casts doubt on the belief that deploying a layered security approach always increases enterprise network security.
As part of its report on exploit detection failures, NSS Labs decided to test 37 different security devices, including firewalls, next-generation firewalls (NGFWs), and IPS and EPP devices from 24 security vendors against 1,711 known exploits. The chosen exploits were known to affect more than 200 different software vendors, including products from Microsoft, Apple Inc. and Cisco Systems Inc. NSS Labs tested the devices in a variety of different combinations in order to determine which pairings were best at detecting the exploits. The results provide an interesting take on the potential failures of a layered security strategy.
Of the 606 different combinations tested, only 19 successfully blocked all exploitation attempts; notably, no device tested individually was able to block all of the exploitations. As for which products worked best together, NSS Labs found that NGFW and IPS combinations were far more effective at blocking known exploits than any combination of EPP systems. For example, the average block failure rate of any NGFW-IPS combination was approximately 0.8%, while the average block failure rate of any EPP combination was an astounding 26%. These results alone indicate that deploying endpoint protection in and of itself is an insufficient security approach without being paired with some sort of inline security device.
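As an added illustration of the arithmetic behind figures like these (this is not NSS Labs' data or tooling; the device names and miss lists below are constructed), the script scores every pairing of a small set of hypothetical devices the way the report does: an exploit only gets through a combination if every layer in it misses, so the combined failure rate depends on how much the layers' blind spots overlap, not only on each device's own rate.

```python
from itertools import combinations
from statistics import mean

# Constructed sample: which exploit IDs each hypothetical device FAILED to
# block. Every device misses something, so no single device blocks all.
EXPLOITS = set(range(1, 21))  # 20 constructed exploit IDs
MISSED = {
    "NGFW-A": {3, 17},
    "NGFW-B": {3, 8},
    "IPS-A": {8},
    "IPS-B": {17},
    "EPP-A": {2, 3, 5, 8, 11, 13},
    "EPP-B": {2, 3, 5, 8, 14, 19},
}

def combo_misses(devices):
    """An exploit gets through a layered combination only if every layer misses it."""
    return set.intersection(*(MISSED[d] for d in devices))

def block_failure_rate(devices):
    """Share of the exploit corpus that a combination lets through."""
    return len(combo_misses(devices)) / len(EXPLOITS)

def evaluate(pair_size=2):
    """Score every pairing: failure rate per combo, plus the combos that blocked everything."""
    results = {c: block_failure_rate(c) for c in combinations(sorted(MISSED), pair_size)}
    perfect = [c for c, r in results.items() if r == 0.0]
    return results, perfect

def mean_rate(results, predicate):
    """Average failure rate over the combinations matching a predicate (e.g. NGFW+IPS)."""
    rates = [r for combo, r in results.items() if predicate(combo)]
    return mean(rates) if rates else None

def is_ngfw_ips(combo):
    return any(d.startswith("NGFW") for d in combo) and any(d.startswith("IPS") for d in combo)

def is_epp_only(combo):
    return all(d.startswith("EPP") for d in combo)

if __name__ == "__main__":
    results, perfect = evaluate()
    print(f"{len(perfect)} of {len(results)} combinations blocked every exploit: {perfect}")
    # NGFW-B + IPS-A share a blind spot (exploit 8), so two low-miss devices still fail together.
    print("NGFW-B + IPS-A lets through:", combo_misses(("NGFW-B", "IPS-A")))
    print(f"mean failure rate NGFW+IPS: {mean_rate(results, is_ngfw_ips):.3f}, "
          f"EPP+EPP: {mean_rate(results, is_epp_only):.3f}")
```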
So, how should organizations that have taken, or were planning to take, the layered security approach react to this report? First, a significant amount of attention should be paid to the specifics of the report. For example, it should be noted that no security device by itself was able to detect all Microsoft-related exploits directed at it. Microsoft-centric organizations should be cognizant of this fact when deciding which security device combos to deploy.
The report provides plenty of details on how the various combinations performed; I recommend at a minimum reading through the report and taking note of the performance of the products or vendors your organization uses. An apples-to-apples comparison may not be appropriate, but the data may highlight ways in which your products could be underperforming, and how combining them with other technologies could improve your layered security. For instance, one particular combo -- the Sourcefire 3D8250 IPS and Stonesoft 1301 NGFWs -- stood out for me because of how well it appears to have held up during testing. Still, certain products that will work well for one organization won't necessarily be a good fit for another.
To that end, each organization considering or employing a layered security approach should ideally conduct its own testing in accordance with NSS Labs' methodology, taking into account its own threat profile and security requirements. This will produce result sets specifically tailored to each organization, and hopefully a clearer picture of which products will offer the best performance.
Ultimately, employing a layered security strategy with little to no regard for which appliance combinations are actually effective can lead to disastrous results. Despite the potential for failure, layered network security still offers as compelling an answer to the numerous questions being posed by attackers as any current approach does. To ensure better results from such a strategy, security administrators everywhere should thoroughly research different vendor appliance combinations before deploying them, and the above-mentioned NSS Labs report is a wise place to start such a process.
About the author:
Brad Casey holds a Master of Science degree in information assurance from the University of Texas at San Antonio, and has extensive experience in the areas of penetration testing, public key infrastructure, VoIP and network packet analysis. He is also knowledgeable in the areas of system administration, Active Directory and Windows Server 2008. He spent five years doing security assessment testing in the U.S. Air Force, and in his spare time, you can find him looking at Wireshark captures and playing with various Linux distros in VMs.