Using a 'Defense In Depth' Strategy to Protect your Corporate Network (Part 1)
Let's face it, the days of having your network exposed to the world without danger are long gone. If you want your company to stay on the road to profitability, you, as the corporate IT resource, will need to convince it of the advantages of implementing an effective security architecture to protect its assets.
My definition of an effective security architecture will most likely seem excessive upon first glance, but with the fast-paced evolution of both online and offline threats, corporations must always be prepared for the worst. This first post in a series of many will introduce you to the concept of "defense in depth" and will also list some of the key components required to apply that concept to your environment.
First of all, a "defense in depth" architecture is exactly what it implies: a security system composed of multiple layers of protection which completely surround an IT environment. Each layer of defense is there to support the previous one in case it is breached. Not only does this help prevent attacks against mission-critical systems, it also gives organizations time to react in case someone does breach their network.
Let's start this series by listing the first two components, the front-line soldiers, of our "ideal" security system.
Firewalls
The firewall is the first line of defense against bad guys that come from the perimeter -- in most cases, the Internet. Firewalls are mainly designed to prevent unauthorized communications between different sections of a computer network. Firewall rules must be thought out very carefully before they go into production. Conscientious administrators will usually configure their firewalls to deny all connections to all ports by default, and then open the required ports one by one until the desired configuration has been achieved.
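As an added illustration of the default-deny approach described above (this is not from the original article), here is an nftables ruleset for a Linux host that exposes only HTTPS to the world and SSH to an internal management network. The management subnet 10.0.100.0/24, the port list and the rate limits are assumptions; dropped packets are logged so the IDS or log collector can see what the default policy is rejecting.

```nft
#!/usr/sbin/nft -f
# Constructed example: default-deny input policy for a single web host.
# Management subnet, ports and rate limits are assumed values.
flush ruleset

table inet filter {
    chain input {
        # Default-deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Loopback traffic stays local.
        iif "lo" accept

        # Accept replies to connections this host opened; drop packets that
        # belong to no known connection (malformed or out-of-state traffic).
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery; rate-limit it to blunt floods.
        meta l4proto icmp limit rate 10/second accept
        meta l4proto ipv6-icmp limit rate 10/second accept

        # Ports opened one by one: SSH only from the (assumed) management
        # network, HTTPS from anywhere.
        tcp dport 22 ip saddr 10.0.100.0/24 ct state new accept
        tcp dport 443 ct state new accept

        # Log a sample of what the default policy is about to drop.
        limit rate 5/minute log prefix "nft-drop: " level info
    }

    chain forward {
        # This host does not route between networks, so forwarding is denied.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic from the host itself is allowed.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f rules.nft`; `nft -c -f rules.nft` only checks the syntax without applying anything, which is the step to run before the ruleset goes into production.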
Additional reads and resources:
- Wikipedia listing for firewall
- Introduction to firewalls
- How stuff works: Firewalls
- Evolution of the firewall industry
Intrusion prevention systems (IPS) / Intrusion detection systems (IDS)
IPS/IDS systems are software- or hardware-based solutions that constantly scan a network for suspicious activity. If they detect anything abnormal, they will try to intervene (IPS) or report the situation to the administrator (IDS). Many of you probably believe that an IPS is better than an IDS, yet this is not always the case. IPS devices are often prone to false positives, especially those that attempt to detect rogue traffic using heuristics. On a false positive, an IPS usually stops the suspicious event dead in its tracks, often blocking perfectly legitimate requests. This is not a particularly practical solution if it happens too often. If you want to have a look at a very good IDS that is free and runs on both Linux and Windows, you should definitely take a look at Snort.
Additional reads and resources:
- Wikipedia listing for IDS and IPS
- SANS Institute IDS FAQ
- The role of IDSs (PDF)
- Intrusion Prevention Systems: the Next Step in the Evolution of IDS
- Anatomy of an Intrusion Prevention System
- Snort IDS
In the second part of this article, I will continue writing about some of the other components that are a part of our defense in depth architecture. Until then, please stay tuned and be sure you don't miss anything by subscribing to our feed!