Republished with permission from WatchGuard Technologies, Inc. Originally published April 2, 2001.


Defense in Depth

by Fred Avolio, Avolio Consulting, Inc.

Often people who discuss network defense mechanisms, such as firewalls, express how much easier and more dependable a perimeter defense can be compared to host-based defenses. This is true, when discussing the front lines. But complete network security goes beyond the perimeter. It requires multiple defense mechanisms and multiple deployment sites.

Often, when we talk about firewall deployment, we are talking about defense on a plane. We use a drawing that shows: the Internet; our network; a firewall in between; and a red brick wall encircling that inside network. It is all very flat. It's two-dimensional, because the diagram typically shows a single type of defense (a firewall) creating one layer that you are either inside of or outside of. The picture communicates basic concepts fine, but we don't really have a brick wall. Our defense is full of holes: potential points of vulnerability. Sometimes vulnerabilities exist not because of bugs in software, but because of the things we allow through the firewall in order to support the business' Internet requirements.

Of course, a firewall is necessary -- but it is not sufficient. A firewall alone cannot defend against computer viruses any more than antivirus software can defend against Denial of Service attacks. And neither a firewall nor antivirus software even notices, let alone defends against, a bad guy on the inside of the network security perimeter. This complexity means we must move beyond our flat, 2-D security model.

Thinking in 3-D

Defense in depth simply means using multiple controls to implement a more complete security posture. Multiple controls can be broken down into areas such as:

  • administrative (for example, policies and procedures)
  • technology (such as firewalls and antivirus software), and 
  • physical and environmental (locks, chains, and dogs).

At this point it is appropriate to recall a couple of security axioms:

  1. There is no such thing as "complete security" in a usable system.

  2. Security is a chain that is only as strong as your weakest link.

About that first axiom: we know we're not striving for 100 percent security, because that would leave us with 0 percent usability. Security and usability are inversely proportional.

About that second axiom: we want to avoid weak links wherever possible, and shore them up when avoidance is impossible. But that second axiom is the tricky one. It is a well-established truth of security. Everyone knows it. Nevertheless, it could lead us to false conclusions.

For example, suppose we have a firewall. We screen for viruses at our e-mail gateway. Also, as recommended in my corporate e-mail policy piece, we strip off "dangerous" e-mail attachments including .exe, .scr, .pif and .vbs. We have antivirus software on the desktop, but only 50 percent of our desktops have up-to-date antivirus software. Obviously, the desktop antivirus software is our weakest link. So, we assume that there is a high probability that 50 percent of our desktops will be hit with an Internet virus. Right? Wrong. That's a simplistic application of that second axiom.

While there are no controls that are 100 percent effective, we can approach 100 percent in practice by combining different controls. For example, if we physically locked up the computers and allowed no one to touch them, we'd approach 100 percent security. But usability would suffer dramatically. Likewise, we can disallow connection to the Internet, or deny all inbound and outbound services, with similar positive and negative results. The above simple example shows that, while we still have weakness on the desktop front, by combining different controls we are covered in that area by screening for known viruses at the gateway and by eliminating most of the vehicles for viral entry into the enterprise. 

So, to implement defense in depth we combine "synergistic controls," each, necessarily, of less than 100 percent effectiveness. Note we do not combine just any ol' controls, but synergistic ones. "Synergy" is defined as "the interaction of two or more agents or forces so that their combined effect is greater than the sum of their individual effects."

So, we're not just stringing one firewall after another (although, we do get some benefit from that-we make the avenue of attack longer). We use administrative means (updating the virus database, for example, and periodically verifying the e-mail attachment stripping) and technology (the aforementioned mechanisms on the desktops and e-mail gateway). We also add policy and education that instructs people not to bring data on a removable disk from home, and we explain why. We could add physical means: confiscating notebook PCs as they enter the building. (Drastic, yes, but this is an example.)

Defense in depth is powerful. If I have a single security control that is only 50% effective, that sets the stage for disaster down the road. But if I line up two different controls in series, each only 50% effective, I get to 75% effectiveness (the first control catches half the bad stuff, leaving 50%; the second control catches half of that half, leaving only 25% of the bad stuff). If I line up five controls, each just 50% effective, I get to nearly 97% effectiveness. To get over 99% we need 4 controls, each 70% effective. Here's a table of how it breaks down, provided courtesy of TruSecure Corporation:


Wait a minute, you might think: "Security isn't like this! It can't be measured so exactly. And what does '50%' or '100%' mean in this discussion anyway?" Right you are. The point isn't the numbers so much as the concept. Defense in depth is strongest when we combine synergistic controls.
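The series-of-controls arithmetic above, worked through in code. This is an added example, not the article's own material and not the TruSecure table; it assumes each control filters independently of the others (the simplification the author flags), and the `effectiveness_table` rows are recomputed from that formula rather than copied from the table.

```python
"""Combined effectiveness of independent controls placed in series.

Added illustration of the defense-in-depth arithmetic; the model and
all numbers are constructed, not measurements of any real product.
"""
from math import ceil, log


def combined_effectiveness(controls):
    """Fraction of 'bad stuff' stopped when every control must be evaded.

    Each control is an independent filter: a fraction p of what reaches
    it is caught and the remainder (1 - p) passes on to the next one.
    What survives all n controls is the product of the (1 - p) terms,
    so the combined effectiveness is 1 minus that product.
    """
    survives = 1.0
    for p in controls:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"effectiveness must be in [0, 1], got {p}")
        survives *= 1.0 - p
    return 1.0 - survives


def controls_needed(p, target):
    """Smallest number of identical p-effective controls reaching target."""
    if not 0.0 < p < 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("need 0 < p < 1 and 0 <= target < 1")
    # (1 - p)**n <= 1 - target  gives  n >= log(1 - target) / log(1 - p)
    return max(1, ceil(log(1.0 - target) / log(1.0 - p)))


def effectiveness_table(levels=(0.5, 0.6, 0.7, 0.8, 0.9), max_controls=5):
    """Rows of (per-control effectiveness, n, combined percent)."""
    rows = []
    for p in levels:
        for n in range(1, max_controls + 1):
            pct = round(100 * combined_effectiveness([p] * n), 2)
            rows.append((p, n, pct))
    return rows


if __name__ == "__main__":
    # The article's three worked cases, then the recomputed table.
    print(combined_effectiveness([0.5, 0.5]))   # 0.75
    print(combined_effectiveness([0.5] * 5))    # 0.96875, "nearly 97%"
    print(combined_effectiveness([0.7] * 4))    # 0.9919, "over 99%"
    print(controls_needed(0.7, 0.99))           # 4
    for p, n, pct in effectiveness_table():
        print(f"{p:.0%} x {n}: {pct:6.2f}%")
```

The "weakest link" reading of the desktop example would treat the worst control as the whole story; the product form shows why the gateway screening and attachment stripping still cover most of what the half-deployed desktop antivirus misses.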

Practical Deployment

So, what does this mean to you? How do you proceed? If you've never gone through this exercise before, run through a quick breakdown of your concerns, vulnerabilities, and threats. It doesn't have to be 100 percent exhaustive, remember, but you want to try to get it accurate if not perfect. You map out servers, gateways, and desktops, and apply security measures that make sense and are synergistic.  

Do you have a firewall? Perhaps a Firebox II? Good. List all of the things it does and all of the things it cannot do. One obvious example: It cannot protect inside machines from a bad guy already inside. Now, you could buy 100 Fireboxes and put them in front of all your important servers and internal subnets (WatchGuard would like that). But that's 2-D defense. In 3-D defense, you put firewalls in front of your most precious internal machines, but you also deploy network IDS systems to look for anomalous behavior. You examine your security logs for other anomalies. You fortify internal servers by checking them for vulnerabilities and tightening things that are loose. You fortify them with products such as WatchGuard ServerLock. And you could implement strong access control on the inside network so as to make it difficult for a bad guy to work any mischief undetected.

It doesn't take a genius to do this. It takes a pencil, some paper, knowledge of the technology solutions that exist, particulars about the vulnerabilities and threats, and a rough idea of the topology of your network.  

Never be satisfied with two-dimensional thinking. Recognize the weakness in "single solution," "single countermeasure" defense schemes. Defend your network and systems, but defend in depth.