Defense-in-Depth What Is It?

1 Defense-in-Depth What Is It?
Peter Leight and Richard Hammer August 2006

2 What is Defense-in-Depth?
- There is no “silver bullet” when it comes to network security
- Any layer of protection might fail
- Multiple levels of protection must be deployed
- Measures must be across a wide range of controls (preventive and detective measures)

3 Focus of Security is Risk
- Security deals with managing risk to your critical assets
- Security is basically an exercise in loss reduction
- Impossible to totally eliminate risk; we settle for residual risk
- Risk is the probability of a threat crossing or touching a vulnerability
- Risk is managed by utilizing defense-in-depth (DiD)
- Risk = threat x vulnerabilities

4 Key Focus of Risk
- Confidentiality / Disclosure
- Integrity / Alteration
- Availability / Destruction
- Confidentiality, Integrity, Availability

5 Prioritizing CIA
- While all three areas of CIA are important to an organization, there is always one area that is more critical than others
- Confidentiality
  - Health Care Organizations
  - Hospitals
- Integrity
  - Financial Institutions
  - Banks
- Availability
  - E-commerce based organizations
  - Online banking

6 What is a Threat?
- Possible danger
- Protect against the ones that are most likely or most worrisome based on:
  - Intellectual property
  - Validated data
  - Business goals
  - Past history
  - Main point of exposure
- 5 Primary Threats
  - Malware
  - Insider
  - Health Epidemic
  - Terrorism
  - Natural Disasters

7 Vulnerabilities
- Weaknesses in a system
- Vulnerabilities are inherent in complex systems; they will always be present
- The majority of vulnerabilities are the result of poor coding practices
  - Lack of error checking
- Vulnerabilities are the gateway by which threats are manifested
- Vulnerabilities fall into two categories:
  - Known, those you can protect against
  - Unknown or “zero day”

8 Approaches to DiD
- Deploy measures to reduce, eliminate or transfer risk
- Five basic approaches
  - uniform protection
  - protected enclaves
  - information centric
  - threat vector analysis
  - role-based access control

9 Uniform Protection - DiD
- Most common approach to Defense-in-Depth
- Firewall, VPN, Intrusion Detection, Anti-virus, etc.
- All parts of the organization receive equal protection
- Particularly vulnerable to malicious insider attacks

10 Protected Enclaves DiD
- Work groups that require additional protection are segmented from the rest of the internal organization
- Restricting access to critical segments
- DOE “unclean” network
- System of VPNs
- Internal Firewalls
- VLANs and ACLs

11 Information Centric Defense-in-Depth
- Identify critical assets and provide layered protection
- Data is accessed by applications
- Applications reside on hosts
- Hosts operate on networks
- Network, Host, Application, Info

12 Vector Oriented DiD
- The threat requires a vector to cross the vulnerability
- Stop the ability of the threat to use the vector
  - USB Thumb Drives – Disable USB
  - Floppy Drives – Disable
  - Auto Answer Modems – Digital phone PBX

13 Role-Based Access Control
- People identified by their roles
- Data is accessed by roles not people
- People can have more than one role
- More than one role can access the same data

14 Identity, Authentication, Authorization & Accountability
- Identity is who you claim to be
- Authentication is a process by which you prove you are who you say you are:
  - Something you know
  - Something you have
  - Something you are
  - Some place you are
- Authorization is determining what someone has access to or is allowed to do, after they have been properly authenticated
- Accountability deals with knowing who did what and when

15 Controlling Access
- Least Privilege
  - Give someone the least amount of access they need to do their job
- Need to Know
  - Only give them the access when they need it and take it away when it is no longer required
- Separation of Duties
  - Break critical tasks across multiple people to limit your points of exposure
- Rotation of Duties
  - Change jobs on a regular basis to prevent anyone from being able to get comfortable in a position and be able to cover their tracks
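
The role-based access control, accountability and separation-of-duties points from slides 13 to 15, shown as an added Python example that is not part of the original presentation. All users, roles, resources and the conflicting-role pair are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data: every user, role and resource name is hypothetical.
ROLE_PERMISSIONS = {
    "teller":   {("account", "read"), ("payment", "create")},
    "approver": {("account", "read"), ("payment", "approve")},
    "auditor":  {("audit_log", "read")},
}
USER_ROLES = {
    "alice": {"teller"},
    "bob":   {"approver", "auditor"},  # a person can hold more than one role
    "carol": {"teller", "approver"},   # violates separation of duties
}
# Role pairs that one person must not hold together (separation of duties).
CONFLICTING_ROLES = [frozenset({"teller", "approver"})]
AUDIT_LOG = []  # accountability: who did what and when


def sod_violations(user_roles):
    """Return {user: [conflicting role pairs]} for users holding both roles of a pair."""
    found = {}
    for user, roles in user_roles.items():
        hits = [sorted(pair) for pair in CONFLICTING_ROLES if pair <= roles]
        if hits:
            found[user] = hits
    return found


def is_authorized(user, resource, action):
    """Default deny: allow only when one of the user's roles grants the permission."""
    roles = USER_ROLES.get(user, set())
    granting = sorted(r for r in roles
                      if (resource, action) in ROLE_PERMISSIONS.get(r, set()))
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": user,
        "what": f"{action}:{resource}",
        "via_roles": granting,
        "allowed": bool(granting),
    })
    return bool(granting)


if __name__ == "__main__":
    print(is_authorized("alice", "payment", "create"))
    print(is_authorized("alice", "payment", "approve"))
    print(sod_violations(USER_ROLES))
    print(AUDIT_LOG[-1])
```

Access is decided from the role table alone, so revoking a role removes every permission it carried, and the audit entry records which role granted each allowed request.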

