Defense in Depth: What is it? (Part 1)
Defense in Depth is a term that gets thrown around in the IT community a considerable amount these days. It is not always clearly defined or explained, and may leave you with questions like those that follow. What is it? What does it cost? What impact would greater security have on my business? In this post, I will try to define what Defense in Depth is. I will tackle the other questions in additional posts.
Defined:
So, what is Defense in Depth? In a nutshell, it is a combination of security devices, software and education of end users (you and your employees). At its most basic, Defense in Depth involves a high grade firewall at the edge of your network, good anti-virus software (preferably centrally managed) on your servers and workstations, and education of the end user in safe email, internet and social networking practices. In a larger environment, there may be multiple firewalls that protect various branches of your network, as well as specialized Intrusion Prevention devices for monitoring potential points of access and cutting off the attack before it begins in earnest.
Layer One:
The firewall that you place on your internet connection should have features such as Anti-Virus, Anti-Spyware, Intrusion Detection and Email Filtering built into it. You should also be able to define “zones” for additional security. For example, with Sonicwall and Watchguard firewalls, you can define separate zones for your servers and place the desktops in another zone. This approach allows all data that passes from your workstations to your servers to be scanned for potentially damaging viruses and spyware. On the Sonicwall, you can also enable Intrusion Detection and Content Filtering on these zones, as well as applying those filters BETWEEN the zones, again enhancing your security. As these devices mature, you are also able to block certain kinds of traffic that you may not want crossing your workplace network, such as the use of BitTorrent and video/music streaming.
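To make the zone idea concrete, here is an added illustration (not Sonicwall or Watchguard configuration, and not part of the original post) that models zones, inter-zone rules, the inspection services applied between zones, and application blocking. The networks, ports and application names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones following the post's example: servers and desktops in separate zones.
# Anything outside the listed internal networks is treated as the WAN (internet) zone.
ZONES = {
    "SERVERS": ip_network("10.0.10.0/24"),
    "WORKSTATIONS": ip_network("10.0.20.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str                 # source zone
    dst: str                 # destination zone
    ports: frozenset         # allowed destination ports; empty means any port
    services: frozenset      # inspection services applied to matching traffic
    blocked_apps: frozenset  # application signatures dropped even when the rule matches

# Constructed inter-zone policy: inspection happens BETWEEN zones, as the post describes.
POLICY = [
    Rule("WORKSTATIONS", "SERVERS", frozenset({445, 3389}), frozenset({"av", "ips"}), frozenset()),
    Rule("WORKSTATIONS", "WAN", frozenset(), frozenset({"av", "ips", "content_filter"}),
         frozenset({"bittorrent", "video_streaming"})),
    Rule("WAN", "SERVERS", frozenset({443}), frozenset({"av", "ips"}), frozenset()),
]
# A flow matching no rule is dropped (default deny between zones).

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def evaluate(src_ip: str, dst_ip: str, dst_port: int, app: str = "") -> dict:
    """Return the action and inspection services for one flow.
    `app` is a constructed stand-in for the application the firewall identifies."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Intra-zone traffic never crosses the firewall and is not inspected, which
        # is why the post puts servers and desktops in different zones.
        return {"action": "allow", "services": set(), "reason": f"intra-zone {src}"}
    for rule in POLICY:
        if rule.src == src and rule.dst == dst and (not rule.ports or dst_port in rule.ports):
            if app in rule.blocked_apps:
                return {"action": "drop", "services": set(rule.services), "reason": f"app {app} blocked"}
            return {"action": "allow", "services": set(rule.services), "reason": f"{src}->{dst}"}
    return {"action": "drop", "services": set(), "reason": f"no rule {src}->{dst}"}
```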
Layer Two:
Next, you need a good anti-virus package installed on your servers and desktops. Ideally, this software will be centrally managed and able to alert you automatically if there is an infection on a system, virus definitions get too far out of date, or any other criteria that you specify are met. Central management alleviates the load on your internet connection for updating the client systems. Updates are downloaded to one server and then pushed to the clients, versus having every computer in your company going online to download updates and potentially choking your internet connection for a period of time. This central console also lets you define policies that you can push to the clients. You can manage exceptions, as well as block unwanted applications. A couple of examples of good anti-virus software are Symantec Endpoint Protection and Avast Professional with the server component.
Layer Three:
Finally, there is the aspect of end user education. This involves learning and teaching the safe use of email systems, internet habits and social networking. In my experience, especially the last few years, the majority of viruses and spyware that I end up cleaning start with the user saying "I was just looking at something on Facebook, when…" or "I was just on Twitter and all of a sudden…". It may sound like I am advocating for the blocking of social networking sites, but the reality is that these sites are here to stay and are becoming more a part of our businesses each and every day. What I advocate is education of our users. Teach them to recognize invalid links. Teach them to think about posting patterns. If the post from their friend "Bob" doesn’t look like it was written by him, it is possible that "Bob" lost control of his account and a prankster created the post. The links in these kinds of posts can be anything from a benign advertisement to something that makes your account "like" the post, then automatically posts to all your friends’ walls, sending them to sites with "questionable material", and in turn causing their computers to become infected with malware of one variety or another.
Additional Layers:
In some instances, additional layers of security and traffic inspection may be employed. This may be as simple as a packet sniffer looking for errant traffic, or a traffic recording device that records every bit of data that enters or exits the network. This traffic can be reviewed manually, or sent through a program that can report any traffic anomalies.
Conclusion Part 1:
Defense in Depth, implemented even at its most basic levels, will help to ensure a consistent computing experience for your organization and your users. Whether it is the basic three layers described above, or a more in-depth implementation, Defense in Depth should be implemented in every organization. The hardware, software and training may be different in each organization, but the end result is a more secure environment for everyone.