Guest Column | July 7, 2015

Defense In Depth: Layering The Security Solutions You Provide

By Joshua Liberman, President, Net Sciences, ASCII Group Member Since 1996

Layering MSP Security Solutions

One of the more common questions I see in the field is why it is necessary to run antivirus on the server and desktops if the firewall already has it. It's a simple enough question, but the answer leads to one of the most important security concepts: layering, or Defense in Depth. Even when wearing body armor, taking cover still makes a lot of sense.

The Perimeter

It is probably safe to say that nowadays perimeter protection is a given. A solid firewall/UTM (unified threat management) device is simply the first step to securing your network. Modern UTM devices scan the packets of all data entering your network, employing signature-based detection to neutralize all known (more on this later) threats. UTM devices can also block data based on origin (employing botnet and GeoIP filtering), limit or block traffic based on application type (Layer 7 filtering), and perform such niceties as content filtering and even secure wireless access point management. But even the best UTM device cannot be everywhere at once, and even the best signature-based scanning can be beaten.

Server And Endpoint Protection

That is where server and endpoint protection comes in. If your firewall/UTM device employs a signature-based antimalware engine from Vendor A and you are looking for a second layer of protection for your server and endpoints, it makes a lot of sense to look to a different vendor for that next layer. Vendor B may produce a signature set that detects an attack Vendor A would have missed, and vice versa. This protection (antivirus, antimalware, software firewall) should exist on as many endpoints (desktops, laptops, tablets) as possible, so that this second line of defense is more of a vault door than a screen door. If your defenses are easily circumvented, they are not very good defenses.

Beyond Perimeter, Server, And Endpoints

The modern network doesn't have the nice, clean, linear perimeter of the past, so there are many more "points of entry" now, including wireless networks, USB devices, encrypted file sharing sites (Google Drive, Dropbox) and more. In some cases advanced UTM responses are sufficient (SSL deep packet inspection, for example), but in others the attacks are so sophisticated and propagate so quickly that zero-day attacks are more like zero-hour now. For these and other reasons, we are in the "twilight" of signature-based solutions, with more sophisticated "heuristic" analysis and response solutions moving into the small business space. These new devices and services monitor all network traffic, wired and wireless, and are the next frontier in layered security.
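The two points above (a second signature set from a different vendor catches what the first missed, and a heuristic layer catches what no signature set knows yet) can be made concrete with a small simulation. The following is an added example written for this column, not code from the author or from any UTM or antivirus product: the vendor "feeds" are simulated as sets of SHA-256 hashes, the sample payloads are constructed, labelled byte strings rather than real malware, and the heuristic layer is a simple Shannon-entropy check standing in for the behavioural analysis real products perform.

```python
"""Toy model of Defense in Depth: two signature-based layers from different
vendors followed by a heuristic (entropy) layer, run over constructed samples.

Everything here is an assumption for illustration: the vendor feeds, the layer
names and the sample payloads are made up, and no real signatures are used."""
import hashlib
import math
from dataclasses import dataclass

# ---- Constructed samples (plain labelled bytes, not real malware) ----
SAMPLE_KNOWN_A = b"constructed sample that vendor A's feed already knows"
SAMPLE_KNOWN_B = b"constructed sample that only vendor B's feed knows"
SAMPLE_PACKED = bytes(range(256)) * 4   # uniform bytes: looks packed/encrypted
SAMPLE_BENIGN = b"Quarterly report: revenue up, costs flat, see attached table." * 3

SAMPLES = {
    "known_to_a": SAMPLE_KNOWN_A,
    "known_to_b": SAMPLE_KNOWN_B,
    "packed": SAMPLE_PACKED,
    "benign": SAMPLE_BENIGN,
}


def sha256_hex(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


# Simulated signature feeds: each vendor knows a different (overlapping) subset.
VENDOR_A_FEED = frozenset({sha256_hex(SAMPLE_KNOWN_A)})
VENDOR_B_FEED = frozenset({sha256_hex(SAMPLE_KNOWN_A), sha256_hex(SAMPLE_KNOWN_B)})


@dataclass(frozen=True)
class SignatureLayer:
    """A layer that only recognises payloads whose hash is in its vendor's feed."""
    name: str
    feed: frozenset

    def inspect(self, payload: bytes) -> bool:
        return sha256_hex(payload) in self.feed


def shannon_entropy(payload: bytes) -> float:
    """Bits per byte of the payload; 8.0 means perfectly uniform, which is
    typical of packed or encrypted content and rare in ordinary documents."""
    if not payload:
        return 0.0
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class EntropyHeuristicLayer:
    """A signature-free layer: flags anything whose entropy exceeds the threshold."""
    name: str
    threshold: float = 7.0

    def inspect(self, payload: bytes) -> bool:
        return shannon_entropy(payload) >= self.threshold


PERIMETER = SignatureLayer("perimeter UTM (vendor A)", VENDOR_A_FEED)
ENDPOINT = SignatureLayer("endpoint AV (vendor B)", VENDOR_B_FEED)
HEURISTIC = EntropyHeuristicLayer("heuristic monitor")
ALL_LAYERS = (PERIMETER, ENDPOINT, HEURISTIC)


def first_layer_to_catch(payload: bytes, layers=ALL_LAYERS):
    """Return the name of the first layer that flags the payload, or None if
    it passes every layer (a benign file, or a miss across the whole stack)."""
    for layer in layers:
        if layer.inspect(payload):
            return layer.name
    return None


def coverage(samples: dict, layers) -> set:
    """Labels of the samples that at least one of the given layers catches."""
    return {label for label, payload in samples.items()
            if first_layer_to_catch(payload, layers) is not None}


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:11} -> {first_layer_to_catch(payload) or 'passed every layer'}")
    print("perimeter only catches:", sorted(coverage(SAMPLES, (PERIMETER,))))
    print("all layers catch:      ", sorted(coverage(SAMPLES, ALL_LAYERS)))
```

Run as a script, it shows the perimeter alone catching only the sample in Vendor A's feed, the endpoint layer picking up the one only Vendor B knows, and the entropy heuristic flagging the packed sample that neither feed has a signature for, while the benign document passes all three. Swapping the order of the layers changes which one reports the catch but not the overall coverage, which is the point of layering.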

With our current signature-based defenses against malware and intrusions, best practice always involves layering those defenses, typically at the perimeter, server and endpoint, using multiple vendors. The sophistication and virulence of the newer threats push traditional signature-based defenses to their limit, making layering all the more vital to your defense.