Understanding layered security and defense in depth

What are "layered security" and "defense in depth" and how can they be employed to better protect your IT resources? Understanding these strategies and how they can be used to improve your own security is important for any system or network administrator.

Sometimes it seems like everybody talks about "layered security", "layered defense", or "defense in depth", but nobody really knows what it means. The three phrases are often used interchangeably -- but just as often, someone will use two of them to mean completely different things. There are actually two separate, but in some respects very similar, concepts that may be named by these phrases.

Layered Security

A layered approach to security can be implemented at any level of a complete information security strategy. Whether you are the administrator of only a single computer, accessing the Internet from home or a coffee shop, or the go-to guy for a thirty thousand user enterprise WAN, a layered approach to security tools deployment can help improve your security profile.

In short, the idea is an obvious one: that any single defense may be flawed, and the most certain way to find the flaws is to be compromised by an attack -- so a series of different defenses should each be used to cover the gaps in the others' protective capabilities. Firewalls, intrusion detection systems, malware scanners, integrity auditing procedures, and local storage encryption tools can each serve to protect your information technology resources in ways the others cannot.

Security vendors offer what some call vertically integrated vendor stack solutions for layered security. A common example for home users is the Norton Internet Security suite, which provides (among other capabilities):

  1. an antivirus application
  2. a firewall application
  3. an anti-spam application
  4. parental controls
  5. privacy controls

Corporate vendors of security software are in an interesting position. In order to best serve their business goals, they must on one hand try to sell integrated, comprehensive solutions to lock customers into single-vendor relationships, and on the other, try to sell components of a comprehensive layered security strategy individually to those who are unlikely to buy their own integrated solution -- and convince such customers that a best-of-breed approach is better than a vertically integrated stack approach to do it.

This contradictory set of needs has produced quite a few conflicting marketing pitches from security software vendors, and produces a lot of confusion among client bases at times. For this reason alone, it is no wonder that people are often at a loss to clearly articulate any reasonable, practical definition of "layered security".

The term "layered security" does not refer to multiple implementations of the same basic security tool. Installing both ClamWin and AVG Free on the same MS Windows machine is not an example of layered security, even if it achieves some of the same benefit -- making several tools each cover for the others' failings. This is a case of redundancy rather than layering; by definition, layered security is about multiple types of security measures, each protecting against a different vector for attack.

Defense In Depth

Originally coined in a military context, the term "defense in depth" refers to an even more comprehensive security strategy approach than layered security. In fact, one might say that just as a firewall is only one component of a layered security strategy, layered security is only one component of a defense in depth strategy.

Layered security arises from the desire to cover for the failings of each component by combining components into a single, comprehensive strategy, the whole of which is greater than the sum of its parts, focused on technology implementation with an artificial goal of securing the entire system against threats. Defense in depth, by contrast, arises from a philosophy that there is no real possibility of achieving total, complete security against threats by implementing any collection of security solutions. Rather, technological components of a layered security strategy are regarded as stumbling blocks that hinder the progress of a threat, slowing and frustrating it until either it ceases to threaten or some additional resources -- not strictly technological in nature -- can be brought to bear.

A layered security solution also assumes a singular focus on the origins of threats, within some general or specific category of attack. For instance, vertically integrated layered security software solutions are designed to protect systems that behave within certain common parameters of activity from threats those activities may attract, such as Norton Internet Security's focus on protecting desktop systems employed for common purposes by home users from Internet-borne threats. Defense in depth, on the other hand, assumes a broader range of possibilities, such as physical theft followed by forensic recovery of data by unauthorized persons, incidental threats as a result of dangers that do not specifically target the protected systems, and even perhaps such exotic threats as van Eck phreaking.

Defense in depth strategies also include security preparations that are not directly protective. They address such concerns as:

  1. monitoring, alerting, and emergency response
  2. authorized personnel activity accounting
  3. disaster recovery
  4. criminal activity reporting
  5. forensic analysis

One of the most important factors in a well-planned defense in depth strategy is taking advantage of threat delay. By ensuring rapid notification and response when attacks and disasters are underway, and delaying their effects, damage avoidance or mitigation that cannot be managed by purely technological measures can be enacted before the full effects of a threat are realized. For instance, while a honeypot system may not itself stop a malicious security cracker who has gained unauthorized access to a network indefinitely, it might facilitate notification of the breach to network security specialists and delay his progress long enough that the security specialists can identify and/or eject the intruder before any lasting damage is done.

Layered Security vs. Defense In Depth

Layered security and defense in depth are two different concepts with a lot of overlap. They are not, however, competing concepts. A good layered security strategy is extremely important to protecting your information technology resources. A defense in depth approach to security widens the scope of your attention to security and encourages flexible policy that responds well to new conditions, helping ensure you are not blindsided by unexpected threats.

Each of these strategic philosophies of security should inform your treatment of the other, so that circumstances that would normally overwhelm a narrower, more brittle security strategy, such as simultaneous attacks by independent threats, far greater intensity of attack than expected, and threats that seem to have strayed from their more common targets, might all be effectively warded off. Both are worth understanding -- and the first step to that is understanding how they differ from one another, how they are similar, and the relationship between them.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

10 comments
lastdisciple

Is there any training you recommend if you are new to security?

apotheon

Has this article helped clarify the differences and relationship between layered security and defense in depth? Is there more you'd like to know about one or both? What layered security and defense in depth measures do you employ or recommend for others? What mistakes in these areas do you think are too common, and should be addressed?

robo_dev

Of course the Internet is one big classroom.... If you are looking to get certification such as CISSP or Security+, there are lots of prep courses for that. If you have a particular technology to support, then get trained to be an expert on that technology, and you'll be well equipped to configure that technology securely.

apotheon

I haven't kept up with formal security training trends, so I'm afraid I don't have any recommendations for that. On the other hand, you can get started by reading my very first article for TechRepublic's IT Security Weblog, "Five steps to becoming the local security guru" (http://blogs.techrepublic.com.com/security/?p=256), if you're willing and able to teach yourself. If you can't/won't teach yourself, you'd probably just be another paper-cert "industry best practices" kind of guy anyway.

Neon Samurai

That's the most common error I see these days. "Why should I use the wifi switch on my computer when I'm only connecting to trusted networks and the network at the airport? Turning my wireless off and on is too complicated." "Why should we turn on firewalls for individual machines when we have a firewall on the gateway? Besides, that will make administering machines remotely more complicated." And on.. and on.. Now, that's not all bad. I like having to justify my recommendations with solid supporting points. I wouldn't want to make a recommendation I couldn't back up with sound reasons. It does put some work ahead of me though.

robo_dev

It was thought provoking and on-target. You do mention one vendor's product twice in the article....and my experience with that vendor has been a love/hate relationship over time, and getting lovey-dovey with one vendor hurts your cred. One suggestion would be to add more real-world examples, such as a web-based application, protected by a firewall, with a backend database with encrypted fields being monitored by an IDS/IPS. An effective defense-in-depth strategy for a critical web-based application is waaaaay more than just a well patched server and a good firewall. It starts with your change management process for application development, and goes as far as what type of background checks your HR department performs for new hires. The biggest mistakes in these areas are underestimating the enemy and not having strong IT governance and discipline. Underestimating the Enemy: Today there are thousands of people whose sole source of income is breaching computer security in order to steal money or information. Lack of IT Governance and Discipline: The most secure encrypted firewalled fortress can be hacked if your security guy has a bad day and pushes a bad firewall rule by accident.

trent

There aren't enough organizations that use automated user access control and posture for endpoints in their networks. A policy server can help force users laptops to run A/V or A/S apps to do what you're talking about. Most I talk to about our product don't understand that you can make it easier for the user. Frustrating...

apotheon

"You do mention one vendor's product twice in the article....and my experience with that vendor has been a love/hate relationship over time, and getting lovey-dovey with one vendor hurts your cred." I only used it as an example. I didn't say it was any good. Personally, I think Norton Internet Security is crap -- but that's not what the article was about. I only mentioned it more than once to maintain a consistent example context. The reason I chose NIS for that purpose is simply the fact that it's the market dominating product in its class, with more market share than its direct competitors.

apotheon

The problem with that suggestion is that I tend to feel that selling vertically integrated vendor stacks leads one to make the same mistakes Symantec has with Norton Internet Security. In short, the reason I dislike NIS is basically the reason I dislike vertically integrated vendor stacks -- so I didn't see any reason not to just use NIS as my example. In fact, I think NIS is one of the best examples one could come up with, because it is widely known for its failings -- and thus serves as a good demonstration of what's wrong with vertically integrated vendor stack design. . . . and thanks for the overall positive review of the article.

robo_dev

Any time I read any article, I tend to make assumptions about the author based on the details of the story. So when a product of any type is mentioned, this makes me question if there is any subtle endorsement going on, that's all. If you truly despise the processor-hogging, popup generating trainwreck that NIS is, then my suggestion is to pick something else, that's all. My suggestion would be to pick an example of a product that most security folks would have respect for....Checkpoint Firewall-1? SecureComputing Sidewinder Firewall? Again, a good article which expresses a concept that is often misunderstood. cheers