
Building an In-Depth Defense

posted on July 12, 2001
by hitbsecnews

Network security continues to grow more complex. Services that once were centralized and available to a relatively small group of internal users are becoming decentralized and available to a wide audience via the Internet and extranets. For many organizations, the audience now comprises users within the enterprise as well as customers, business partners and prospects beyond traditional network boundaries.

Enabling access to critical applications and data while maintaining the confidentiality, integrity and availability of these resources can be a daunting task. One of the first steps to completing it is to use network segmentation and access-control methodologies.

Defense in Depth

Defense in depth is the practice of layering defenses to provide added protection. Defense in depth increases security by raising the cost of an attack. The approach places multiple barriers between an attacker and your business-critical information resources: The deeper an attacker tries to go, the harder it gets. These layers prevent direct attacks against important systems and make reconnaissance of your networks harder. In addition, a defense-in-depth strategy provides natural places to deploy intrusion-detection technologies. Ideally, the defense-in-depth measures you implement should buy you time to detect and respond to a breach, reducing its impact.

In many environments, defense in depth can be implemented with few incremental equipment costs. Most router and switch vendors provide access-control mechanisms within their products. Although many security professionals would not rely solely on VLANs (virtual LANs) and router ACLs (access-control lists) for Internet-based security controls, their implementation as internal controls can be valuable. The keys are to ensure that these mechanisms are implemented according to your business risks and that they are monitored and maintained.

Classifying Network-Security Domains

To implement a network-access control, such as a firewall, you must define the boundaries between security domains in your enterprise. A network-security domain is a region of a network that shares a common security policy. Most companies begin to define network-security domains simply when they connect to the Internet. But today's business models require connectivity--logical and physical--between your enterprise and the Internet and between your enterprise and the networks of business partners, information providers and customers.

A simple, two-domain network security model doesn't capture the complexity of the relationships between these various networks. From a security perspective, the differences between networks are much more complicated than "internal" and "not internal." With this scheme, how would you categorize extranet connections to business partners? What about systems and networks that support highly sensitive functions, such as HR?

Clearly, some networks have different security needs. To further complicate matters, some highly sensitive networks may need to provide services to a larger population. For example, an HR network may want to set up an intranet for employee self-service, letting workers view their time-off allotment or change insurance beneficiaries or mailing addresses.

Once you have defined the network-security domains within your enterprise, it's necessary to examine the interactions between domains. This includes the traffic and data flows, as well as the access required. Access-control technologies can be used to manage security-policy enforcement at the boundaries between network-security domains, and network intrusion-detection solutions can be used to monitor for attacks and other violations. The remaining step is to find a way to keep critical data protected while still providing access for authorized personnel.

A critical network-design element that has found its place in Internet hosting is the demilitarized zone, or DMZ. This element can be used internally, as well as for Internet and extranet services, to provide an additional layer of control and security to protect critical information resources.

DMZ

The term demilitarized zone comes to the IS world from the military, where it is defined as an area in which military actions are prohibited. In the technology arena, DMZs were first defined as the network segment between the external interface of a firewall and the internal interface of an external (often an Internet) router.

The term has evolved, however, to mean an isolated network segment for providing services to untrusted systems. Today it is most often used by IT professionals to refer to a network segment between two firewalls (see "Sandwich DMZ"), or a "dead-end" or "wing" network connected to a firewall (see "Single-Firewall DMZ"). Other common names for a DMZ are services network and atrium.

Regardless of its name, the DMZ's purpose is to segregate sensitive internal networks from other networks while allowing services to be offered--a defense-in-depth strategy for the network layer. Traffic cannot flow into or out of the DMZ without being forwarded through a network access-control system.

Policies on firewalls and access-control systems define and restrict all traffic passing through the DMZ. In contrast, traffic flow on the Internet and between internal corporate networks is usually unrestricted.

DMZ's Primary Role

The primary role of a DMZ is to mitigate risks associated with offering services to untrusted clients. A DMZ accomplishes this by providing network-level protection for your hosting environment, as well as segregating public hosting facilities from your private network infrastructure.

For example, if you're hosting a Web site, anyone with a browser can connect to it. Without a DMZ configuration, your hosting systems reside either outside your firewall (exposed to the Internet) or on a network segment in your internal network. The former scenario leaves your Web-hosting environment open to all attacks. The latter could lead to attacks against other internal, more critical systems should your Web-hosting systems be compromised. A DMZ lets you protect your Internet servers while safeguarding your mission-critical internal systems.

DMZs also play a role in securing other services inside the enterprise: those systems and data--HR or payroll records, for example--that should be available only to certain staff members. Because a relatively small population needs access to this data, you can segregate these systems to improve security.

An internal DMZ is ideal for the self-service HR intranet we mentioned. The DMZ lets you protect both the Web application server and the critical database systems (see "Secure DMZ Configuration"). This is because you need to allow only HTTP/HTTPS traffic into the DMZ Web server and database network traffic (such as SQLnet) from the DMZ Web server to the HR database system.

In most enterprises the perception is that a firewall provides a hardened perimeter. However, the security of internal networks and hosts is usually very soft. In such an environment, a non-DMZ system that is offering services to the Internet creates the opportunity to leapfrog to other hosts in the soft interior of your network. In this scenario your internal network is fair game for any attacker who manages to penetrate your so-called hard perimeter. Given the vulnerabilities and exploits available, it is safe to assume that your perimeter will be breached. It's only a question of when and how (see "Anatomy of a Network Intrusion," October 18, 1999).

One approach is to put into a DMZ hosts that do not contain sensitive data but instead proxy access to the data. This can occur via an application interface, such as a Web site, or via a network protocol reverse proxy, such as HTTP or SQLnet. This separation of data from the application layer within the network provides an additional level of security, because a compromise of the DMZ system doesn't directly expose the internal systems that house business-critical data to network attacks. Now an attacker has an additional barrier to overcome once an initial penetration has been successful. And you have more time to respond to the attack before critical data is compromised.

Host Hardening

A DMZ configuration provides a natural layer for the implementation of additional security measures, such as host hardening and network or host-based intrusion detection. Host hardening is the process of configuring host systems so they are more secure than the default configuration, which typically is sorely lacking in security. Implementing host security raises an attack's difficulty and cost.

As an IT administrator, you may not be able to require that all systems deployed in an enterprise meet strict hardened security requirements. However, you may be able to insist on such requirements for DMZ-based systems and business-critical back-end systems, because they are a small subset of existing systems and there is a general understanding that they are exposed to higher risks than are general-purpose internal systems. Also, the effort in managing and maintaining this special high-security configuration is relatively low, because it comprises a small number of systems.

Border Patrol

A DMZ configuration with intrusion detection can add significant security benefits. As noted, the DMZ buys time for administrators to respond to an attack, because the attack is segregated from internal systems by your network-access controls. Your high-value data and systems are elsewhere, so the attacker must spend time finding a way out of your DMZ and into them. This "time-based" security lets you protect business-critical systems and data through the use of monitoring and response procedures. The key is to make sure you have properly tuned your intrusion-detection sensors and that your incident-response procedures are well-defined and communicated.

Limit Egress Traffic

A DMZ also can limit outbound access to extranets or the Internet. Restricting outbound access from DMZ hosts improves the security of your internal systems and prevents an intruder from using your network as a launching pad for attacks against others. If your DMZ allows only essential outbound traffic, the chance that a compromised DMZ system will be used to attack a third party or your internal systems is greatly reduced.
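The following is an added example, not code from the article: a first-match, default-deny model of the access policy for the internal HR DMZ described earlier (HTTP/HTTPS into the DMZ web server, SQLnet from the web server to the HR database) combined with the egress restriction discussed in this section. It includes an audit that lists everything a compromised DMZ host could still reach, and a deliberately over-broad "troubleshooting" rule to show what that audit catches. The addresses, ports, rule names and sample flows are assumptions chosen for illustration.

```python
"""Added example (not code from the article): a first-match, default-deny model of
the access policy for the internal HR DMZ, with an audit that shows what a
compromised DMZ host could still reach. Addresses, ports and rule names are
assumptions chosen for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the three security domains in the HR example.
ZONES = {
    "intranet": ip_network("10.1.0.0/16"),  # employee workstations (self-service clients)
    "dmz":      ip_network("10.2.0.0/24"),  # HR web application server
    "hr_back":  ip_network("10.3.0.0/24"),  # HR database, internal resolver
}
WEB = "10.2.0.10"   # DMZ web server (assumed)
HRDB = "10.3.0.20"  # HR database; Oracle listener (SQL*Net) on TCP 1521 (assumed)
DNS = "10.3.0.53"   # internal resolver the web server may query (assumed)


def zone_of(ip):
    """Security domain of a single address; anything outside ZONES is the Internet."""
    a = ip_address(ip)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


def zone_of_net(cidr):
    """Security domain a rule's CIDR falls in (first overlapping zone wins)."""
    n = ip_network(cidr)
    for name, net in ZONES.items():
        if n.overlaps(net):
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp" or "udp"
    dports: frozenset   # permitted destination ports; empty means any port
    action: str         # "permit" or "deny"

    def matches(self, f):
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto == f.proto
                and (not self.dports or f.dport in self.dports))


# Inbound: only the web server, only HTTP/HTTPS, only from employees.
# DMZ -> back end: only the web server, only the database listener.
# Egress: only what the service needs. No rule lets the DMZ reach the Internet
# or the intranet, so a compromised web server cannot pivot or attack others.
POLICY = [
    Rule("intranet->web http/https", "10.1.0.0/16", f"{WEB}/32", "tcp", frozenset({80, 443}), "permit"),
    Rule("web->hrdb sqlnet", f"{WEB}/32", f"{HRDB}/32", "tcp", frozenset({1521}), "permit"),
    Rule("dmz->internal dns", "10.2.0.0/24", f"{DNS}/32", "udp", frozenset({53}), "permit"),
]

# The kind of over-broad rule that creeps in during troubleshooting and is never removed.
LOOSE_POLICY = POLICY + [
    Rule("dmz->hr_back any tcp (troubleshooting)", "10.2.0.0/24", "10.3.0.0/24", "tcp", frozenset(), "permit"),
]


def evaluate(flow, policy=POLICY):
    """First matching rule wins; a flow that matches nothing is dropped (implicit deny)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def dmz_reach(policy=POLICY):
    """Audit: every (zone, proto, port) the DMZ is permitted to reach.
    For the HR design this should be exactly the SQL*Net listener plus DNS."""
    reach = set()
    for r in policy:
        if r.action == "permit" and ip_network(r.src).overlaps(ZONES["dmz"]):
            for port in (r.dports or {"any"}):
                reach.add((zone_of_net(r.dst), r.proto, port))
    return reach


# Constructed sample flows covering the cases the article discusses.
SAMPLE_FLOWS = {
    "employee browses HR site":       Flow("10.1.4.7", WEB, "tcp", 443),
    "employee connects to DB direct": Flow("10.1.4.7", HRDB, "tcp", 1521),
    "web server queries HR DB":       Flow(WEB, HRDB, "tcp", 1521),
    "web server probes DB over SSH":  Flow(WEB, HRDB, "tcp", 22),
    "web server pivots to intranet":  Flow(WEB, "10.1.4.7", "tcp", 445),
    "web server egress to Internet":  Flow(WEB, "203.0.113.9", "tcp", 80),
    "Internet host hits HR web":      Flow("198.51.100.5", WEB, "tcp", 443),
}


def decide_all(policy=POLICY, flows=SAMPLE_FLOWS):
    """Verdict for each sample flow under a policy."""
    return {label: evaluate(f, policy)[0] for label, f in flows.items()}


if __name__ == "__main__":
    for label, verdict in decide_all().items():
        print(f"{verdict:6s} {label}")
    print("DMZ can reach:", sorted(dmz_reach(), key=str))
    print("with loose rule:", sorted(dmz_reach(LOOSE_POLICY), key=str))
```

Running the block prints the verdict for each sample flow and the DMZ reachability audit twice: once for the tight policy, where the DMZ can reach only the database listener and the resolver, and once with the troubleshooting rule, where every TCP port on the back-end network becomes reachable from the DMZ. That audit, not the individual rules, is what to review when the page's advice to keep access controls "monitored and maintained" is put into practice.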

The key to realizing a DMZ's benefits is to understand that it is only part of a comprehensive program for defense in depth. The value of a DMZ can be increased through intrusion-detection systems and host-based security measures. This combination of controls and monitoring technologies can go a long way to mitigating the risks associated with providing broad access to business-critical data.

Brooke Paul is vice president of AFG Technology Division, part of American Financial Group. His duties include information security program management for AFG. Send your comments on this article to him at bpaul@nwc.com. The opinions expressed here represent the author's opinions and not necessarily those of AFG, its affiliates or subsidiaries.

Source: Network Computing
