Defense in Depth
Defense in depth is the practice of layering defenses to provide added protection. Defense in depth increases security by raising the cost of an attack. This approach places multiple barriers between an attacker and your business-critical information resources: the deeper an attacker tries to go, the harder it gets. These multiple layers prevent direct attacks against important systems and avert easy reconnaissance of your networks. In addition, a defense-in-depth strategy provides natural areas for the implementation of intrusion-detection technologies. Ideally, the defense-in-depth measures you implement should buy you time to detect and respond to a breach, reducing its impact.
In many environments, defense in depth can be implemented with few incremental equipment costs. Most router and switch vendors provide access-control mechanisms within their products. Although many security professionals would not rely solely on VLANs (virtual LANs) and router ACLs (access-control lists) for Internet-based security controls, their implementation as internal controls can be valuable. The keys are to ensure that these mechanisms are implemented according to your business risks and that they are monitored and maintained.
Classifying Network-Security Domains
To implement a network-access control, such as a firewall, you must define the boundaries between security domains in your enterprise. A network-security domain is a region of a network that shares a common security policy. Most companies begin to define network-security domains simply when they connect to the Internet. But today's business models require connectivity--logical and physical--between your enterprise and the Internet and between your enterprise and the networks of business partners, information providers and customers.
A simple, two-domain network security model doesn't capture the complexity of the relationships between these various networks. From a security perspective, the differences between networks are much more complicated than "internal" and "not internal." With this scheme, how would you categorize extranet connections to business partners? What about systems and networks that support highly sensitive functions, such as HR?
Clearly, some networks have different security needs. To further complicate matters, some highly sensitive networks may need to provide services to a larger population. For example, an HR network may want to set up an intranet for employee self-service, letting workers view their time-off allotment or change insurance beneficiaries or mailing addresses.

Once you have defined the network-security domains within your enterprise, it's necessary to examine the interactions between domains. This includes the traffic and data flows, as well as the access required. Access-control technologies can be used to manage security-policy enforcement at the boundaries between network-security domains, and network intrusion-detection solutions can be used to monitor for attacks and other violations. The remaining step is to find a way to keep critical data protected while still providing access for authorized personnel.
A critical network-design element that has found its place in Internet hosting is the demilitarized zone, or DMZ. This element can be used internally, as well as for Internet and extranet services, to provide an additional layer of control and security to protect critical information resources.
DMZ
The term demilitarized zone comes to the IS world from the military, where it is defined as an area in which military actions are prohibited. In the technology arena, DMZs were first defined as the network segment between the external interface of a firewall and the internal interface of an external (often an Internet) router.
The term DMZ has evolved, however, to mean an isolated network segment for providing services to untrusted systems. Today the term is most often used by IT professionals to refer to a network segment between two firewalls (see "Sandwich DMZ"), or a "dead-end" or "wing" network connected to a firewall (see "Single-Firewall DMZ"). Other common names for a DMZ are services network and atrium.

Regardless of its name, the DMZ's purpose is to segregate sensitive internal networks from other networks while allowing services to be offered--a defense-in-depth strategy for the network layer. Traffic cannot flow into or out of the DMZ without being forwarded through a network access-control system.
Policies on firewalls and access-control systems define and restrict all traffic passing through the DMZ. In contrast, traffic flow on the Internet and between internal corporate networks is usually unrestricted.
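The following is an added example, not part of the original article, that models the two ideas above in code: classifying addresses into network-security domains (Internet, DMZ, internal, HR) and evaluating a default-deny boundary policy between them, so that no traffic reaches an internal domain from the Internet without first terminating in the DMZ. The address ranges, port numbers and rules are constructed for illustration (RFC 5737 TEST-NET-1 stands in for the public DMZ range); they are not taken from the article and are not a recommended production policy. The `direct_exposures` audit is a simple check a defender can run over a rule set to find allow rules that would let Internet traffic bypass the DMZ.

```python
"""Added example: network-security domains and a default-deny boundary policy.

Domains, addresses, ports and rules are constructed for illustration only.
IPv4 addresses only; the catch-all 0.0.0.0/0 domain is "internet".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed domains. The most specific prefix wins, so the HR segment
# carved out of the internal range is classified as its own domain.
DOMAINS = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),   # TEST-NET-1 placeholder
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "hr":       ipaddress.ip_network("10.50.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str       # source domain name
    dst: str       # destination domain name
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    action: str    # "allow" or "deny"


# Constructed policy, first match wins. The only inbound path from the
# Internet ends in the DMZ; the DMZ may reach one internal service; the HR
# self-service intranet is reachable only from the internal domain.
# Anything not listed falls through to the default deny.
POLICY: List[Rule] = [
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "internal", "tcp", 5432, "allow"),
    Rule("internal", "hr", "tcp", 443, "allow"),
    Rule("internal", "internet", "tcp", 443, "allow"),
]


def classify(ip: str) -> str:
    """Return the most specific domain containing the IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[str] = None
    for name, net in DOMAINS.items():
        if addr in net and (best is None or net.prefixlen > DOMAINS[best].prefixlen):
            best = name
    assert best is not None  # 0.0.0.0/0 always matches an IPv4 address
    return best


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             policy: List[Rule] = POLICY) -> Tuple[str, Optional[Rule]]:
    """Decide a flow at the domain boundary.

    Traffic that stays inside one domain never crosses a control point and is
    reported as allowed with no rule; traffic between domains is allowed only
    by an explicit rule, otherwise denied. The matched rule (or None on the
    default deny) is returned so the caller can log it for monitoring.
    """
    src, dst = classify(src_ip), classify(dst_ip)
    if src == dst:
        return "allow", None
    for rule in policy:
        if (rule.src, rule.dst, rule.proto, rule.dport) == (src, dst, proto, dport):
            return rule.action, rule
    return "deny", None


def direct_exposures(policy: List[Rule]) -> List[Rule]:
    """Audit: allow rules that let Internet traffic skip the DMZ entirely."""
    return [r for r in policy
            if r.src == "internet" and r.dst != "dmz" and r.action == "allow"]


if __name__ == "__main__":
    flows = [("203.0.113.9", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web
             ("203.0.113.9", "10.1.2.3", "tcp", 443),     # Internet -> internal (blocked)
             ("203.0.113.9", "10.50.0.7", "tcp", 443),    # Internet -> HR (blocked)
             ("10.1.2.3", "10.50.0.7", "tcp", 443),       # employee -> HR intranet
             ("192.0.2.10", "10.1.2.3", "tcp", 5432)]     # DMZ web -> internal DB
    for f in flows:
        action, rule = evaluate(*f)
        print(f"{classify(f[0]):>8} -> {classify(f[1]):<8} {f[2]}/{f[3]}: {action}"
              + (f" ({rule})" if rule else ""))
    print("direct exposures:", direct_exposures(POLICY))
```

Because `evaluate` returns the matching rule, a denied cross-domain flow can be written to a log with the source and destination domain names, which is the kind of boundary event an intrusion-detection sensor placed at the DMZ edge would want to see. The audit deliberately treats any Internet-to-non-DMZ allow rule as a finding, regardless of port, since the point of the DMZ is that external traffic terminates there.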