defense in depth: (DOD, NATO) The siting of mutually
supporting defense positions designed to absorb and progressively
weaken attack, prevent initial observations of the whole position by
the enemy, and to allow the commander to maneuver his reserve.
--- from the DOD Dictionary of Military Terms
Defense in depth design principles
Defense in depth is a fundamental design principle for security
and defensive systems. It is a key strategy when planning the overall
defensive design of a castle, computer network, city, force
positioning, or computer system. In some ways, it is the
application of design margin to security. By ensuring that security
has no single point of failure, weaknesses in design,
implementations, algorithms, or protocols are not fatal by themselves.
There are a number of aspects to defense in depth:
- Layering for redundancy: Defenses should be composed from
multiple independent layers. If any one layer should fail,
the other layers remain to protect the critical assets.
It is important that the redundancy of layers is real
and that there are no attack tree paths that
are substantially weaker than others. The overall
security of the system is only as strong as its weakest link,
so it's important that layers are composed on all paths.
- Visibility into failures: It is important to have
visibility into the integrity of every layer. It should
ideally not be possible for any one layer to be compromised or
otherwise fail without this being detected. This gives the
defender early detection of attacks, along with the
corresponding ability to respond, reposition defenses, or
counter-attack. It also allows the defender to estimate the
degree of compromise, providing the ability for measured
response.
- Limit externally-visible exposure: By layering defenses,
attackers may only have information about the layers that are
exposed to them, either initially or through the
compromise of outer layers. This severely limits their ability
to plan ahead, making their attack both slower and more likely to
be noticed. This should be taken only as an added benefit, however,
since there is a serious risk in relying on security through
obscurity and underestimating the amount of information
available to an attacker. Still, to avoid detection an attacker must be
perfect while simultaneously being ignorant of what lies ahead.
- Containment of failures: By compartmentalizing defenses,
compromises can be limited to portions of a system.
Incident response can then be a measured response
that targets the compromised areas rather than having
to treat everything as potentially compromised
(although it is worth erring on the side of assuming that things
have been compromised unless you know for certain that they haven't been).
The principle of defense in depth makes
sense to apply to both a full system and to individual subsystems.
In this way, it can be composed fractally where layered
defenses are apparent at all scales.
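The weakest-link point above (layers must be composed on all paths, not just the obvious one), worked through on a small attack graph as an added example that is not from the original text. Layer names, the two routes to the asset, and the per-layer bypass costs are all constructed; summing costs along a path is a deliberate simplification to make the weakest path visible, not a claim about how real defenses compose.

```python
"""Weakest-path model of layered defenses (constructed example)."""
from typing import Dict, List, Tuple

Paths = Dict[str, List[str]]  # route name -> layers the attacker must bypass in order

# Hypothetical bypass costs, in abstract units of attacker effort.
LAYER_COST: Dict[str, int] = {
    "perimeter_firewall": 5,
    "network_ids": 2,            # detection layer: cheap to pass, costly to pass unnoticed
    "internal_segmentation": 4,
    "host_hardening": 3,
    "app_layer_auth": 6,
    "laptop_policy": 1,          # weak controls on laptops that go home and come back
}


def path_cost(layers: List[str], costs: Dict[str, int] = LAYER_COST) -> int:
    """Effort to reach the asset along one route: every layer on it must be bypassed."""
    return sum(costs[layer] for layer in layers)


def weakest_path(paths: Paths, costs: Dict[str, int] = LAYER_COST) -> Tuple[str, int]:
    """The system is only as strong as the cheapest route to the asset."""
    return min(((name, path_cost(layers, costs)) for name, layers in paths.items()),
               key=lambda item: item[1])


def with_layer(paths: Paths, path_name: str, layer: str) -> Paths:
    """Copy of the graph with one more layer composed onto a single route."""
    updated = {name: list(layers) for name, layers in paths.items()}
    updated[path_name].append(layer)
    return updated


# Two constructed routes to an internal authentication server: the direct one
# from the Internet, and the one a laptop infected at home takes past the perimeter.
ROUTES: Paths = {
    "internet_direct": ["perimeter_firewall", "network_ids", "internal_segmentation",
                        "host_hardening", "app_layer_auth"],
    "via_employee_laptop": ["laptop_policy", "host_hardening", "app_layer_auth"],
}

if __name__ == "__main__":
    print(weakest_path(ROUTES))
    # More perimeter hardening leaves the weakest route exactly where it was...
    print(weakest_path(with_layer(ROUTES, "internet_direct", "internal_segmentation")))
    # ...while composing a layer onto the weak route raises the whole system's floor.
    print(weakest_path(with_layer(ROUTES, "via_employee_laptop", "internal_segmentation")))
```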
In constructing defensive layers, different types of layers may be
used to serve different purposes. With many of these layers, the degree
of defense they provide does not simply compose additively or multiplicatively.
Some different purposes for layers include:
- Primary defense: These layers comprise the key to the defense
of any subsystem and when taken together defend against all attacks
against the subsystem. Every subsystem must have one or more of these
layers. In many cases, this layer is simply vigilance in
design and implementation.
- Attack/intrusion detection:
These layers are often transparent or invisible to attackers,
but provide defenders with information about attackers,
the nature of attacks, and their degree of success at compromise.
- Focused defense: These layers, designed to be used
in conjunction with more general-purpose defenses,
defend against particular attacks. These can be used to
strengthen the weaker parts of primary defenses and
to add additional protection against common attacks.
- Raising the bar: These layers do not necessarily
stand alone or provide any real protection but instead
make attacks harder and decrease the number of potential attackers
who have the skills and resources to mount a successful attack.
Security through obscurity may not be effective as a primary
defense, but it can help raise the bar.
Examples in physical defensive strategies
Defense in depth has been employed for thousands of years
in the design of fortifications. Castles are
one of the better demonstrations of the effectiveness
of this design principle. Medieval castles
had multiple layers of defense, going from the hill
or position in which they were built, to far outer walls,
to a moat, to the primary outer walls (bailey), to inner walls, to
an inner keep/tower, to defenses within the tower.
The outermost defenses would slow down attackers and reduce
the element of surprise while the defenders could fall back
to inner positions as outer layers were compromised.
Examples in networks and computer systems
When applied to computer networks, systems,
and individual hosts, defense in depth involves placing redundant
protections at many levels. On the perimeter, a corporate network
may have a firewall and an IDS (intrusion detection system).
Internally, the network may be compartmentalized such that servers
and user machines for different organizations are firewalled from each
other. Critical assets (such as authentication servers) may even
have additional protections in front of them.
In addition to layered perimeter defenses, individual machines and
communication channels should have their own protections.
Machines should themselves be protected
(for example, by only running services that need to be
running, applying security patches promptly, etc.). Machines
should avoid transitive trust, and the principle of
least privilege should be obeyed. Machines should have host-based
intrusion detection systems (such as virus checkers).
Even if network layer channels between machines are encrypted
through something like IPsec, end-to-end security
(encryption, authentication, and authorization) should still be
performed at or close to the application layer.
Software components running on machines can also be designed for
defense in depth. In addition to paranoid design and implementation
(for example, in avoiding buffer overruns), components
should validate their inputs and not implicitly trust even
other components running on the same machine. When possible,
components should only have the capabilities that they need
and should be running in restricted environments.
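The end-to-end checks described above (application-layer authentication and authorization performed whether or not IPsec protects the channel, plus strict validation of input even from a peer on the same machine), as an added example that is not from the original text. The shared key, the service names, the authorization table, and the message format are constructed for illustration; every rejection is recorded so the detection layer gets visibility into failures.

```python
import hmac
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed key and authorization table (hypothetical service names).
SHARED_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_ACTIONS = {
    "billing-svc": {"read_balance"},
    "reporting-svc": {"read_balance", "list_accounts"},
}
# Events handed to the detection layer: every rejected message is visible.
detections: List[str] = []


def _mac(sender: str, seq: int, payload: bytes) -> str:
    """Application-layer MAC binding sender, sequence number and payload."""
    msg = sender.encode() + b"|" + str(seq).encode() + b"|" + payload
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def make_message(sender: str, seq: int, action: str, account: str) -> Dict:
    payload = json.dumps({"action": action, "account": account}).encode()
    return {"sender": sender, "seq": seq, "payload": payload.decode(),
            "mac": _mac(sender, seq, payload)}


def receive(msg: Dict, last_seq: Dict[str, int]) -> Tuple[bool, str]:
    """Validate, authenticate, replay-check and authorize; trust nothing about the channel."""
    sender, seq, payload, mac = (msg.get(k) for k in ("sender", "seq", "payload", "mac"))
    if not isinstance(sender, str) or sender not in ALLOWED_ACTIONS:   # unknown peer
        detections.append(f"unknown sender {sender!r}")
        return False, "unknown sender"
    if not (isinstance(seq, int) and isinstance(payload, str) and len(payload) <= 1024):
        detections.append(f"malformed message from {sender}")
        return False, "malformed"
    if not hmac.compare_digest(_mac(sender, seq, payload.encode()).encode(), str(mac).encode()):
        detections.append(f"bad MAC from {sender} seq={seq}")   # altered in transit or by a peer
        return False, "bad mac"
    if seq <= last_seq.get(sender, -1):          # authentic, but already seen
        detections.append(f"replay from {sender} seq={seq}")
        return False, "replay"
    last_seq[sender] = seq
    try:
        body = json.loads(payload)
    except ValueError:
        body = None
    action = body.get("action") if isinstance(body, dict) else None
    if action not in ALLOWED_ACTIONS[sender]:    # authenticated peer still limited to its needs
        detections.append(f"unauthorized action {action!r} from {sender}")
        return False, "unauthorized"
    return True, "ok"
```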
A common mistake of Information Systems executives is
assuming that a firewall will solve all of their company's
network security problems. However, firewalls should only
be one component of a coherent defensive strategy. By themselves,
they are only an outer wall that provides protection against
attackers from the outside. Not only do the reported majority
of corporate computer security incidents come from the inside*,
but firewalls are insufficient by themselves at protecting companies
from attacks from the outside. A great example of the dangers
of relying on firewalls was provided by the Code Red worm,
which infected employee laptops at home and was then carried inside
corporate firewalls, where it proceeded to infect internal systems.