defense in depth: (DOD, NATO) The siting of mutually supporting defense positions designed to absorb and progressively weaken attack, prevent initial observations of the whole position by the enemy, and to allow the commander to maneuver his reserve.
--- from the DOD Dictionary of Military Terms

Defense in depth design principles

Defense in depth is a fundamental design principle for security and defensive systems. It is a key strategy when planning the overall defensive design of a castle, computer network, city, force positioning, or computer system. In some ways, it is the application of design margin to security. By making security not have a single point of failure, weaknesses in design, implementations, algorithms, or protocols are not fatal by themselves.

There are a number of aspects to defense in depth:

  • Layering for redundancy: Defenses should be composed from multiple independent layers. If any one layer should fail, the other layers remain to protect the critical assets. It is important the redundancy of layers is real and that there aren't some attack tree paths that are substantially weaker than others. The overall security of the system is only as strong as its weakest link, so it's important that layers are composed on all paths.
  • Visibility into failures: It is important to have visibility into the integrity of every layer. It should ideally not be possible for any one layer to be compromised or otherwise fail without this being detected. This gives the defender early detection of attacks, along with the corresponding ability to respond, reposition defenses, or counter-attack. It also allows the defender to estimate the degree of compromise, providing the ability for measured response.
  • Limit externally-visible exposure: By layering defenses, attackers may only have information about the layers that are exposed to them, either initially or through the compromise of outer layers. This severely limits their ability to plan ahead, making their attack both slower and more likely to be noticed. It's worth taking this as an added benefit, however, for there's a serious risk in relying on security through obscurity and underestimating the amount of information available to an attacker. To avoid detection, an attacker must therefore be perfect while simultaneously being ignorant of what is ahead.
  • Containment of failures: By compartmentalizing defenses, compromises can be limited to portions of a system. Incident response can then be a measured response that targets the compromised areas rather than having to treat everything as potentially compromised (although it is worth erring on the side of assuming that things have been compromised unless you know for certain that they haven't been).

The principle of defense in depth makes sense to apply to both a full system and to individual subsystems. In this way, it can be composed fractally where layered defenses are apparent at all scales.

In constructing defensive layers, different types of layers may be used to serve different purposes. With many of these layers, degree of defense does not simply compose arithmetically or geometrically. Some different purposes for layers include:

  • Primary defense: These layers comprise the key to the defense of any subsystem and when taken together defend against all attacks against the subsystem. Every subsystem must have one or more of these layers. In many cases, this layer is simply vigilance in design and implementation.
  • Attack/intrusion detection: These layers are often transparent or invisible to attackers, but provide defenders with information about attackers, the nature of attacks, and their degree of success at compromise.
  • Focused defense: These layers, designed to be used in conjunction with more general-purpose defenses, defend against particular attacks. These can be used to strengthen the weaker parts of primary defenses and to add additional protection against common attacks.
  • Raising the bar: These layers do not necessarily stand alone or provide any real protection but instead make attacks harder and decrease the number of potential attackers who have the skills and resources to mount a successful attack. Security through obscurity may not be effective as a primary defense, but it can help raise the bar.


Examples in physical defensive strategies

Defense in depth has been employed for thousands of years in the design of fortifications. Castles are one of the better demonstrations of the effectiveness of this design principle. Medieval castles had multiple layers of defense, going from the hill or position in which they were built, to far outer walls, to a moat, to the primary outer walls (bailey), to inner walls, to an inner keep/tower, to defenses within the tower. The outermost defenses would slow down attackers and reduce the element of surprise while the defenders could fall back to inner positions as outer layers were compromised.


Examples in networks and computer systems

When applied to computer networks, systems, and individual hosts, defense in depth involves placing redundant protections at many levels. On the perimeter, a corporate network may have a firewall and an IDS (intrusion detection system). Internally, the network may be compartmentalized such that servers and user machines for different organizations are firewalled from each other. Critical assets (such as authentication servers) may even have additional protections in front of them.

In addition to layered perimeter defenses, individual machines and communication channels should have their own protections.

Machines should be protected themselves (for example, only running services that need to be running, have security patches applied promptly, etc.) Machines should avoid transitive trust and principle of least privilege should be obeyed. Machines should have host-based intrusion detection systems (such as virus checkers).

Even if network layer channels between machines are encrypted through something like IPsec, end-to-end security (encryption, authentication, and authorization) should still be performed at or close to the application layer.

Software components running on machines can also be designed for defense in depth. In addition to paranoid design and implementation (for example, in avoiding buffer overruns), components should validate their inputs and not implicitly trust even other components running on the same machine. When possible, components should only have the capabilities that they need and should be running in restricted environments.

A common mistake of Information Systems executives is assuming that a firewall will solve all of their company's network security problems. However, firewalls should only be a component to a coherent defensive strategy. By themselves, they are only an outer wall that provides protection to attackers from the outside. Not only do the reported majority of corporate computer security incidents come from the inside *, but firewalls are insufficient by themselves at protecting companies from attacks from the outside. A great example of the dangers in relying on firewalls was provided by the Code Red Worm which infected employee laptops at home and was then carried inside of corporate firewalls where it proceeded to infect internal systems.