EXECUTIVE SUMMARY 4
INTRODUCTION 5
DATA COMMUNICATIONS – THE OSI MODEL 6
MEDIA LAYERS 7
HOST LAYERS 7
DEFENSE IN-DEPTH 8
FIREWALLS 8
NETWORK INTRUSION DETECTION/PREVENTION SYSTEMS (IDPS) 8
Signature Updates 9
User-defined Custom Signatures 10
HOST-BASED INTRUSION DETECTION SYSTEMS 10
ANTIVIRUS 11
SUMMARY 11
REFERENCES 12
Executive Summary
Modern distributed data communication systems consist of hardware and software that facilitate the creation, manipulation, and transmission of data across multiple computers, networks, and servers. The many components that make up these complex systems introduce numerous vulnerabilities that can be exploited to compromise the integrity or availability of the data they were designed to support. These multiple attack vectors require a multi-tiered defense strategy, known as defense in-depth (Stewart, Tittel & Chapple, 2013).
Data communication networks have multiple ingress and egress points throughout the design where data enters and leaves the network. These boundaries exist between different segments of a corporate network. One such boundary is between the network backbone and the remote sites. Other examples are between the backbone and Internet-facing demilitarized zones (DMZs) where resources such as web servers exist, and between the backbone and the Internet. This logical segmentation is necessary to define limitations for broadcast communication protocols, to isolate types of systems and data, and also to apply security policy specific to those systems and data (Oppenheimer, 2011).
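The boundary policy described above can be made concrete as a default-deny filter evaluated at each zone crossing. The following is an added example written for this summary, not code from the paper or any cited author; the zone address ranges, the permitted ports, and the sample flows are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone definitions (hypothetical addressing, not from the paper).
# Any address that matches no internal zone is treated as the Internet.
ZONES = {
    "backbone": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


@dataclass(frozen=True)
class Packet:
    """Layer-3/4 header fields a boundary filter actually inspects."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


# Allow-list per (source zone, destination zone): set of (proto, dport) permitted.
# Any crossing not listed here is denied, which is the default-deny posture
# expected at every ingress/egress point. Ports are hypothetical choices.
POLICY = {
    ("internet", "dmz"): {("tcp", 80), ("tcp", 443)},      # public web services only
    ("backbone", "dmz"): {("tcp", 22), ("tcp", 443)},      # admin and app access
    ("backbone", "internet"): {("tcp", 80), ("tcp", 443), ("udp", 53)},
    ("dmz", "backbone"): {("tcp", 5432)},                  # DMZ app to internal DB
}


def decide(pkt: Packet) -> str:
    """Return 'allow' or 'deny' for a single packet crossing a zone boundary."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone == dst_zone:
        return "allow"  # same segment: not a boundary crossing, filter not consulted
    allowed = POLICY.get((src_zone, dst_zone), set())
    return "allow" if (pkt.proto, pkt.dport) in allowed else "deny"


# Constructed sample flows covering each boundary in the paragraph above.
SAMPLE_FLOWS = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web: allow
    Packet("203.0.113.5", "10.1.1.20", "tcp", 445),    # Internet -> backbone: deny
    Packet("192.0.2.10", "10.1.1.20", "tcp", 22),      # DMZ -> backbone SSH: deny
    Packet("192.0.2.10", "10.1.1.30", "tcp", 5432),    # DMZ -> backbone DB: allow
    Packet("10.1.1.20", "203.0.113.5", "udp", 53),     # backbone -> Internet DNS: allow
]


def evaluate(flows=SAMPLE_FLOWS) -> list:
    """Evaluate every flow and return (packet, decision) pairs."""
    return [(p, decide(p)) for p in flows]


if __name__ == "__main__":
    for pkt, verdict in evaluate():
        print(f"{zone_of(pkt.src):>8} -> {zone_of(pkt.dst):<8} "
              f"{pkt.proto}/{pkt.dport:<5} {verdict}")
```

The point of the model is the shape of the table rather than the specific ports: each pair of zones gets its own short allow-list, nothing else crosses, and a compromised DMZ host gains only the single database port toward the backbone rather than free reach into the internal network.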
The Open Systems Interconnection (OSI) model of data communication is a model that defines how computers communicate with one another, agnostic of specific hardware, software, and protocols. Purpose-built computers known as ‘firewalls’ are deployed at the ingress and egress points of a network to monitor traffic at the lower layers (one through three) of the OSI model. Network Intrusion
References

Beale, J., Baker, A. R., Esler, J., & Northcutt, S. (2009). Snort IDS and IPS toolkit. Syngress Media Inc.

Cerf, V. G., & Cain, E. (1983). The DoD internet architecture model. Computer Networks (1976), 7(5), 307-318. doi:10.1016/0376-5075(83)90042-9

Greensmith, J., & Aickelin, U. (2005). Firewalls, intrusion detection systems and anti-virus scanners. School of Computer Science and Information Technology, University of Nottingham, Jubilee Campus, Nottingham, UK. Available from Academia.edu. Retrieved August 3, 2013 from http://www.academia.edu/780147/Firewalls_Intrusion_Detection_and_Anti-virus_Scanners

McMillan, T. (2012). Cisco networking essentials. Indianapolis, Ind: John Wiley & Sons.

McQuade, S. C. (2009). Encyclopedia of cybercrime. Westport, Conn: Greenwood Press.

Newman, R. C. (2010). Computer security: Protecting digital resources. Sudbury, Mass: Jones and Bartlett Publishers.

Oppenheimer, P. (2011). Top-down network design (3rd ed.). Indianapolis, Ind: Cisco Press.

Raymond, E. S. (2001). How to become a hacker. Retrieved from http://catb.org/~esr/faqs/hacker-howto.html

Stewart, J. M., Tittel, E., & Chapple, M. (2013). CISSP: Certified information systems security professional study guide (5th ed.). Indianapolis: Sybex.