Summary


This chapter presented defense in depth as a solution to secure a business network. Defense in depth is a concept using layers of defense to mitigate computer and network attacks. Those who fully deployed defense in depth were protected from the major worms and viruses that hit the Internet in recent years.

The basic building blocks of defense in depth are as follows:

  • Authentication: Control who gains access to your network by deploying username and password authentication along with access control.

  • Perimeter security: Expose only the Internet addresses that you choose, and control access to those services (usually public servers such as web and DNS servers). Perimeter security also provides DDoS protection for your security appliance.

  • Network intrusion prevention: The valid traffic that is let into your network is inspected by the security appliance's intrusion prevention and service policy rules to ensure that there isn't known attack traffic within the data. This traffic can be dropped or reported depending on the available bandwidth of your security appliance.

  • Host intrusion prevention: The last stop for attack prevention. This software runs on the host and provides protection for both known and unknown (day-zero) attacks. Host intrusion prevention software looks at the behavior of the operating system, the network stack, and the applications to determine whether an attack is happening. If an attack is detected, the software kills the process responsible for the attack. This technology is critical to a complete defense-in-depth implementation.

This book shows how to implement defense in depth on the ASA/PIX Security Appliance using ASDM. The following technologies and best practices are used to deploy defense in depth.

Local device authentication (usernames and passwords) verifies management access to the security appliance.

Perimeter security is implemented via the ASA/PIX Security Appliance using NAT for publishing Internet-reachable addresses; these are typically your web servers, mail servers, and DNS servers. Access to this exposed address is granted based on inbound access lists. Internet users cannot use your public services unless there is a specific access list allowing them to access these services. The ASA/PIX Security Appliance uses the technology listed in Table 2-2 to mitigate against various DoS attacks that can be expected from the Internet.

Table 2-2. Technologies Used by the ASA/PIX Security Appliance to Mitigate Against DoS Attacks

  Protection Feature   Attack Mitigated
  ------------------   ---------------------------------------------------------------------
  DNSGuard             Protects against DoS attacks aimed at DNS servers
  FloodGuard           Prevents DoS attacks caused by multiple AAA authentication attempts
  FragGuard            Prevents attacks based on fragmented packets
  IPVerify             Prevents attacks using invalid or spoofed addresses
  TCP Intercept        Protects against the most popular DoS attack (SYN flood attacks)


Host intrusion prevention is used as the critical last line of threat defense. It is the only portion of defense in depth that you cannot achieve using the ASA/PIX Security Appliance. CSA stops attacks based on the behavior of operating systems, network stacks, and applications.

Additional best practices that are discussed in this chapter include remote access and security management. The ASA/PIX Security Appliance implements remote access using a combination of IPSec and authentication. In addition to these technologies, CSA is required on the hosts that will connect to the network remotely, thus ensuring that the unregulated computers that might connect via IPSec won't spread viruses or worms to the internal network.

Security management best practices suggest choosing difficult-to-guess usernames and passwords for access to your security appliance and recommend that a remote syslog server be used to capture error messages for troubleshooting and security purposes.
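The following configuration fragment is an added example, not taken from the book or from Cisco documentation, that ties together the perimeter-security and security-management practices summarized above in ASA CLI form (the book itself works through ASDM). It assumes ASA software 8.3 or later (object-based NAT; earlier 7.x/8.2 releases express the same static translation with the `static (inside,outside)` command), an inside web server at 10.1.1.10 published on the public address 203.0.113.10, a management and syslog subnet of 10.1.1.0/24, and a syslog collector at 10.1.1.20. All addresses, object names, and the embryonic-connection limits are constructed values for illustration and must be adapted to the real network.

```cisco
! --- Local device authentication: management access to the appliance itself ---
! The password is a placeholder; choose a long, non-dictionary value as the chapter advises.
username admin password <STRONG-PASSWORD-PLACEHOLDER> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside

! --- Perimeter security: publish exactly one inside host on one public address ---
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10

! Inbound access list: Internet users may reach only the published service ports.
! Everything else from the outside is denied and logged (implicit deny made explicit).
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq www
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! --- DoS mitigation from Table 2-2 ---
! IPVerify: drop packets whose source address is not routable back through the
! interface they arrived on (spoofed-source protection).
ip verify reverse-path interface outside

! TCP Intercept: cap half-open (embryonic) connections to the web service so a
! SYN flood is absorbed by the appliance instead of exhausting the server's backlog.
class-map WEB-CONNS
 match port tcp eq www
policy-map global_policy
 class WEB-CONNS
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  set connection timeout embryonic 0:00:30
service-policy global_policy global

! --- Security management: ship messages to a remote syslog server ---
logging enable
logging timestamp
logging host inside 10.1.1.20
logging trap informational
logging buffered warnings
```

Two points worth checking after applying a fragment like this: `show access-list OUTSIDE_IN` confirms that the deny line's hit counter is what grows when unsolicited traffic arrives (the permit lines should only count legitimate web requests), and `show logging` confirms that the syslog host is reachable before relying on the collector for incident review. The embryonic limits are deliberately conservative placeholders; size them from observed connection rates for the real server.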



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar