Let's once again review the notion of defense in depth. Consider that august bastion of protection, the medieval castle. Did the serfs lull the despot into believing that a simple moat was sufficient to protect the castle from invasion? Surely not. An attacker faced a formidable array of defensive elements as he or she attempted to steal the crown jewels:
The castle loomed high on a hill.
The terrain up this hill was treacherous.
A moat surrounded the castle.
Hungry, flesh-eating beasts infested the moat.
Thick exterior walls fortified the castle's structure.
Watch guards armed with flaming arrows kept post at the castle's corners, accompanied by boiling oil and bovine carriers of several diseases.
Opening the entrance to the castle from the outside was monumentally difficult.
The castle's passages were dark and twisty.
Unfriendly guards plied the passages, and they generally weren't prone to asking questions because it slowed the effectiveness of their very sharp swords.
Strong wooden doors separated passages and rooms.
A phalanx of even more guards kept station outside the crown room.
A heavy iron chain and lock bound the wooden jewel chest.
The chest was booby-trapped.
Thirteen layers of defense separated an attacker from a typical despot's crown jewel collection. Maybe we can learn something from this as we try to separate attackers from our networks' crown jewels?
A network's primary function is delivering bits as quickly and as reliably as possible. For too long, the network has struggled with a second, somewhat mutually exclusive, duty: protecting those same bits from accidental or intentional misuse. Network members (hosts, applications, users) relied on the network for all protection. Considering that our information security taxonomy now has six elements, all of which are required for complete protection, no longer can you rest your entire protection at the network edge. That's why we spend considerable time throughout this book explaining effective security techniques at all layers. And by locating security responsibilities throughout the landscape, the network can return to its first, best calling.
That isn't to say that the network shouldn't retain any kind of defense. Far from it. In discharging its duties of delivering bits as quickly and as reliably as possible, the network must take charge of its own defense, protecting itself from attack and compromise. Therefore, in light of the information security taxonomy with corollaries (confidentiality and possession, integrity and authenticity, availability and utility), where does network security fit? Such technology is mostly preventive, allowing access only to permitted networks, hosts, protocols, and ports. Given that definition, then, network security is mostly about availability of the hosts, the applications, and the data within.
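The two ideas above, a preventive network filter that admits only permitted networks, hosts, protocols, and ports, and a second layer on the host that does not trust the edge to have done its job, can be shown with a small policy evaluator. The following is an added example written for this chapter, not code from the book or from any product it describes; the rule sets, the addresses (documentation ranges such as 203.0.113.0/24 and 198.51.100.0/24), and the sample flows are constructed for illustration, and the `Flow`, `Rule`, `evaluate` and `admit` names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by a stateless packet filter (constructed input)."""
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    """A single filter rule; rules are evaluated in order and the first match wins."""
    action: str            # "allow" or "deny"
    src: str               # permitted source network in CIDR form
    dst: str               # permitted destination network in CIDR form
    proto: str             # "tcp", "udp", or "any"
    dports: Tuple[int, ...] = ()   # empty tuple means any destination port

    def matches(self, flow: Flow) -> bool:
        src_ok = ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src, strict=False)
        dst_ok = ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst, strict=False)
        proto_ok = self.proto == "any" or self.proto == flow.proto
        port_ok = not self.dports or flow.dport in self.dports
        return src_ok and dst_ok and proto_ok and port_ok

def evaluate(rules, flow: Flow, default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """First-match evaluation with an implicit default-deny at the end of the list."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule
    return default, None

# Layer 1: the network edge. It knows only about networks, protocols and ports.
# Constructed rule set: a blocked external range, public HTTPS to the DMZ, and
# unrestricted traffic between internal subnets. Everything else is dropped.
EDGE_RULES = [
    Rule("deny",  "192.0.2.0/24",   "0.0.0.0/0",      "any"),
    Rule("allow", "0.0.0.0/0",      "203.0.113.0/24", "tcp", (443,)),
    Rule("allow", "10.0.0.0/8",     "10.0.0.0/8",     "any"),
]

# Layer 2: host-based filters on the servers themselves. The edge already passes
# all internal traffic, but the database host still admits only the app subnet.
HOST_RULES = [
    Rule("allow", "0.0.0.0/0",      "203.0.113.10/32", "tcp", (443,)),   # web server
    Rule("allow", "10.0.2.0/24",    "10.0.1.20/32",    "tcp", (5432,)),  # database server
]

LAYERS = (("edge", EDGE_RULES), ("host", HOST_RULES))

def admit(flow: Flow) -> Tuple[bool, Optional[str]]:
    """Defense in depth: a flow is admitted only if every layer allows it.
    Returns (admitted, name of the layer that rejected it or None)."""
    for layer_name, rules in LAYERS:
        action, _ = evaluate(rules, flow)
        if action != "allow":
            return False, layer_name
    return True, None

if __name__ == "__main__":
    samples = [
        Flow("198.51.100.7", "203.0.113.10", "tcp", 443),   # public HTTPS: passes both layers
        Flow("198.51.100.7", "203.0.113.10", "tcp", 22),    # SSH from the Internet: stopped at the edge
        Flow("192.0.2.4",    "203.0.113.10", "tcp", 443),   # blocked range: explicit deny precedes the allow
        Flow("10.0.0.5",     "10.0.1.20",    "tcp", 5432),  # internal but not the app subnet: stopped at the host
        Flow("10.0.2.8",     "10.0.1.20",    "tcp", 5432),  # app subnet to database: passes both layers
    ]
    for f in samples:
        print(f, "->", admit(f))
```

The point of the `admit` function is that the host filter is consulted even when the edge has said yes: the edge's "internal to internal, anything goes" rule is the moat, and the database host's own rule is the locked chest. Ordering also matters, as the blocked-range flow shows; a first-match evaluator that placed the broad allow ahead of the explicit deny would admit it.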