There is an interesting tension between network security and network diversity. Homogeneous networks are easier to manage and configure, which helps your organization's security in some ways: fewer platforms to patch, fewer configurations to audit, fewer exceptions to document. In other ways they hurt, because a homogeneous deployment offers a single point of compromise for a given piece of your IT infrastructure: one working exploit against the common component reaches every system that runs it. The best example is in the area of desktop systems.
Today, the vast majority of organizations have standardized on Microsoft application and operating system software for the desktop. Microsoft Internet Explorer is the most popular web browser, and the various flavors of Microsoft Outlook are the most popular e-mail clients. Both are built on open Internet standards (SMTP, IMAP, POP3, HTTP, SSL, and so on). Setting aside the growing number of websites written to require a specific browser, any standards-compliant web browser or e-mail client could be used in place of the Microsoft products. Most organizations stay with Microsoft, however, which leaves the entire organization exposed to a single well-written exploit for either of these applications.
This idea extends to the Internet as a whole. If I am a virus writer, am I going to target the less than 5 percent of the Internet's hosts that are Macintosh computers, or the more than 90 percent running some variation of Microsoft Windows? The answer is obvious.
When the next worm comes out targeting Outlook, users of Eudora will be unaffected. This does not make organizations using Eudora more secure in any general sense, because they can still be targeted by other attacks, but it does make automated attacks much less likely to succeed against systems that are not running the most popular implementation of a given piece of software.
Similarly, even though DNS is an Internet standard and there are many different DNS implementations, the vast majority of DNS servers (including many of the root servers) run Berkeley Internet Name Domain (BIND). If an attacker were able to find a widespread problem in BIND, the DNS infrastructure could be seriously damaged. VeriSign (a root name server operator) identified this as an issue and deployed a proprietary DNS server called ATLAS on its infrastructure. Although I don't like the idea of using code that hasn't seen broad security review in such a critical role, increasing the heterogeneity of the Internet's DNS is a good thing. For more information, see the news article at the following URL: http://www.nwfusion.com/news/2002/133242_06-10-2002.html.
I'm not suggesting that organizations run out and migrate to OS/2 to increase their security, nor that you deliberately add heterogeneous elements to your network. However, you should be aware of where homogeneity is helping you and where it might be hurting you, so that the trade-off is a conscious one rather than an accident of procurement.