Defense in Depth


It is typical when discussing network security to talk about defense in depth. This concept comes from military science. It refers to the many layers of defenses that an attacker must penetrate to gain an objective. In computer system security, defense in depth refers to the layers of security and detection systems that inhibit a hacker from gaining access to corporate systems and data.

In a well-designed system, intruders first need to penetrate network perimeter defense to gain access to the interior network. Then they must gain access to hosts on the network. Finally, they have to penetrate the storage subsystem defenses to gain access to or damage data.

Perimeter Defense

Perimeter defenses are designed to inhibit attacks from outside the network, primarily from the Internet. The goal is to keep an attacker from gaining access to the interior corporate network. Besides protecting the network from intruders, perimeter defense includes the ability to detect attacks, whether they are successful or not. This gives system security personnel the ability to track the attacker and protect interior systems from future harm.

Firewalls

The primary method of protecting the corporate or home network from intruders is the firewall. Firewalls are designed to examine traffic as it comes in and deny entry to those who do not have access rights to the system.

There are different types of firewall designs. Most combine several methodologies to protect the inner network from harm. The most common functions of firewalls are proxy services, packet filtering, and network address translation (NAT).

Packet filtering admits or denies traffic attempting to access the network based on predefined rules. A common version of packet filtering is port blocking, in which all external connections to a particular TCP/IP port are blocked. Host-based firewalls, common in home and small-business situations, use this method to protect individual desktop computers.
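The ordered rule list, first-match semantics and implicit default deny that packet filtering relies on, shown as a small stateless filter (an added example written for this page, not code from the book; the interior network, policy and sample packets are constructed):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src_net: str = "0.0.0.0/0"    # source network to match (default: any)
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed policy (hypothetical): interior hosts may reach anything, the
# outside world may reach only the web ports, and a final rule denies the rest.
INTERIOR = "10.0.0.0/8"
POLICY: List[Rule] = [
    Rule("allow", src_net=INTERIOR),
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", proto="tcp", dport=443),
    Rule("deny"),   # explicit default deny: unmatched traffic never passes
]


def filter_packet(pkt: Packet, rules: List[Rule] = POLICY) -> str:
    """Return the action of the first matching rule (first match wins)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # fail closed even if someone removes the final rule


if __name__ == "__main__":
    # External host to the web port passes; the same host to telnet is blocked.
    print(filter_packet(Packet("198.51.100.7", "10.0.0.5", "tcp", 443)))  # allow
    print(filter_packet(Packet("198.51.100.7", "10.0.0.5", "tcp", 23)))   # deny
```

Because the first rule trusts any packet that claims an interior source address, a real firewall also checks which interface a packet arrived on before applying such a rule.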

Proxies place a device or server between all incoming and outgoing traffic. Rather than simply route traffic to and from the outside world, the proxy server appears to be the source or destination of the traffic itself. It is often used as a method of controlling user access to the Internet as well.

Network address translation services translate internal addresses into a range of external addresses. This allows the internal addressing scheme to be obscured to the outside world. It also makes it difficult for outside traffic to connect directly to an internal machine.

Firewalls can operate at the TCP or the application protocol level. Simple firewalls usually examine TCP headers only when making decisions about the traffic. Others might look at HTTP conversations to see whether the connections should be made. Some firewalls also incorporate antivirus and antispam filtering.

All firewalls provide a choke point through which an intruder must pass. Any or all traffic can then be examined, changed, or blocked depending on security policy.

Intrusion Detection Systems and Intrusion Response Systems

Another form of perimeter defense is the Intrusion Detection System (IDS). An IDS does not regulate access to the network. Instead, it examines violations of security policy to determine whether an attack is in progress or has occurred. It then reports on the alleged attack. Some security software even claims to be an Intrusion Response System (IRS). Intrusion Response Systems are devices or software that are capable of actively responding to a breach in security. They not only detect an intrusion but also act on it in a predetermined manner.

How Effective Is an IDS or IRS?

IDS and IRS are important and sophisticated technologies. The efficacy of these systems is still being debated, given their current state of development.

Problems with effectiveness exist because they generate too many false positive events. A false positive event is a detected event that is not truly an attack but only appears to be. These events needlessly alarm IT professionals, causing them to shut down systems and restrict access unnecessarily. Afterward, false positives initiate costly reviews and audits.

If an organization experiences enough of these events, the tendency is to ignore IDS alarms or set thresholds low. This opens the organization to undetected attacks that may persist over time, which is just the situation that the IDS is supposed to deal with. Attaining the right balance between protection and false positives is tricky and requires experience.
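How the threshold trade-off plays out in practice, as an added example that is not from the book: a simple failed-login detector run over constructed log lines (the log format, addresses and users are invented), where a tight threshold flags a user who mistypes a password while missing a slow, spread-out series of attempts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$")

# Constructed sample log (not real data): alice mistypes her password three
# times in 35 seconds; a second source spreads six attempts one minute apart.
SAMPLE_LOG = """\
2005-03-01T09:00:05 sshd: Failed password for alice from 10.0.0.9
2005-03-01T09:00:21 sshd: Failed password for alice from 10.0.0.9
2005-03-01T09:00:40 sshd: Failed password for alice from 10.0.0.9
2005-03-01T09:01:00 sshd: Failed password for root from 198.51.100.7
2005-03-01T09:02:00 sshd: Failed password for admin from 198.51.100.7
2005-03-01T09:03:00 sshd: Failed password for oracle from 198.51.100.7
2005-03-01T09:04:00 sshd: Failed password for backup from 198.51.100.7
2005-03-01T09:05:00 sshd: Failed password for test from 198.51.100.7
2005-03-01T09:06:00 sshd: Failed password for guest from 198.51.100.7
"""


def failures_by_source(log: str) -> dict:
    """Group the timestamps of failed logins by source address."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m:  # lines that are not login failures are ignored
            by_src[m["src"]].append(datetime.fromisoformat(m["ts"]))
    return by_src


def alerting_sources(log: str, threshold: int, window_s: int) -> set:
    """Sources with at least `threshold` failures inside some `window_s`-second window."""
    window = timedelta(seconds=window_s)
    alerts = set()
    for src, times in failures_by_source(log).items():
        times.sort()
        for start in times:
            if sum(1 for t in times if start <= t <= start + window) >= threshold:
                alerts.add(src)
                break
    return alerts


def evaluate(log: str, threshold: int, window_s: int, known_bad: set) -> tuple:
    """Compare alerts against labelled bad sources: (false positives, missed)."""
    alerts = alerting_sources(log, threshold, window_s)
    return alerts - known_bad, known_bad - alerts
```

With a threshold of 3 in a 60-second window the detector alarms only on alice and misses the slow source; widening the window to 10 minutes catches the slow source but keeps the false positive; raising the threshold to 5 in that wider window gets both right on this sample, which is the kind of tuning the text calls tricky.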


Host and Application Defense

Host security is usually accomplished by ensuring that a person or process that requests resources has rights to those resources. Verifying the identity of a host, group, person, or process to some degree of confidence is called authentication. Authentication allows for access control to be implemented to a particular level. Access control then limits access to resources according to rights granted by the system administrator, application, or policy.

The way access control is managed and which resources can be controlled depends on the operating system, file system, or application. One common problem with access control is that different mechanisms are used by applications, file systems, and the operating system. This makes system administration difficult and error prone.

Software exists to help manage access policies on a variety of operating systems and with a large number of applications, but none is all-inclusive. System administrators usually find themselves writing scripts to grant access control to various systems. This is especially true in smaller organizations, which cannot afford to purchase system management software.

Authentication and Access Control

Authentication is the ability to verify identity with some degree of confidence. It is based on something you are, have, or know. The reason that an airline passenger needs to present photo identification at the airport is to ensure that he is actually the person who has the reservation. This is not foolproof, of course. The ID may be forged. Even if it is not, it only identifies a person as being that person. It cannot determine whether that person means to do harm.

Computer authentication provides a method of ensuring that the person requesting access to a resource is entitled to it within some degree of confidence. Depending on the security needs of an organization, authentication may take many forms. Some of these are

  • Username and password

  • Smart cards and dongles

  • Biometrics

The most common is the use of a username-and-password combination. It is easy to manage and understand. Although it is better than nothing, it is only as secure as the password. Passwords can be found out (often through user carelessness), guessed, or discovered through the use of programs containing dictionaries of common passwords. Most security professionals suggest that passwords be changed on a regular basis to reduce the risk that an attacker will guess or purloin the password. Unfortunately, this burdens users. Users can become clever about working around password rotation schemes, defeating their purpose.

Smart cards, dongles, and similar devices require that a physical entity be present to access a computer and attached resources. Although fairly strong, smart cards can be lost or stolen. In this case, resources are temporarily unavailable to the user. They also do not work for "users" that are really processes running on a server.

Biometrics is the use of biological markers to determine identity. It is very strong security because it is difficult (though not impossible) to fake biology. A range of technologies have been used over the years, depending on the type of access required. Biometrics has been deployed extensively in ensuring physical security, especially handprint readers and retina scanners. For individual computers, thumbprint readers have been popular. There are also several systems that rely on psychological traits, such as typing or handwriting patterns.

Two-Factor and Multifactor Authentication

Use of any authentication system enhances security of computer systems. Still, there are numerous ways to defeat any one of them. A password may be captured by an attacker or a smart card stolen and used. There are even ways to defeat certain biometric systems. Relying on any one method may not be secure enough for many organizations.

Two-factor or multifactor authentication combines more than one form of authentication to create a more secure environment. A password by itself may not be secure, but combined with a smart card, it is much more so.

It is always best to combine different types of authentication methods. The password-and-smart-card example combines something the user has (the card) with something she knows (the password). Of course, if the user tapes the password to the bottom of the smart card or card reader, the system is useless.
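What the server side of the password-plus-card check looks like, as an added example that is not from the book: the card is modelled as an object holding a key that only ever answers a fresh server challenge, and a login is accepted only when the salted password hash and the card's response both verify. The enrollment record, `SmartCard` class and work factor are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor for the stored password hash (illustrative)


def enroll(password: str, card_key: bytes) -> dict:
    """Constructed enrollment record: salted password hash plus the card's shared key."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        "card_key": card_key,
    }


class SmartCard:
    """Stands in for the 'something you have': the key never leaves the card,
    which only ever returns an HMAC over a server-supplied challenge."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def issue_challenge() -> bytes:
    """Fresh random challenge per login, so a recorded response is useless later."""
    return secrets.token_bytes(16)


def verify_login(record: dict, password: str, challenge: bytes, response: bytes) -> bool:
    """Accept only when the password (something known) and the card's answer
    (something possessed) both verify; constant-time compares avoid leaking timing."""
    pw_ok = hmac.compare_digest(
        record["pw_hash"],
        hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS))
    expected = hmac.new(record["card_key"], challenge, hashlib.sha256).digest()
    card_ok = hmac.compare_digest(expected, response)
    return pw_ok and card_ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    record, card = enroll("correct horse", key), SmartCard(key)
    ch = issue_challenge()
    print(verify_login(record, "correct horse", ch, card.respond(ch)))  # True
    print(verify_login(record, "correct horse", ch, b"\x00" * 32))      # False: no card
    print(verify_login(record, "wrong", ch, card.respond(ch)))          # False: no password
```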

User versus Host Authentication

There are many levels at which authentication can occur. There are two types of authentication commonly used: user level and host level. User-level authentication verifies the identity of a person or process. Host-level authentication verifies a particular host computer.

The key issue with host authentication is that it forces access control to be implemented at a very high level. If an attacker is able to gain any level of access to a host, he is likely to be able to access all available resources. User authentication is stronger and allows access to be confined to individual people and processes.


Data Protection and Information Lifecycle Management
ISBN: 0131927574
Year: 2005
Pages: 122