Friday Sep 22
May
04/08
Layered Security: Solving the Cube
Updated on Monday, 21 July 2008 11:50
Share

We always talk about ‘layered security’ and ‘defense in depth’ as strategies for securing the network. And, usually, we’re talking about these as good strategies. However, with more and more security ‘stuff’ on the market, the layered security solutions are starting to lose some of their value.

Why? Well, the problem with layered security is that we tend to assume if Layer X isn’t providing a particular protection, Layer Y must be… and we all know what assuming does.

In the good ol’ days, we relied on firewalls- perhaps nested firewalls, or ones positioned strategically on the LAN as well as the WAN. Because of our network architecture at the time, that was the primary (and probably only required) protection. After years of de-perimeterization and the increase of threats from both remote-access and insiders, we have a much different landscape.

The addition of resources and availability in the network has lead to the addition of vulnerabilities and threats.

Now… our schools need to protect children from material online. Now… we need to stop Trojans from sneaking in with VoIP apps. We need to access our corporate network securely from Starbucks. Our corporations need to protect their network from users accessing or publishing illegal content on the Internet. We need to protect our email, make sure its virus-free and not allowing employees to send sensitive information to the outside world.

All these increased risks and threats lend to the need for more protection in the environment. There’s just no single silver bullet or cure-all for the problems we’re facing.

What does this mean? It means we’re adding security products to the network to address these issues. We need content filtering. We need layer-7 visibility on the WAN for inbound/outbound application control. We need data leakage prevention. We need email security. We SSL-VPNs for secure remote access… the list goes on.

So, what’s the problem? We’re living in a world of security buzzwords and ‘hot topic’ solutions. But the problem is 2-fold.

Problem 1- We forget to KISS IT. In the frenzy to understand and implement these hot new products, we’re losing sight of some basic security functions and overlooking some really important security fundamentals. Remember to KISS IT and keep your basic security solutions simple- then layer on top of that. Your hot new NAC or DLP solution won’t seem so impressive if your basic firewall rules haven’t been properly configured.

Problem 2- We forget thy layers. After you KISS IT, you need to start layering responsibly. That means having a CLEAR understanding of what each solution does- or does not– do. You wouldn’t believe how many customers call and want to hear about Widget A for a certain solution that Widget A is not designed to fix. I deal with it daily and I blame (for the most part) vendors for mis-advertising their product as a fix-all. Whether its hardware or software- know what each piece of your security solution is designed to do, what it’s actually doing, and keep that information documented. Documented– I’m going to say it again. Your firewall/UTM may offer content filtering and gateway AV, but are you using it? Are you using a WAN optimization product to stop prohibited applications, or is your web filter doing that? Do you even know?

rubiks2.jpgSolving the Cube. Layered security is like solving a Rubik’s Cube. You may think you’re on the right track after you get one side solved… but the other 5 are just a huge mess. There are patterns and algorithms you must follow to solve all sides together. Your layered security solution is no different. Understand what each piece is doing, how it fits in, and when to twist one layer here to implement a solution as part of a different layer over there.

# # #


3 Comments
  1. CommentsAndy Willingham   |  Sunday, 04 May 2008 at 6:24 am

    JJ, You make some good points. One thing that I would add is that many times a company looks at a solution that is not complimentary to what they currently have in place and they end up either off-setting each other and you end up w/ no security or the add so much complexity to the mix that they cause too many problems with usage and you end up turning them off or putting them in monitor mode and unless you have someone responding to alerts 24/7 you are out of luck.

  2. CommentsSam Van Ryder   |  Sunday, 04 May 2008 at 7:12 pm

    JJ, I’ve always had the perception that "defense in depth" and "layered security" meant a strategy to reduce risk and vulnerabilities – not assume one technology will pick up the slack when another doesn’t deliver. I think most of the conversations I’ve had with customers is the same. Then again, if a customer doesn’t have a strategy (read: policy) to begin with, I can see where that perception might come from. Both of those terms shouldn’t be technology specific – they’re policy guidelines.

  3. CommentsJJ   |  Sunday, 04 May 2008 at 7:30 pm

    Sam,
    I agree with that concept for ‘defense in depth’ which is generally a more wide reccomendation for a security strategy.

    What I’m hitting on here is customer perception of a layered security solution for networks, including things such as gateway firewalls/UTM, endpoint security, anti-virus, anti-spyware, host firewalls, etc.

    Because vendors are touting everything as ‘security’ soltuions and keeping the taglines vague to reach a broader audience, customers dont really know what they’re getting and half the time the solution isn’t configured as expected, or perhaps not even implemented at all.

    jj


Leave a Reply