Monthly column

Layer It Up

By Klaus Majewski

It's hard to imagine all of the possible threats to a network. It seems as though there are endless internal and external vulnerabilities that must be accounted for. It's become clear that the best possible solution to address these concerns is a layered defense approach. In fact, we only have to look as far as Hollywood for a good example.

The Tinsel Town Approach

Take the "Indiana Jones" movies, for instance. Throughout the trilogy, Jones has to clear several booby traps before he can reach the coveted golden monkey statue or the Holy Grail. All the traps are different, trying to stop Jones in various malicious ways. The defenders could use the same trap over and over to increase the depth of defense, but once Jones finds his way around that particular trap, it would be easy for him to defeat it again.

So, the defenders were smart and added more variety (layers) to their protection mechanisms. In other words, they combined width and depth of defense in order to protect their treasure.

It seems to be an effective combination, judging from the number of skeletons Jones passes on his way to the treasure. Of course, nothing can stop Jones -- traps just slow him down a little.

The same principles hold true for layered defense in modern network security. It is not enough to have only a strong perimeter defense, like a hard shell around the company. That leaves the inside of the company unprotected and soft. If the intruder penetrates the perimeter defense mechanism, there is nothing else protecting company assets. Once penetrated, the intruder could roam freely inside the company and look for the treasure.

It can be useful to have an alert of the intrusion or some way to slow down and catch the intruder. If an organization cannot catch the intruder, it should at least gather enough evidence of what he or she did and how he or she did it. This way, a company can modify and improve its defense to prevent future intrusions.

Layered defense can help reach these goals.

Adding layers to defense is easy if the same product can be used over and over again. For example, additional firewalls can be added inside the perimeter to protect sensitive networks like research and development or accounting. The combination of depth and width of defense is needed for good protection. So, several protection methods must be added onto each layer.

Examples:

  • Perimeter layer - firewalls, content checks for attachments.
  • Network layer - intrusion detection systems, Web proxies.
  • Host layer - anti-virus programs, personal firewalls.

The Challenge of Managing Multiple Layers

Managing all of these different layers of defense and products in each layer can be problematic.

First, all products are typically point products that each have their own management interface. This means that administrators have to learn several different products and user interfaces. It is almost impossible to enforce consistent and coherent security policies across all products. The risk for human error increases when administrators have to switch between user interfaces and different configuration methods.

Second, these products are not designed to work together. In the event that there is a problem, the administrator must collect incompatible information from several different resources and try to manually form a big picture of the incident, which takes considerable time and resources.

Third, many companies already face resource challenges in terms of coping with security administration. Now, managing multiple products from multiple vendors in each layer without adding any operational costs means that the already busy security administrators will have even heavier workloads. Unfortunately, they may not be able to cope with the excessive workload, so eventually some tasks may be dropped or missed. This endangers the entire security environment.

The defensive layers in the "Indiana Jones" movies are static and uncoordinated. Imagine how much more challenging it would be for Jones to steal the treasure if each defensive layer triggered an alarm and the rest of the traps were coordinated by someone. For example, the defenders could put more snakes in the area when they recognize Jones, knowing his terrible fear of snakes.

Unified Management to the Rescue

The complexity of managing layered defense can be alleviated. Every security device in each layer of defense should be managed with an integrated and unified management system.

The first aspect of a unified management system is that the configuration of each device should be based on the same basic concept. This ensures that the data used in configuring security devices is consistent and coherent, which in turn reduces the likelihood of misconfiguration and human error. With unified management, an administrator can define objects once and use them in several different places rather than redefining them every time.

The second aspect is that security events (logs or alerts) generated by security devices should have a common structure so that the information can be centrally collected and processed. Reports that are based on the consolidated information give more refined information to administrators, speeding up their problem-solving and leaving more time for other tasks.

The third aspect of a unified management system is that it optimizes resources. Several studies show that the three-year total cost of ownership of a security solution consists mostly of administration costs. Most of an administrator's time is spent making changes to the existing environment and investigating possible security incidents. A unified management system allows administrators to centrally deploy security patches to all security devices in different defense layers. Change management becomes easier and more accurate because configuration changes need to be done only once. They can then be applied to several different enforcement places.

Layered Defense, Deeper Security

Unified management reduces the number of false alarms because the alarm information can be correlated against information received from other enforcement points.

For example, firewall logs show some suspicious activity against Host A. The administrator can use unified management to check intrusion detection system logs and Host A system log entries from the same time period to see if the alert was real. The fact that all this information is in one place saves time and money. The administrator can then concentrate on incidents that are real and truly need attention.
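The Host A scenario above, together with the earlier point that events from every layer should share a common structure, can be shown in a few lines of code. The following is an added example, not code from the column or from Stonesoft: three constructed log formats (firewall, IDS, host syslog) are normalized into one event schema, and each perimeter alert is then checked against the other layers for the same host within a time window. The log line formats, the host inventory and the five-minute window are all assumptions made for the example.

```python
"""Normalize events from three defense layers into one schema, then corroborate
each firewall alert against IDS and host logs from the same time period.
Added example: the log formats and field names are assumptions, not any
vendor's actual format."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines, one format per enforcement point.
FIREWALL_LOGS = [
    "2003-05-12 10:14:02 DROP src=203.0.113.7 dst=10.0.0.5 dport=445 msg=port-scan",
    "2003-05-12 10:15:10 DROP src=203.0.113.7 dst=10.0.0.5 dport=139 msg=port-scan",
    "2003-05-12 11:40:00 DROP src=198.51.100.9 dst=10.0.0.8 dport=22 msg=policy-deny",
]
IDS_LOGS = [
    "May 12 10:14:30 ids1 ids: [priority:2] SCAN probe 203.0.113.7 -> 10.0.0.5",
]
HOST_LOGS = [
    "May 12 10:16:01 hosta sshd[412]: Failed password for root from 203.0.113.7",
    "May 12 12:30:00 hostb sshd[901]: Accepted password for alice from 10.0.0.2",
]
# Assumed asset inventory, defined once and reused by every parser.
HOSTS = {"hosta": "10.0.0.5", "hostb": "10.0.0.8"}
YEAR = 2003  # syslog lines carry no year; assumed for the constructed sample

FW_RE = re.compile(r"(\S+ \S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+) msg=(.+)")
SYSLOG_RE = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.+)")


def parse_firewall(line):
    """Perimeter layer: firewall log line -> common event schema."""
    m = FW_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "layer": "perimeter", "src": m.group(3),
            "host": m.group(4), "msg": m.group(6)}


def parse_syslog(line, layer):
    """Network (IDS) or host layer: syslog-style line -> common event schema."""
    m = SYSLOG_RE.match(line)
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    origin, rest = m.group(2), m.group(3)
    if layer == "network":
        # IDS reports src -> dst; the protected host is the destination.
        src, host = re.search(r"(\S+) -> (\S+)$", rest).groups()
    else:
        # Host log: resolve the logging host name through the shared inventory.
        host = HOSTS[origin]
        found = re.search(r"from (\S+)", rest)
        src = found.group(1) if found else None
    return {"ts": ts, "layer": layer, "src": src, "host": host, "msg": rest}


def load_events():
    """Collect all layers into one list of uniformly structured events."""
    events = [parse_firewall(l) for l in FIREWALL_LOGS]
    events += [parse_syslog(l, "network") for l in IDS_LOGS]
    events += [parse_syslog(l, "host") for l in HOST_LOGS]
    return events


def triage(events, window=timedelta(minutes=5)):
    """For each host with perimeter alerts, gather events from the other layers
    about that host within +/- window of any alert. A host with no supporting
    evidence is flagged as a likely false alarm."""
    result = {}
    for alert in events:
        if alert["layer"] != "perimeter":
            continue
        entry = result.setdefault(alert["host"],
                                  {"alerts": 0, "support": [], "layers": set()})
        entry["alerts"] += 1
        for e in events:
            if e["layer"] == "perimeter" or e["host"] != alert["host"]:
                continue
            if abs(e["ts"] - alert["ts"]) <= window and e not in entry["support"]:
                entry["support"].append(e)
                entry["layers"].add(e["layer"])
    for entry in result.values():
        entry["verdict"] = "investigate" if entry["layers"] else "likely false alarm"
    return result


if __name__ == "__main__":
    for host, entry in triage(load_events()).items():
        print(f"{host}: {entry['alerts']} alert(s), corroborated by "
              f"{sorted(entry['layers']) or 'nothing'} -> {entry['verdict']}")
```

With the sample data, the scan against 10.0.0.5 is corroborated by both the IDS and the host's own sshd log and is flagged for investigation, while the single deny for 10.0.0.8 has nothing nearby in time from the other layers and is marked as a likely false alarm. The point is structural: once every layer emits the same fields (timestamp, layer, source, host, message), the correlation step is a few lines, whereas with three incompatible formats the administrator does this by hand.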

Layered defense is a battle-proven way to increase the security of a company. Earlier, it was a privilege that only large companies could afford. Now, with unified management and optimization of resources, even small and medium-sized businesses can afford it.

Had there been unified management for the traps in the movie, even Indiana Jones could have been stopped.

About our author

Klaus Majewski is IPS product manager at Stonesoft Corp. During the past three years, he has worked with Common Criteria, FIPS and ICSA certifications for Stonesoft products, and has done penetration testing and security audits based on ISO Standard 17799. Majewski has CISSP and CISA certificates, as well as a master's degree in computer science from Helsinki University of Technology.