Consider this scenario. An attacker has penetrated your firewall. What is to stop him/her from compromising your entire network? This is the rationale for defense in depth. The point is to secure each device in the network, precluding an attacker from hopping from one device to another with utter abandon.
Let’s start with your network’s border device. It could be a firewall or a router. You can use access lists to block the following traffic inbound:
One or more DMZs can be used to create a “border within a border” for the network. Separate all the devices that exchange data directly with the outside world, such as web servers, mail servers, etc., and install a firewall between them and your main network. This isolation helps protect the bulk of the network from attacks, viruses, Trojans... the list goes on.
From the border device, traffic shoots between all sorts of devices within your network. Each type of device has different security capabilities and vulnerabilities. Above all, know your devices. A good example is the behavior of some switches.
By default, they negotiate a trunk port. Without further configuration, a trunk port passes data from any VLAN. (Remedy this by explicitly configuring every interface as either a trunk or a non-trunk port, so that nothing is left to negotiation.)
An advantage of firewalls is that most traffic is blocked by default. This is great for security, though a little inconvenient for those of us who like to “ping” to check connectivity. Routers, switches, and servers, on the other hand, tend to require a large amount of configuration for security hardening. Take advantage of any automated security subroutines or scripts provided by the manufacturer. These disable unneeded services, restrict private and public addresses, and shut down unneeded interfaces. Canned routines can save a great deal of time, and at least provide a minimum level of security for you to build on.
There is a special consideration for authentication servers, firewalls, and IPS/IDS devices. Most can be configured as either fail-open or fail-closed. Fail-open means that if the device fails, all traffic is permitted: credentials are no longer checked and traffic is not blocked. With fail-closed, connectivity is broken. If your organization’s policy deems security more important, use fail-closed. However, if service availability is more important, use fail-open.
Routers come with many types of security capabilities, including firewall software and IPS/IDS modules, among others. The heart of all router security, however, is the powerful access list (ACL). ACLs let you tailor your security to your specific data and traffic needs, interface by interface, at Layers 3 and 4.
There are other settings that apply to a specific interface, not the entire device. Consider blocking the following:
Whenever possible, use VLANs. They are the easy way to keep management and data traffic on different networks. That is true for servers as well; in fact, most servers require separate networks. Some switches offer private VLANs, limiting traffic between devices even more.
This protects against eavesdropping and other attacks. For high-security environments, you can even configure a port to accept only a specific MAC address connection. But think hard before employing static MAC assignment. It makes office moves, hardware upgrades, and BYOD a continual series of nightmares for the network administrator.
Spanning Tree Protocol (STP), in its various flavors, is critical to proper switch operation, and users attaching home routers and switches to the network can wreak havoc with it. Make sure that your switch ports are configured with STP extensions such as root guard and BPDU guard. Check out the capabilities of your network’s switches.
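The trunk-negotiation and STP-guard points above can be checked mechanically. The following script is an added example, not part of the original article or any vendor tool: it parses an IOS-style switch configuration (constructed here; the interface names and the `switchport`/`spanning-tree` commands are assumed to follow Cisco IOS syntax) and reports ports left to negotiate a trunk, trunks that carry every VLAN, and access ports without BPDU guard.

```python
"""Audit an IOS-style switch config for the hardening points above: ports
left to negotiate trunks and access ports without BPDU guard."""

# Constructed sample config: one hardened access port, one untouched port,
# and one hardened trunk that faces a downstream switch (hence root guard).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 spanning-tree guard root
!
"""

def parse_interfaces(config):
    """Return {name: [stripped lines]} for each 'interface' stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return interfaces

def audit_interface(lines):
    """Findings for one stanza; an empty list means it passes."""
    findings = []
    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
    if mode is None:
        # No explicit mode: the port is left dynamic and may negotiate a trunk.
        findings.append("no explicit switchport mode (DTP may form a trunk)")
    elif mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk still speaks DTP; add 'switchport nonegotiate'")
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append("trunk carries every VLAN; prune the allowed list")
    elif mode == "access" and "spanning-tree bpduguard enable" not in lines:
        findings.append("access port without BPDU guard")
    return findings

def audit_config(config):
    """Map interface name -> findings, omitting interfaces that pass."""
    return {name: f for name, lines in parse_interfaces(config).items()
            if (f := audit_interface(lines))}
```

Running `audit_config(SAMPLE_CONFIG)` flags only GigabitEthernet1/0/2, the port that was never given an explicit mode.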
Defense in depth secures each device in the network, not just the border. This approach provides strong and resilient security that can be adopted piecemeal as technology and business requirements change.