display | more...

defense in depth: (DOD, NATO) The siting of mutually supporting defense positions designed to absorb and progressively weaken attack, prevent initial observations of the whole position by the enemy, and to allow the commander to maneuver his reserve.
--- from the DOD Dictionary of Military Terms


Defense in depth design principles

Defense in depth is a fundamental design principle for security and defensive systems. It is a key strategy when planning the overall defensive design of a castle, computer network, city, force positioning, or computer system. In some ways, it is the application of design margin to security. By making security not have a single point of failure, weaknesses in design, implementations, algorithms, or protocols are not fatal by themselves.

There are a number of aspects to defense in depth:

  • Layering for redundancy: Defenses should be composed from multiple independent layers. If any one layer should fail, the other layers remain to protect the critical assets. It is important the redundancy of layers is real and that there aren't some attack tree paths that are substantially weaker than others. The overall security of the system is only as strong as its weakest link, so it's important that layers are composed on all paths.
  • Visibility into failures: It is important to have visibility into the integrity of every layer. It should ideally not be possible for any one layer to be compromised or otherwise fail without this being detected. This gives the defender early detection of attacks, along with the corresponding ability to respond, reposition defenses, or counter-attack. It also allows the defender to estimate the degree of compromise, providing the ability for measured response.
  • Limit externally-visible exposure: By layering defenses, attackers may only have information about the layers that are exposed to them, either initially or through the compromise of outer layers. This severely limits their ability to plan ahead, making their attack both slower and more likely to be noticed. It's worth taking this as an added benefit, however, for there's a serious risk in relying on security through obscurity and underestimating the amount of information available to an attacker. To avoid detection, an attacker must therefore be perfect while simultaneously being ignorant of what is ahead.
  • Containment of failures: By compartmentalizing defenses, compromises can be limited to portions of a system. Incident response can then be a measured response that targets the compromised areas rather than having to treat everything as potentially compromised (although it is worth erring on the side of assuming that things have been compromised unless you know for certain that they haven't been).

The principle of defense in depth makes sense to apply to both a full system and to individual subsystems. In this way, it can be composed fractally where layered defenses are apparent at all scales.

In constructing defensive layers, different types of layers may be used to serve different purposes. With many of these layers, degree of defense does not simply compose arithmetically or geometrically. Some different purposes for layers include:

  • Primary defense: These layers comprise the key to the defense of any subsystem and when taken together defend against all attacks against the subsystem. Every subsystem must have one or more of these layers. In many cases, this layer is simply vigilance in design and implementation.
  • Attack/intrusion detection: These layers are often transparent or invisible to attackers, but provide defenders with information about attackers, the nature of attacks, and their degree of success at compromise.
  • Focused defense: These layers, designed to be used in conjunction with more general-purpose defenses, defend against particular attacks. These can be used to strengthen the weaker parts of primary defenses and to add additional protection against common attacks.
  • Raising the bar: These layers do not necessarily stand alone or provide any real protection but instead make attacks harder and decrease the number of potential attackers who have the skills and resources to mount a successful attack. Security through obscurity may not be effective as a primary defense, but it can help raise the bar.

 

Examples in physical defensive strategies

Defense in depth has been employed for thousands of years in the design of fortifications. Castles are one of the better demonstrations of the effectiveness of this design principle. Medieval castles had multiple layers of defense, going from the hill or position in which they were built, to far outer walls, to a moat, to the primary outer walls (bailey), to inner walls, to an inner keep/tower, to defenses within the tower. The outermost defenses would slow down attackers and reduce the element of surprise while the defenders could fall back to inner positions as outer layers were compromised.

 

Examples in networks and computer systems

When applied to computer networks, systems, and individual hosts, defense in depth involves placing redundant protections at many levels. On the perimeter, a corporate network may have a firewall and an IDS (intrusion detection system). Internally, the network may be compartmentalized such that servers and user machines for different organizations are firewalled from each other. Critical assets (such as authentication servers) may even have additional protections in front of them.

In addition to layered perimeter defenses, individual machines and communication channels should have their own protections.

Machines should be protected themselves (for example, only running services that need to be running, have security patches applied promptly, etc.) Machines should avoid transitive trust and principle of least privilege should be obeyed. Machines should have host-based intrusion detection systems (such as virus checkers).

Even if network layer channels between machines are encrypted through something like IPsec, end-to-end security (encryption, authentication, and authorization) should still be performed at or close to the application layer.

Software components running on machines can also be designed for defense in depth. In addition to paranoid design and implementation (for example, in avoiding buffer overruns), components should validate their inputs and not implicitly trust even other components running on the same machine. When possible, components should only have the capabilities that they need and should be running in restricted environments.

A common mistake of Information Systems executives is assuming that a firewall will solve all of their company's network security problems. However, firewalls should only be a component to a coherent defensive strategy. By themselves, they are only an outer wall that provides protection to attackers from the outside. Not only do the reported majority of corporate computer security incidents come from the inside *, but firewalls are insufficient by themselves at protecting companies from attacks from the outside. A great example of the dangers in relying on firewalls was provided by the Code Red Worm which infected employee laptops at home and was then carried inside of corporate firewalls where it proceeded to infect internal systems.

As the infantry charged across the plain, a small flag began waving from atop the cliff to their left. "Shit" exclaimed the exec, pointing it out to the captain. "They know we're coming."

With that, the rumble of heavy artillery began from the far side of the hill across the plain. "Not to worry," began the captain. "Arced shot isn't going to be painful. When we get closer, if they skip shot, then we'll have to worry." Even as the first balls began falling around them, a sergeant in the third platoon called out, "Skirmishers on the right!"

A squad of light cavalry, armed with pistols came on an oblique approach, snapping shots at long distance. "Third platoon! Wheel and engage! First and second platoons! Charge!" Even as the third platoon snapped their rifles to firing position, the voices of the first two platoons rose in a ululating war cry.

Grape shot came whizzing out of the fixed emplacements at the top of the hill, dismembering soldiers as the laboriously charged uphill. Then the advancing units reached the earthworks, and began clambering up into the teeth of enemy gunfire. As they reached the brush and spikes at the crest, they began shoving through, their numbers much reduced. Here, it was bloody work - with no time to reload, both sides began stabbing with the bayonets fixed to their rifles.

The coronets of the defenders rose, and a fresh squad of defenders rushed forward into the breech, repulsing the attack.


An example of physical defense in depth
Forward Observers
Provides the ability to see the enemy's formation prior to the engagement
Long range artillery
Forces the enemy to keep moving - as soon as they become stationary, the artillery can range on them. As it is, the benefits of suppressive fire against morale is high.
Skirmishers
In this instance, skirmishers forced the advancing unit to divide, thus weakening the attack against the main fortification.
Enfilading fire
At close range, grape shot into attacking infantry is ... lethal.
Elevation
Being on the uphill side of a charge is always advantageous.
Rifles
Having units firing upon the chargers - even as they ran uphill.
Earthworks
Effectively, walls to shield the defenders against incoming fire, and forcing the attackers over yet another hurdle.
Bayonets
Preparing infantry for a shift from long range to close quarters combat.
Reserve
A strategic force prepared to reinforce the defense.

Log in or register to write something here or to contact authors.