The defense in depth principle states that organizations should use multiple, overlapping security controls to achieve the same control objective. This is a layered approach to security and protects against the failure of any single security control. If one control fails, there is still another control designed to achieve the same objective standing in its place. Learn the importance of a layered approach to security and how to build a defense in depth strategy.
- [Instructor] Defense in Depth is one of the core principles of information security, and it certainly applies in the case of network security. The Defense in Depth principle states that organizations should use multiple, overlapping security controls to achieve the same control objective. This is a layered approach to security, and protects against the failure of any single security control. If one control fails, there is still another control designed to achieve the same security objective standing in its place.
When designing a secure network, you should definitely follow this Defense in Depth principle. Let's take a look at how we can apply the Defense in Depth layered security approach to three different network security control objectives. First, all network security professionals want to protect against eavesdropping attacks. Unauthorized individuals should never have access to confidential communications. How might we implement this? Encryption is always a strong first defense against eavesdropping attacks.
We can go a step further and implement multiple layers of encryption. For example, a VPN connection might secure our communications between two offices. But an organization may still choose to implement HTTPS application layer encryption on sensitive communications to provide further protection. Even if an attacker manages to penetrate the encrypted VPN tunnel, he or she still needs to contend with the TLS encryption added by HTTPS at the application layer.
We can also protect our network even further by using VLANs to provide segmentation of communications. When we separate network users by role into different VLANs, we limit their ability to eavesdrop on the communications of other users from different roles. Let's turn to another network security objective, Access Control. You learned in this course how network Access Control can provide strong authentication to restrict networks to authorized users, and, through 802.1X technology, place users on role-appropriate VLANs.
That's one very strong layer of protection. We could, if we chose, also implement MAC address filtering and port security on our network to achieve Defense in Depth. Let's look at one final network security objective, protecting the network perimeter. The classic security control at the network perimeter is a stateful inspection firewall that keeps out any traffic that isn't explicitly authorized by a firewall rule. That's a very strong layer of defense.
We can build a Defense in Depth approach by adding additional perimeter protections. For example, router Access Control Lists may filter traffic before it even reaches the firewall. Similarly, an intrusion prevention system might sit behind the firewall, filtering out potentially malicious traffic that manages to pass through the firewall before it reaches the internal network. Defense in Depth is a time-tested security principle, and it certainly applies to network security.
As you prepare for the CISSP exam, remember to keep Defense in Depth in the front of your mind. You'll likely face exam questions that ask you to draw upon this principle.
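The perimeter layering described in the transcript (router ACL in front, default-deny stateful firewall, IPS behind it), as an added Python model that is not part of the course or its materials: each control judges the same packet independently, so a firewall rule opened by mistake still leaves the IPS standing in its place. Every address, port, session and signature here is a constructed sample.

```python
# Toy model of the layered perimeter from the transcript; all values are constructed samples.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""
    reply: bool = False  # inbound half of a session an internal host opened

class RouterACL:
    """Stateless filter ahead of the firewall: drop private (RFC 1918) sources (simplified prefix match)."""
    BLOCKED = ("10.", "172.16.", "192.168.")
    def allows(self, p: Packet) -> bool:
        return not p.src.startswith(self.BLOCKED)

@dataclass
class StatefulFirewall:
    """Default deny: only explicitly allowed ports, or replies to sessions an internal host opened."""
    allowed_dports: set = field(default_factory=lambda: {443})
    sessions: set = field(default_factory=set)  # (internal_host, remote_host) pairs
    def allows(self, p: Packet) -> bool:
        if p.reply:
            return (p.dst, p.src) in self.sessions
        return p.dport in self.allowed_dports

class IPS:
    SIGNATURES = (b"TEST-SIG-1", b"TEST-SIG-2")  # constructed sample signatures
    def allows(self, p: Packet) -> bool:
        return not any(sig in p.payload for sig in self.SIGNATURES)

def evaluate(p: Packet, layers) -> str:
    # Walk the layers in traffic order; report the first one that drops the packet.
    for layer in layers:
        if not layer.allows(p):
            return type(layer).__name__
    return "allowed"

def demo() -> dict:
    fw = StatefulFirewall(sessions={("172.16.0.5", "203.0.113.9")})  # one tracked outbound session
    layers = [RouterACL(), fw, IPS()]
    weak = [RouterACL(), StatefulFirewall(allowed_dports={443, 22}), IPS()]  # port 22 opened by mistake
    ext, inside = "198.51.100.7", "172.16.0.10"
    return {
        "spoofed_private_src": evaluate(Packet("192.168.1.1", inside, 443), layers),
        "unsolicited_ssh": evaluate(Packet(ext, inside, 22), layers),
        "bad_payload_on_443": evaluate(Packet(ext, inside, 443, b"TEST-SIG-1"), layers),
        "tracked_reply": evaluate(Packet("203.0.113.9", "172.16.0.5", 51000, reply=True), layers),
        "ssh_through_weak_fw": evaluate(Packet(ext, inside, 22, b"TEST-SIG-2"), weak),
    }
```

The last case is the point of the principle: with the firewall misconfigured, the flagged traffic is still stopped, only one layer later.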
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security