Defense in depth means using multiple, overlapping security controls to achieve the same control objective, so that the failure of any single control does not defeat that objective. This video covers why a layered approach matters and how to build a defense in depth strategy for network security.
- [Instructor] Defense in Depth is one of the core principles of information security and it certainly applies in the case of network security. The Defense in Depth principle states that organizations should use multiple, overlapping security controls to achieve the same control objective. This is a layered approach to security and protects against the failure of any single security control. If one control fails, there is still another control designed to achieve the same security objective standing in its place.
When designing a secure network, you should definitely follow this Defense in Depth principle. Let's take a look at how we can apply the Defense in Depth layered security approach to three different network security control objectives. First, all network security professionals want to protect against eavesdropping attacks. Unauthorized individuals should never have access to confidential communications. How might we implement this? Encryption is always a strong first defense against eavesdropping attacks.
We can go a step further and implement multiple layers of encryption. For example, a VPN connection might secure communications between two offices, but an organization may still choose to implement HTTPS application layer encryption on sensitive communications to provide further protection. Even if an attacker manages to penetrate the encrypted VPN tunnel, he or she still needs to contend with the TLS encryption added by HTTPS at the application layer.
We can also protect our network even further by using VLANs to provide segmentation of communications. When we separate network users by role into different VLANs, we limit their ability to eavesdrop on the communications of other users from different roles. Let's turn to another network security objective, access control. You learned in this course how network access control can provide strong authentication to restrict networks to authorized users and through 802.1X technology place users on role-appropriate VLANs.
That's one very strong layer of protection. We could, if we chose, also implement MAC address filtering and port security on our network to achieve Defense in Depth. Let's look at one final network security objective, protecting the network perimeter. The classic security control of the network perimeter is a stateful inspection firewall that keeps out any traffic that isn't explicitly authorized by a firewall rule. That's a very strong layer of defense.
We can build a Defense in Depth approach by adding additional perimeter protections. For example, router access control lists may filter traffic before it even reaches the firewall. Similarly, an intrusion prevention system might sit behind the firewall, filtering out potentially malicious traffic that manages to pass through the firewall before it reaches the internal network. Defense in Depth is a time-tested security principle and it certainly applies to network security.
As you prepare for the CISSP Exam, remember to keep Defense in Depth in the front of your mind. You'll likely face exam questions that ask you to draw upon this principle.
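As an added example that is not part of the course transcript, the perimeter layering described in the video (a router ACL in front of a stateful firewall, an intrusion prevention system behind it) modelled in Python. Each layer is an independent check, a packet is dropped by the first layer that rejects it, and the IPS catches a malicious payload inside a connection the firewall has legitimately allowed, which is exactly the case the firewall alone cannot cover. The addresses, the single allowed-port rule, and the two IPS signatures are constructed for the illustration and are not from the course.

```python
"""Defense in depth at the network perimeter: router ACL -> stateful
firewall -> IPS, each an independent control. Added illustration; all
addresses, rules and signatures below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True          # True = new connection attempt, False = follow-up segment
    payload: bytes = b""


INTERNAL = ip_network("10.0.0.0/8")   # constructed internal range


def router_acl(pkt):
    """Layer 1, edge router ACL: anti-spoofing. Traffic arriving from the
    outside must not claim an internal source address."""
    if ip_address(pkt.src) in INTERNAL:
        return "deny: spoofed internal source at edge"
    return None


class StatefulFirewall:
    """Layer 2: allow new connections only to explicitly permitted ports,
    and allow follow-up segments only for connections already seen."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.connections = set()

    def check(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport, pkt.proto)
        if pkt.syn:
            if pkt.dport not in self.allowed_ports:
                return f"deny: port {pkt.dport} not permitted by firewall rule"
            self.connections.add(key)      # remember the permitted flow
            return None
        if key not in self.connections:
            return "deny: no established connection for this segment"
        return None


IPS_SIGNATURES = {                     # constructed content signatures
    b"../../": "path traversal",
    b"' OR 1=1": "SQL injection",
}


def ips(pkt):
    """Layer 3: inspect payload of traffic the firewall already passed."""
    for sig, name in IPS_SIGNATURES.items():
        if sig in pkt.payload:
            return f"deny: IPS matched {name}"
    return None


def perimeter(fw):
    """Chain the layers in the order traffic traverses them; the first
    layer to reject a packet decides, so a later layer's failure cannot
    re-admit it."""
    layers = [("router-acl", router_acl), ("firewall", fw.check), ("ips", ips)]

    def evaluate(pkt):
        for name, layer in layers:
            verdict = layer(pkt)
            if verdict:
                return (name, verdict)
        return ("accepted", None)

    return evaluate


# Constructed inbound traffic, in arrival order.
SAMPLE_TRAFFIC = [
    Packet("10.1.2.3", "10.0.0.10", 443),                       # spoofed internal source
    Packet("203.0.113.5", "10.0.0.10", 23),                     # telnet, not permitted
    Packet("203.0.113.5", "10.0.0.10", 443),                    # legitimate HTTPS handshake
    Packet("203.0.113.5", "10.0.0.10", 443, syn=False,
           payload=b"GET /../../etc/passwd HTTP/1.1\r\n"),      # attack inside allowed flow
    Packet("198.51.100.9", "10.0.0.10", 443, syn=False),        # segment with no connection
]


def evaluate_all(traffic=SAMPLE_TRAFFIC):
    """Run the traffic through a fresh perimeter; returns one (layer, reason) per packet."""
    check = perimeter(StatefulFirewall({443}))
    return [check(pkt) for pkt in traffic]


if __name__ == "__main__":
    for pkt, (layer, reason) in zip(SAMPLE_TRAFFIC, evaluate_all()):
        print(f"{pkt.src:>14} -> :{pkt.dport:<4} {layer:10} {reason or 'passed all layers'}")
```

The fourth packet is the one that shows why the layers are not redundant: the firewall correctly admits it because the connection was legitimately opened on an allowed port, and only the IPS, inspecting content the firewall does not look at, stops it. The ordering also matters in practice: the router ACL discards spoofed or obviously unwanted traffic before it consumes firewall state, and the IPS sees only what the firewall has already reduced the traffic to.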