Layered Security on A Network Device

I recently co-authored a whitepaper discussing the layered network security approach typically implemented with PCI Compliance. This got me thinking about layered security in general.

Data center security, network security, application security, physical security, and national security… One thing these entirely different security architectures have in common is the layered approach to securing critical assets.

Each approach has a first line of defense, an in-depth inspection of incoming traffic, the “trusted” core, and the transit traffic from one side to another. The perimeter will usually catch most “bad guys” and the core will typically be the most expensive to secure. Each architecture can be layered, secured, and segmented time after time after time.

Implementations, upgrades and maintenance typically occur one layer at a time. Each layer is abstracted and maintained and/or operated separately from the rest. Attackers are not just lock pickers breaking through a single line of defense; in many cases they are working through layer after layer of security. The ultimate goal is the “crown jewels”.

Implementing network security devices is typically done in much the same manner as security layers. Let’s say you’ve purchased a shiny new next-generation firewall. It comes with several cool new features you want to use, but aren’t currently implementing. A typical layered installation would go something like the following:

  1. Install the stateful firewall.
    • Include NAT.
  2. Turn on IPSec VPN services.
  3. Turn on Application Layer Gateway features.
  4. Turn on packet inspection and intrusion detection.
    • Use the “recommended” signatures.
  5. Turn on threat management.
    • Turn on and use the “recommended” virus signatures.
    • Turn on and use the “recommended” spam signatures.
    • Turn on and use the “recommended” malware signatures.
  6. Turn on “application aware” features.
    • Coordinate application rule-sets with existing stateful rule-sets.

Typical installations usually include a “burn in” period for each feature. The burn in period usually includes log and flow gathering, rule-base altering/tweaking, and preparing for the next layer of security features.

And once the desired services are implemented, it seems like one of two inevitable things always happens: it’s time to optimize the configuration, or it’s time to upgrade the implementation.
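The staged rollout above, with each feature sitting in a log-only burn-in period before it starts enforcing, is easy to picture as an inspection pipeline. The following is an added example written for this post, not code from the original article or from any firewall vendor: packets are plain dicts, the inside network, published port, IDS signature and blocked application are all constructed, and the three stages mirror "stateful firewall live", "inspection and application layers burning in" and "everything enforcing". A layer in monitor mode records what it would have dropped but passes the packet on, which is exactly the log and flow gathering the burn-in period is for.

```python
"""Layered inspection pipeline with a per-layer burn-in (monitor-only) mode.

Constructed example: packets are plain dicts and the rule sets and
signatures are invented for illustration; nothing here is vendor syntax.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

OFF, MONITOR, ENFORCE = "off", "monitor", "enforce"
INSIDE_PREFIX = "10.0.0."                          # constructed "trusted" inside network
PUBLISHED_PORTS = {443}                            # inbound ports the NAT layer publishes
SIGNATURES = {b"../../": "path-traversal-probe"}   # constructed IDS signature set
BLOCKED_APPS = {"bittorrent"}                      # constructed application-aware policy


def stateful(pkt: dict, state: dict) -> str:
    """Layer 1: stateful firewall. Return traffic of a tracked flow and new
    outbound flows are allowed; new inbound flows only to published ports."""
    conns = state.setdefault("conns", set())
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if reverse in conns:
        return "allow"
    if pkt["src"].startswith(INSIDE_PREFIX) or pkt["dport"] in PUBLISHED_PORTS:
        conns.add(key)
        return "allow"
    return "deny"


def ids(pkt: dict, state: dict) -> str:
    """Layer 2: packet inspection against the "recommended" signature set."""
    payload = pkt.get("payload", b"")
    return "deny" if any(sig in payload for sig in SIGNATURES) else "allow"


def app_aware(pkt: dict, state: dict) -> str:
    """Layer 3: application-aware policy (the app label is assumed to come from DPI)."""
    return "deny" if pkt.get("app") in BLOCKED_APPS else "allow"


@dataclass
class Layer:
    name: str
    inspect: Callable[[dict, dict], str]
    mode: str = OFF


@dataclass
class Pipeline:
    layers: List[Layer]
    log: List[str] = field(default_factory=list)
    state: dict = field(default_factory=dict)   # connection table shared by layers

    def process(self, pkt: dict) -> str:
        """Run one packet through every enabled layer in order. MONITOR (burn-in)
        logs what would have been dropped but passes the packet; ENFORCE drops."""
        for layer in self.layers:
            if layer.mode == OFF or layer.inspect(pkt, self.state) == "allow":
                continue
            if layer.mode == ENFORCE:
                self.log.append(f"{layer.name} DROP {pkt['id']}")
                return "drop"
            self.log.append(f"{layer.name} WOULD-DROP {pkt['id']}")
        return "accept"


# Constructed sample traffic using RFC 5737 documentation addresses.
TRAFFIC = [
    {"id": "p1", "src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.9", "dport": 80,
     "payload": b"GET / HTTP/1.1", "app": "http"},                  # new outbound flow
    {"id": "p2", "src": "203.0.113.9", "sport": 80, "dst": "10.0.0.5", "dport": 40000,
     "payload": b"HTTP/1.1 200 OK", "app": "http"},                 # reply to p1
    {"id": "p3", "src": "198.51.100.7", "sport": 5555, "dst": "10.0.0.5", "dport": 22,
     "payload": b"SSH-2.0-probe", "app": "ssh"},                    # unsolicited inbound
    {"id": "p4", "src": "198.51.100.7", "sport": 5556, "dst": "10.0.0.10", "dport": 443,
     "payload": b"GET /../../etc/passwd", "app": "https"},          # published port, signature hit
    {"id": "p5", "src": "10.0.0.6", "sport": 40001, "dst": "203.0.113.20", "dport": 6881,
     "payload": b"", "app": "bittorrent"},                          # outbound, blocked app
]


def run_stage(modes: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Replay TRAFFIC through a fresh pipeline with the given per-layer modes."""
    pipe = Pipeline([
        Layer("stateful", stateful, modes.get("stateful", OFF)),
        Layer("ids", ids, modes.get("ids", OFF)),
        Layer("app", app_aware, modes.get("app", OFF)),
    ])
    verdicts = {pkt["id"]: pipe.process(pkt) for pkt in TRAFFIC}
    return verdicts, pipe.log


ROLLOUT = [
    {"stateful": ENFORCE},                                   # stage 1: layer 1 live
    {"stateful": ENFORCE, "ids": MONITOR, "app": MONITOR},   # stage 2: layers 2-3 burning in
    {"stateful": ENFORCE, "ids": ENFORCE, "app": ENFORCE},   # stage 3: everything enforcing
]

if __name__ == "__main__":
    for n, modes in enumerate(ROLLOUT, 1):
        verdicts, log = run_stage(modes)
        print(f"stage {n}: {verdicts}")
        for line in log:
            print("   ", line)
```

Running the three stages shows why the burn-in matters: in stage 2 the new layers would already have dropped the signature hit and the blocked application, but those show up only as WOULD-DROP log lines, which is the material you review and tune before flipping the layer to enforce in stage 3. Each stage gets a fresh connection table, so the state a layer depends on is rebuilt from the replayed traffic rather than carried over.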


Responses to “Layered Security on A Network Device”

  1. Target, Michaels, and Neiman Marcus were all PCI compliant and still got compromised. This approach is changing rapidly. Zero trust, network segmentation. Assume the hacker can get in and isolate him from there. My 2 cents.

    • Very true! With the advanced persistent threats (APT) these days, even the core and mission critical layers aren’t “trusted”.

  2. You forgot to mention …watch everything grind to a halt because you turned on all the features simultaneously.

    • LOL! So very true! That’s exactly why companies layer them on one at a time and let them burn in for a bit! 🙂