Six Strategies for Defense-in-Depth
Securing the Network from the Inside Out

Joel Snyder

INTRODUCTION

The idea of perimeter defense when referring to a corporate network ignores common knowledge: that most successful and significant security breaches don't come from the outside. Serious issues often originate inside the network: everything from worms, viruses, and Trojan horses to unsecured wireless networks, peer-to-peer mobile communications and guest users can compromise the security of corporate networks.

To address these threats, the corporate network should no longer be a single homogeneous zone in which users connect from anywhere in the network and receive the same levels of access. Instead, the network requires internal perimeterization and defenses. Regulatory requirements also demand stringent controls on data flow within the corporate network. Logging and auditing requirements put pressure at one end of the spectrum, while rules regarding disclosure and information sharing are pushing against the other side.

In addition, the notion of a perimeter in a corporate network is fast disappearing. While site-to-site and remote access VPNs are extending the perimeter, employees themselves are eroding the perimeter and making it weaker, often without being aware of the impact they are having on network security.

For example, a mobile employee who connects a laptop to the Internet from a mobile hotspot and is exposed to worms or viruses can infect the corporate network when the employee returns to the office. The firewall that stopped the worm at the perimeter is unable to stop this internal attack because it came from a trusted source. Similarly, a single unsecured wireless access point (AP) in the corporate network can on its own jeopardize the security provided by the perimeter firewall.
Finally, mobility itself brings chaos to any network manager's attempt to segregate and segment traffic. Contractors and visitors require access to the Internet, while employees themselves move about within the campus, connecting at different locations. Segmenting traffic based on source IP address is simply not enough in this environment, as a malicious client can easily assume another identity by changing its own IP address.

The response to the new security environment of corporate networks is often referred to as defense-in-depth. The idea is to add protection at multiple layers rather than relying only on a perimeter firewall. Networks can no longer be partitioned into inside and outside.

Defense-in-depth requires that relationships between network resources and network users be a controlled, scalable and granular system of permissions and access controls that goes beyond simply dropping firewalls between network segments. The defense-in-depth banner has been handy for all sorts of other security products, from IDS to virus scanners---certainly useful additions to a corporate network security plan. But few security architects have taken the idea of defense-in-depth to its logical conclusion: turn the network inside out.

MAKING A NETWORK SECURE: DEFENSE-IN-DEPTH

Defense-in-depth is a dramatic departure from the transparent data corridor of the LAN. By pushing security into the network itself, the LAN changes from a public-access highway to a high-security network of roads serving gated communities. Adding security into the LAN requires considering and implementing three key attributes of secure networking:

Access control - knowing who is on the network (authentication), what resources they are authorized to use, and applying these access controls to their traffic.
Integrity - guaranteeing that the network itself is available as a business-critical resource and that threats can be identified and mitigated.
Privacy - ensuring that traffic on the network is not accessible to unauthorized users.

Defense-in-depth is not a product, like a perimeter firewall. Instead, it is a security architecture that calls for the network to be aware and self-protective. In studying the problem of adding defense-in-depth, we've identified six key strategies that security architects can use to significantly change the security posture of enterprise wired and wireless LANs (WLANs):

Strategy 1: Authenticate and authorize all network users
Strategy 2: Deploy VLANs for traffic separation and coarse-grained security
Strategy 3: Use stateful firewall technology at the port level for fine-grained security
Strategy 4: Place encryption throughout the network to ensure privacy
Strategy 5: Detect threats to the integrity of the network and remediate them
Strategy 6: Include end-point security in policy-based enforcement

Figure: New approaches to security require authentication for all users prior to being granted network access. Centralized policy management drives this new security architecture. Sophisticated new systems that centralize security can now enforce user access based on location, device type and a myriad of other parameters.

STRATEGY 1
Authenticate and authorize all network users

Problem: We don't know who is on our network.
Challenges: Maintaining authentication databases for all types of users and systems; equipment that doesn't support authentication protocols.
Solution: Authenticate users (and perhaps devices) within the network, leveraging tools like 802.1X, RADIUS and LDAP to provide both authentication and authorization information.

The starting point for any deployment of defense-in-depth is authentication. Authentication should be handled at the earliest point of connection of the system to the network: at the port level, even before the client is assigned a network address.

Associated with every positive authentication must also be authorization: now that we know who this person is, what does it really mean? What can they do? Where can they go? Unless every user in the authentication database has the same privileges and accesses, authentication must be tightly linked to authorization. The combination of positive authentication and user-based authorization information should form the basis for policy enforcement.

Challenges in Authentication

There are two key challenges in implementing network user authentication: the lack of a centralized authentication database, and the inability of some legacy systems to support modern protocols.

The clear choice for network authentication is IEEE 802.1X, the IEEE standard for network authentication. As an open standard with support for multiple authentication protocols, 802.1X is flexible enough to support everything from digital certificates to username/password authentication, and platforms from low-end PDA devices and mobile phones up to desktop and server operating systems.

802.1X has become a strong force and has already seen widespread adoption across network equipment manufacturers and operating system vendors.

Strategies for Deploying Authentication in Networks

The obvious place to start deploying network-based authentication using 802.1X is in the wireless network. As a replacement for simple WEP authentication, 802.1X can be used by itself or in conjunction with WPA or 802.11i security. Since wireless is becoming an obligatory technology for most buildings, adding 802.1X both resolves the demand for wireless and offers the opportunity to get acquainted with the technology and the protocol.

Because 802.1X supplicant software is built into recent versions of both Windows and Macintosh operating systems, testing supplicants (clients) is rarely a difficult process. However, other platforms, such as PDAs and particularly embedded wireless devices (such as wireless print servers), may present a challenge.

Once there is experience with wireless deployments, it is time to move to wired device authentication. Although a full roll-out will probably require some replacement of equipment, it is likely that there is 802.1X-compatible hardware somewhere in the enterprise that can be used to begin wired testing and start deployment.

Defense-in-depth is successful only if authorization is implemented successfully following positive authentication. It is critical that a user's privileges on the network vary based not just on their identity but also on other intelligence about the user, such as:

(1) machine identity
(2) security level of the machine
(3) location of the user
(4) time of day and
(5) authentication method

For example, a user accessing email from a personal computer at home on the weekend may be given access to email only if the home PC is running an appropriate version of the corporate-approved firewall. In the event of non-compliance the user may be directed to a download site to download such software. An interesting use of location-based authorization is enabled by intelligent WLAN systems that can pinpoint the location of the user. In such a scheme, a user can be prevented from accessing sensitive applications when sitting in the corporate cafeteria.

Overall, effective network security begins with authentication at the earliest possible stage and with intelligent authorization. This combination of authentication and authorization should form the basis of security policy in corporate networks today.

Sidebar: Virtual LANs extend the Ethernet standard by letting two different networks share the same wire. To keep the traffic separated, each frame from each network is tagged with a VLAN number. At either end of a physical link, devices such as switches or routers know how to interpret the VLAN tags and break the traffic apart. End systems only see the traffic from the LAN they belong to. In effect, what used to require two sets of equipment and two physical wires can now be done with a single set of VLAN-capable switches and routers.
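The sidebar above explains how VLAN tags keep traffic apart; Strategy 2 below relies on the authenticating RADIUS server choosing the VLAN for each authenticated port or wireless session. As an added example (not code from the whitepaper), here is how that assignment is encoded and checked: the RFC 2868 tunnel attributes as applied to 802.1X by RFC 3580, which is the IETF-standardized mechanism the paper alludes to. VLAN numbers are constructed.

```python
"""Encode and validate the RADIUS Access-Accept attributes that carry a
dynamic VLAN assignment to an 802.1X switch or WLAN controller
(RFC 2868 tunnel attributes, used for VLANs per RFC 3580).
Added example; not code from the whitepaper."""

# Attribute type codes (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # string: the VLAN ID (or a VLAN name)
VLAN = 13
IEEE_802 = 6
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def _attr(attr_type, body):
    """RADIUS attribute: Type (1) | Length (1, includes header) | Value."""
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_int(attr_type, tag, value):
    """Tunnel-Type / Tunnel-Medium-Type: Tag octet + 3-octet integer."""
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type, tag, value):
    """Tunnel-Private-Group-ID: Tag octet + string."""
    return _attr(attr_type, bytes([tag]) + value.encode("ascii"))


def vlan_assignment(vlan_id, tag=1):
    """The three attributes a RADIUS server returns to put the port in vlan_id."""
    return (tagged_int(TUNNEL_TYPE, tag, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(blob):
    """Yield (type, value) for each attribute in a RADIUS attribute list."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def assigned_vlan(blob):
    """VLAN ID the switch should apply, or None when the Access-Accept does
    not carry a complete, consistent assignment. Applying a half-formed
    assignment is the kind of misconfiguration the paper warns about, so
    anything short of Type=VLAN + Medium=IEEE-802 + numeric group is refused.
    (VLAN names are deliberately not mapped here; a real switch may do so.)"""
    per_tag = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type not in TUNNEL_ATTRS or not value:
            continue
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: the first octet is a tag only if it is 0x00..0x1F;
            # otherwise it is the first character of the string.
            tag, payload = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            per_tag.setdefault(tag, {})["group"] = payload.decode("ascii", "replace")
        else:
            if len(value) != 4:
                raise ValueError("tagged integer must be tag + 3 octets")
            per_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
    # All three attributes must share one tag for the assignment to be valid.
    for slot in per_tag.values():
        if (slot.get(TUNNEL_TYPE) == VLAN and slot.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and slot.get("group", "").isdigit() and 1 <= int(slot["group"]) <= 4094):
            return int(slot["group"])
    return None


if __name__ == "__main__":
    accept = vlan_assignment(210)
    print(accept.hex(), "->", assigned_vlan(accept))
```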

STRATEGY 2
Use VLANs for traffic separation and coarse-grained security

Problem: Need to separate network-connected entities into different security and service profiles without rewiring and reengineering the network.
Challenges: VLANs can be used for security isolation, but there are dangers in packet leakage and misconfiguration; switches now become the firewalls. VLANs as generic security barriers do not scale to large networks, especially multi-site ones.
Solution: Use dynamic assignment to VLANs for devices and users as a way to provide coarse-grained control of security at the building level.

VLANs are, by their nature, unrouted chunks of network traffic. In most modern building networks, a fair amount of layer 3 IP routing takes place between wiring closets and the computer rooms. In a campus environment, routing is even more common. This makes pushing large numbers of VLANs around the infrastructure a fairly difficult-to-manage process.

Although most networks are heavily over-engineered with Gigabit (or 10 Gigabit) trunks, carrying a large number of VLANs around the network to represent different security profiles can stress not only the infrastructure, but also the management of the network itself. This difficulty is compounded as WLANs are added to the network. To maintain simplicity, enable inter-SSID mobility and preserve the current IP addressing scheme, it is essential that the WLAN architecture of choice have the ability to enable multiple VLANs across a single SSID. This is typically true of the new generation of centralized WLAN solutions.

Strategies for Security VLANs

The key to successful use of security VLANs is dynamic assignment. While some ports in the network can be hard-wired to a particular VLAN (for example, in the server room or in the reception area of the company), assigning traffic to a VLAN should be done dynamically based on the authentication provided by the user (see Strategy 1, authenticate and authorize network users). Dynamic assignment is a critical requirement in building manageable networks. Static definition of security tends to cause long-term maintenance problems and impedes mobility of end users. By tying security to authentication information retrieved at the point of network access, secure networks can support quickly changing and moving user populations with minimum staffing costs.

There are multiple ways to assign devices to VLANs dynamically, including:
- based on 802.1X authentication information
- based on Web-based authentication information
- according to an SSID selected by the user in a wireless network
- based on detection of some other attribute, such as the MAC address of the device or the location of the user

Bringing dynamic assignment into the network requires a mechanism for providing authorization information at authentication time. In certain environments this can be maintained manually or using an out-of-band mechanism such as a user list. In the case of SSID selection in a wireless network, the user is asking for permission to connect to a particular network and then authenticates (or proves knowledge of the SSID or WEP key, depending on how secure an environment is needed) to finalize access.

With 802.1X authentication, there is no way for a user to request a particular VLAN, which means that users must have VLAN information stored in the 802.1X authentication (RADIUS) server. Fortunately, an IETF-standardized mechanism exists to let a single RADIUS server send this information down to different devices. WLAN assignment may also be modified based on other information, such as the location of the user or the results of an end-point client security scan. The first step, then, should be to use VLANs and 802.1X/RADIUS authentication for assignment, as this is most likely to be supported across multiple devices.

STRATEGY 3
Use firewall technology for fine-grained security

Problem: Enforcing fine-grained security policy within the network based on who a user is.
Challenges: Policy management is difficult. Firewalling has become inexpensive, but still represents a considerable premium over simple switching.
Solution: Build stateful security policies based on group information, applying policy at the port level.

While using VLANs is sufficient for a coarse classification of some network users, the real solution to securing such a valuable resource is a fine-grained, user-based set of security policies enforced by the network.

Many enterprise network managers have reached the same conclusion and have begun embedding perimeter-style firewalls throughout the network interior in an attempt to apply security policy at points other than at the Internet access gateway.

There are two major problems with using interior firewalls to enforce policy. First, packets do not come with authentication information stapled to them. This means that when a firewall deep in the network has to make an access control decision, either it has to depend on highly unreliable information (the IP address that the packet is coming from) or it has to put up a new roadblock and insist on user authentication to that firewall. While a variety of proprietary approaches to this issue have been offered, typically based on some VPN-like authentication and encryption scheme, all are attempting to solve the problem the long way around.

The second problem with using interior firewalls is that there are never enough of them. Systems connect to the network at the edge, not at the core, and the traffic from those systems needs to be controlled at the point of entry to the network. Catching it hops down the line is too late: the control needs to be tightly bound to the point of entry. All of this points to a simple-sounding strategy: firewall at the port level.

Until recently, firewalling at the port level was impractical at best. Now that we have technologies such as 802.1X authentication (don't forget Strategy 1, authenticate and authorize users) and firewall systems with very high port densities, enforcement of stateful security policy at the port level is a reasonable and economical goal.

Challenges to Enforcement of Fine-Grained Access Controls

There are two main challenges to enforcing fine-grained access controls. The first is management: how to define and create the stateful security policies and then how to bind those to an authenticating user. The second is economics. If a high-end managed LAN switch costs $50/port, the firewall vendor accustomed to getting $500 to $1000/port for appliance-style firewalls is going to have an uphill battle selling something ten times the price just to add security.

Overcoming the management issue is more significant, because no amount of budget flexibility can solve an unmanageable problem. The key to breaking through the problem of managing per-user network security policies is to move to a role-based management model. Although everyone is different, people are not really that different---and it is simpler to define access controls and security policy based on the roles that the user has within the organization than to try and answer the question "what should this specific person have access to?"

Starting with role-based management, users are assigned to groups that represent the roles that they play. A key requirement is the ability to assign a user to multiple groups. Because users do have multiple roles, they must be able to take on those roles simultaneously.

Strategies for Applying Fine-Grained Access Controls

Any application of security policy has to start with definition of the policy. Although technology solves many problems, the difficulty of defining policy has never changed and must be tackled first. If a security policy for inside the network cannot be defined and agreed upon, there's no point in going any further. Security policy should be role- and resource-based, defining who has access to what resource, how the resource is accessed (Read? Write? Put? Get?) and any other modifiers, such as time of day or user location.

One winning approach to pushing out security policy enforcement to the port level is to start with the wireless network, because wireless security is predicated on user identity: since users are no longer associated with physical ports, intelligent wireless network products integrate policy enforcement directly into the system.

Figure: Enterprises should consider ways to virtualize security services for all users and all ports without having to deploy security appliances in every wiring closet.

STRATEGY 4
Place encryption throughout the network to ensure privacy

Problem: The network must protect the data at the application layer. Applications don't generally do that.
Challenges: The best privacy would be encryption where possible and where risk is high.
Solution: Build encryption into the network.

Privacy of data throughout the enterprise is becoming a significant issue. Because the network itself carries very sensitive data, there is a strong need to protect that data from accidental or intentional disclosure. The obvious case is in WLANs: no network manager would consider deploying a wireless network solution that does not enforce strong encryption.

In the wired environment, encryption can also be appropriate. The wake-up call for most network managers has come in the form of regulatory requirements. For any health care provider touched by the Health Insurance Portability and Accountability Act (HIPAA) requirements, widespread encryption of data even when inside the corporate network may be required by law. Regulations such as California's SB1386 (on publication of information when private information is exposed) are also pushing companies to encrypt more data to reduce the risk of disclosure of protected information.

As every student of network security knows, encryption to assist in privacy can be done at any layer, from the physical link all the way to the application. There are tradeoffs with each alternative, generally revolving around coverage and generality. Encrypt lower for a general-purpose solution that covers all applications. Encrypt higher and protect the data end-to-end, eliminating any potential for exposure. The lower in the stack the encryption, the more traffic that can be encrypted and the lower the likelihood of network eavesdropping.

However, encrypting low in the stack means that the data are in the clear as they move from the application to the first encrypted link. In that sense, the likelihood of exposure grows larger, especially at network control points handling unencrypted traffic. From a host security point of view, the ominous presence of malware also poses a risk to having unencrypted data flowing through the guts of an end system. The alternative, then, is application-layer encryption. However, this approach means that each application server and client must be modified to support encrypted data---a huge task.

Challenges when Adding Privacy to Networks

When approaching privacy from a defense-in-depth point of view, the natural inclination is to build encryption into the network itself. While IEEE 802.11i is helpful when discussing privacy in WLANs, for the wireline side of the network the alternatives are less clear-cut. Unfortunately, 802.11i doesn't apply in a wired environment. Network managers are left in a standards void, then, with no obvious analog to 802.11i for the wired LAN. Additional alternatives for wireline encryption are proprietary link-encryption systems that offer security at the data link layer, but no higher. Higher-layer encryption that can traverse data links but stops short of the end systems is also an option. For example, cooperating network equipment at the network jack and the data center could encrypt data across multiple links and switching/routing points.

Strategies for Adding Privacy to Networks

For wireless networks, adding privacy is easy. The IEEE has published IEEE 802.11i, a specification of wireless security that describes exactly how to provide privacy and integrity on a WLAN using state-of-the-art encryption algorithms and state-of-the-art authentication based on 802.1X (see Strategy 1). Any network manager considering privacy and encryption within the network should be looking at 802.11i for standardized and widely interoperable solutions for wireless.

The table below provides some guidance on best practices in incorporating encryption and message authentication into data networks.

Table: common encryption solutions by environment
ENVIRONMENT | COMMON SOLUTIONS
All wireless | 802.11i combined with 802.1X, using either TKIP or AES encryption
Server-to-server wired | IPsec in transport or tunnel mode between servers or server farm subnets
Client-to-server wired | Ideally application-layer encryption. The common alternative is typically link-layer encryption between wiring closet and data center. A new alternative is IPsec encryption from each network jack to the data center.
Client-to-server remote access | VPN protocol such as IPsec or SSL to a corporate VPN gateway

Wireless networks of all kinds require strong encryption at the link layer. Although link-layer encryption is desirable in the enterprise network, for all but the most sensitive of applications it is unlikely to be a requirement. As a stop-gap, application-layer encryption adds tremendous privacy, while proprietary link-layer wired LAN solutions extend the security perimeter at reasonable cost and without disrupting existing systems or applications.

STRATEGY 5
Detect threats to the integrity of the network and remediate them

Problem: Identifying and remediating threats to network integrity in a cost-effective way.
Challenges: Balancing threat identification with resource cost.
Solution: Analyze requirements for intrusion detection and remediation and find a solution which fits the network's real requirements.

The challenge for implementing internal IPS/AV schemes is that boxes have to be located in every closet, and even then they cannot prevent a PC from potentially affecting its peer on the same network. A better way to address this problem is to encrypt traffic from each network jack and bring it back to a central location where all the policies are applied. This method is non-disruptive to addressing schemes and is far better than distributing multiple firewalls and IPS/AV systems in each wiring closet.

If there is a trinity of security concerns in access control, privacy, and integrity, the third of these gets the least interest. The main reason for this is simple: detecting threats to the network can be very difficult. While some threats to network and data integrity are easy to identify and remediate, others can be extremely hard to detect---and even more difficult to protect against. While many companies focus their threat management on the firewall, the threats can come from anywhere: worms and viruses, wireless, guests, and careless or malicious insiders. It is worthwhile to identify as many of these threats as possible and either notify or attempt remediation.

The security community's first attempt at threat identification came in the form of IDS, intrusion detection systems. While IDS have proven their worth as a tool in the arsenal of the security analyst, most enterprises have discovered that the information they get from their IDS is not primarily useful in detection and remediation of immediate threats. An IDS is like a protocol analyzer: it's a tool for the security analyst to use in diagnosing and identifying problems, more than a first line of defense against network integrity threats.

To support the continuing need for threat detection and management, security vendors have flooded the market with products ranging from in-line intrusion prevention systems (IPS) based on the same core technology as IDS, to application-layer firewalls and highly specific tools designed to catch a particular type of threat, such as a network worm. Even more mundane areas such as anti-virus scanners have moved into network-based devices, hoping to catch viruses on the fly in the network, no matter what protocol they use to propagate. Threat management tools also extend into more analytical areas, such as vulnerability analyzers and security information management (SIM) tools that collect data from multiple network and security devices and attempt to identify threats by correlating log information.

Challenges in Ensuring Network Integrity

The greatest challenge in managing network threats is defining the appropriate risk/reward balances. We've already discussed, briefly, the difficulty of determining the ROI of security products in general. With threat management and network integrity assurance, the ROI calculation is as hard as it gets. Obviously, you are hoping to protect against total network failure, but adding integrity checking tools to the network doesn't give a good metric of how much less frequently the network is unavailable or degraded for security reasons---or whether the tool will necessarily catch the problems that beset the network.

A commonly encountered challenge with deployment of network integrity products, such as intrusion detection systems, is the highly distributed nature of most networks. In a highly switched network, monitoring the integrity of the network becomes a very difficult task. If you can't see the traffic, you can't detect threats and anomalous behavior.

When looking for areas to deploy network integrity tools, you may be stymied by another metric of difficulty: measuring risk itself. Successful integration of these tools requires understanding what the threats are that you care about and what you need to do to detect them. While risk itself is generally unmeasurable, the threats to your network are not difficult to enumerate. Simply listing the threats, the consequences, and your remediation strategy will go a long way towards identifying the right strategy for ensuring network integrity.

Strategies for Ensuring Network Integrity

The most successful strategies will identify the areas of greatest risk and concentrate on those first. That's half of the best path forward. The other half is to examine the technologies that have the lowest cost, both in terms of capital and continuing operations and support.

A good example of the former is Trojan horses, viruses, and malware. These threats have the ability to degrade not only network and system performance, but they can also expose and disclose sensitive information or cause a complete denial of service. More importantly, it's very easy to become infected with various kinds of malware. The risk of infection is high, and the risk to the network is high in the case of an infection. This is why enterprise system managers universally have virus identification and mitigation strategies already in place.
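As an added example, not code from the whitepaper: the SIM-style correlation described above, run over constructed RADIUS accounting and IDS log lines. An IDS alert carries only a source IP address; replaying the accounting Start/Stop records binds that address to the authenticated user and the switch port they entered on, which is what makes remediation at the point of entry possible rather than hops down the line. The log line format is hypothetical; the RADIUS attribute names are the standard ones from RFC 2865/2866.

```python
"""Identity-aware alert correlation: attribute each IDS alert (which only
names an IP address) to the 802.1X-authenticated user and switch port by
replaying RADIUS accounting records in time order. Constructed example;
the log format is hypothetical, the RADIUS attribute names are real."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs: two authenticated sessions, three IDS alerts.
# The last alert fires after alice's session has stopped, so its address
# can no longer be attributed to her.
SAMPLE_LOGS = """\
2005-03-01T08:02:11 radius Acct-Status-Type=Start User-Name=alice NAS-IP-Address=10.1.1.5 NAS-Port=17 Framed-IP-Address=10.20.3.44
2005-03-01T08:05:40 radius Acct-Status-Type=Start User-Name=bob NAS-IP-Address=10.1.1.5 NAS-Port=23 Framed-IP-Address=10.20.3.61
2005-03-01T08:41:03 ids msg="TCP port sweep" src=10.20.3.44 dst=10.20.0.0/16
2005-03-01T08:41:09 ids msg="SMB worm propagation attempt" src=10.20.3.44 dst=10.20.7.12
2005-03-01T09:10:00 radius Acct-Status-Type=Stop User-Name=alice NAS-IP-Address=10.1.1.5 NAS-Port=17 Framed-IP-Address=10.20.3.44
2005-03-01T09:30:15 ids msg="TCP port sweep" src=10.20.3.44 dst=10.20.0.0/16
"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_line(line):
    """'<iso-time> <source> k=v k="v v" ...' -> (datetime, source, dict)."""
    ts, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return datetime.fromisoformat(ts), source, fields


def correlate(lines):
    """Return one finding per IDS alert, with user/nas/port filled in when a
    RADIUS session for the alert's source IP was active at that moment."""
    sessions = {}   # Framed-IP-Address -> {"user", "nas", "port"}
    findings = []
    for ts, source, f in sorted((parse_line(l) for l in lines), key=lambda t: t[0]):
        if source == "radius":
            ip = f.get("Framed-IP-Address")
            status = f.get("Acct-Status-Type")
            if status == "Start":
                sessions[ip] = {"user": f["User-Name"],
                                "nas": f["NAS-IP-Address"], "port": f["NAS-Port"]}
            elif status == "Stop":
                sessions.pop(ip, None)   # the address is no longer bound to that user
        elif source == "ids":
            who = sessions.get(f["src"]) or {"user": None, "nas": None, "port": None}
            findings.append({"time": ts, "msg": f["msg"], "src": f["src"], **who})
    return findings


def ports_to_remediate(findings, threshold=2):
    """(nas, port) pairs whose authenticated user produced at least `threshold`
    attributed alerts: the entry port is where control belongs."""
    counts = Counter((f["nas"], f["port"]) for f in findings if f["user"])
    return {k for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    fs = correlate(SAMPLE_LOGS.splitlines())
    for f in fs:
        print(f["time"].isoformat(), f["msg"], f["src"],
              f["user"] or "<unattributed>", f["port"])
    print("remediate:", ports_to_remediate(fs))
```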

Those who have not added malware/spyware protection to their anti-virus tools will be doing so shortly---the risk is too great to ignore.

While high risk is easy to identify, low cost is also a good way to find tools for your network integrity and protection arsenal. For example, most firewalls have some limited IPS capabilities built in, such as denial of service (DoS) protection. Although these devices need a small amount of tuning, they can increase the level of network integrity without capital expense and with very low operational cost.

Although highly distributed networks are common deployment architectures, you may want to consider a more centralized strategy when it comes to monitoring network integrity and identifying threats. For example, pulling traffic back to a central data center and a small number of switching and routing points offers the opportunity both to monitor the network inexpensively and, where appropriate, to install choke point technologies such as intrusion prevention systems.

STRATEGY 6
Include End-Point Security in Policy Enforcement

Problem: Even though a user on the network has been positively identified, they may be on a compromised platform and pose an unintentional threat to the network.
Challenges: Security posture is, at best, a coarse-grained barometer.
Solution: At entry points and policy management points, incorporate end-point security determination; when defining policy, include end-point security as a factor.

User systems may range from tightly controlled laptops owned and managed by corporate IT to spyware-infected, keystroke-logging, Trojan-hosting systems at public Internet kiosks. A user who successfully identifies to the network should be given different privileges depending on the system they are using for access.

Most network managers are already aware of the problem of end-point security and have tools such as anti-virus, personal firewall, and patch management in place on many systems. The next step is verification: enforcement of policy regarding end-point security by varying access based on the security posture of the end system.

This technology and the thinking behind it are most evident in the world of SSL VPN, where vendors are vying hard to differentiate themselves and incorporate end-point security posture detection and enforcement into their products. Remote access VPN tools, such as SSL VPN, have a particular vulnerability in this area because they are specifically designed to extend network access to users who may have a wide variety of untrusted computing platforms. However, this same thinking is beginning to move into the enterprise network.

The idea is simple: detect the security posture of the end system, and use that information to control access. Actually implementing end-point security policy enforcement is another matter entirely.

Challenges in Enforcing End-Point Security Policies

There are two significant challenges to deployment of policy enforcement based on end-point security posture. The primary difficulty comes from the wide variety of systems being used on corporate networks. Attempting to load and execute a security posture assessment tool on every system that connects to the network is an exercise fraught with danger and guaranteed only mixed success.

The second challenge is one of granularity. For example, if the end-point security assessment discovers that a personal firewall is loaded, but the firewall policy is out of date, is the system in compliance or not? At the same time, security posture may mean different things depending on who the user is and what resources they are using. Thus, the compliance status may be difficult to determine without considering other factors. Building and, more importantly, maintaining the business logic to deal with different platforms and security postures will only get more complex, not less so.

Strategies for Enforcing End-Point Security Policies

Best-practice solution strategies depend on a combination of forward-thinking stateful security policy definitions and flexible remediation systems.

To use end-point security information within stateful security policies, the definition of every policy entry has to include the end-point security compliance level. A best practice is to reduce the analysis of end-point security to a zone definition, keeping the number of zones as small as practicable: three or four should be sufficient for most enterprises.

A second best practice in this area is the provision of remediation resources. The idea is that if a user attempts to connect to the network but is considered out of compliance with security policy, simply blocking their access is not the right answer. Instead, the user should be connected to a section of the network that offers resources, such as the corporate personal firewall or anti-virus scanner or updated policies and virus definitions. Then the user has the opportunity to move into a compliant state and re-connect to the network to get full access.
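As an added example (not code from the whitepaper), here is a small role-based decision function that combines the authorization inputs Strategy 1 lists (identity, location, time of day, authentication method, end-point posture), the multi-role group model of Strategy 3, and the posture zones and remediation network of Strategy 6. The roles, resources, zone names and the sessions are hypothetical and constructed inline.

```python
"""Role- and resource-based access decision with end-point posture zones.
Added example; roles, resources and zones are hypothetical."""
from dataclasses import dataclass
from datetime import time

# End-point posture reduced to a handful of zones, as the whitepaper advises.
ZONE_UNKNOWN = 0        # no assessment possible (guest laptop, PDA, print server)
ZONE_NONCOMPLIANT = 1   # assessed and failed (e.g. firewall present, policy stale)
ZONE_COMPLIANT = 2      # assessed and passed
ZONE_MANAGED = 3        # corporate-managed and compliant


@dataclass(frozen=True)
class Session:
    """What the network knows at the point of entry once 802.1X succeeds."""
    user: str
    groups: frozenset          # a user may hold several roles at once
    location: str              # e.g. "office", "cafeteria", "remote"
    auth_method: str           # e.g. "certificate", "password"
    posture_zone: int
    now: time


@dataclass(frozen=True)
class Rule:
    """One role- and resource-based policy entry (who, what, how, modifiers)."""
    resource: str
    actions: frozenset
    groups: frozenset                        # any one matching group grants it
    min_zone: int = ZONE_COMPLIANT
    locations: frozenset = frozenset()       # empty = anywhere
    auth_methods: frozenset = frozenset()    # empty = any method
    window: tuple = (time(0, 0), time(23, 59, 59))


def rule_applies(rule, s):
    start, end = rule.window
    return (bool(rule.groups & s.groups)
            and s.posture_zone >= rule.min_zone
            and (not rule.locations or s.location in rule.locations)
            and (not rule.auth_methods or s.auth_method in rule.auth_methods)
            and start <= s.now <= end)


def decide(rules, s):
    """Return (allowed, remediation): allowed maps resource -> set of actions.
    A system that was assessed and failed is not simply blocked; it is placed
    on the remediation network and gets nothing else until it re-connects."""
    if s.posture_zone == ZONE_NONCOMPLIANT:
        return {"remediation-portal": {"GET"}}, True
    allowed = {}
    for r in rules:
        if rule_applies(r, s):
            allowed.setdefault(r.resource, set()).update(r.actions)
    return allowed, False


# Hypothetical policy, constructed for the example.
POLICY = [
    Rule("email", frozenset({"GET", "PUT"}), frozenset({"staff"})),
    Rule("hr-db", frozenset({"GET", "WRITE"}), frozenset({"hr"}),
         min_zone=ZONE_MANAGED, locations=frozenset({"office"}),
         auth_methods=frozenset({"certificate"}),
         window=(time(7, 0), time(19, 0))),
    Rule("internet", frozenset({"GET"}), frozenset({"staff", "guest"}),
         min_zone=ZONE_UNKNOWN),
]


def demo():
    """Decisions for a few constructed sessions, keyed by a short name."""
    hr = frozenset({"staff", "hr"})
    cases = [
        ("hr_desk", Session("alice", hr, "office", "certificate", ZONE_MANAGED, time(10, 0))),
        ("hr_cafe", Session("alice", hr, "cafeteria", "certificate", ZONE_MANAGED, time(10, 0))),
        ("hr_late", Session("alice", hr, "office", "certificate", ZONE_MANAGED, time(22, 0))),
        ("home_pc", Session("bob", frozenset({"staff"}), "remote", "password",
                            ZONE_NONCOMPLIANT, time(15, 0))),
        ("guest", Session("visitor", frozenset({"guest"}), "lobby", "password",
                          ZONE_UNKNOWN, time(9, 0))),
    ]
    return {name: decide(POLICY, s) for name, s in cases}


if __name__ == "__main__":
    for name, (allowed, remediation) in demo().items():
        print(name, "REMEDIATE" if remediation else "", allowed)
```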

CONCLUSION

Defense in depth is a process, not a product. It's a proactive approach to thinking about security from the inside out. Certain architectural approaches, such as centralized security overlays, lend themselves well to solving today's interior security problems. Security continues to be an ongoing process, and constant vigilance and user awareness play equally important roles in building the best security posture for enterprise networks.