Defense in Depth (computing)
From Wikipedia, the free encyclopedia
Defense in depth is an information assurance (IA) strategy in which multiple layers of defense are placed throughout an information technology (IT) system; it addresses personnel, technology and operations for the duration of the system's lifecycle.
Objectives
Defense in depth is originally a military strategy that seeks to delay rather than prevent the advance of an attacker, buying time by yielding space. The placement of protection mechanisms, procedures and policies is intended to increase the dependability and assurance of an IT system: multiple layers of defense prevent direct attacks against critical systems and prevent espionage. In terms of computer network defense (CND), defense in depth measures should not only prevent security breaches but also buy an organization time to detect and respond to an attack, thereby reducing and mitigating the breach's impact.
The IA Task Force uses the following framework to create a common terminology and partition IA technology in a user environment:
- Computing Environment
- Enclave Boundary
- Networking Infrastructure
- Supporting Infrastructure
User environment
Life was simple before World War II. After that, we had systems.
The first significant network available was the Public Switched Telephone Network (PSTN), which offered Plain Old Telephone Service (POTS), the standard analog telephone service that remains the basic form of residential and small-business telephone service nearly everywhere in the world. The telephone system has been available since the late 19th century and, from the ordinary user's point of view, has remained largely unchanged since then, despite the introduction of electronic telephone exchanges into the PSTN from the middle of the 20th century. The PSTN is the network of the world's public circuit-switched telephone networks, in much the same way that the Internet is the network of the world's public IP-based packet-switched networks. Originally a network of fixed-line analog telephone systems, the PSTN is now almost entirely digital and includes mobile as well as fixed telephones.
The PSTN also used the circuit network itself to set up telephone calls with DTMF, an in-band signalling method that provided no layer of defense against early telephone-system exploitation, now known as phreaking. In modern usage the layer that performs call setup and telephone-call routing is called the control plane, and it is now carried out-of-band (OOB) using signalling protocols such as SS7. The other layers, or planes, are the data plane and the management plane.
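The contrast between in-band and out-of-band signalling described above can be made concrete with a small model. The following is an added example, not code from the article: it abstracts a telephone-style link into a data plane (what the subscriber sends) and a control plane (call setup and routing commands). With in-band signalling the switch parses control commands out of the same stream as the data, so data that merely looks like a command is acted on; with out-of-band signalling commands are accepted only on a dedicated control channel, so data-plane content is never interpreted as control. The `#CTL:` marker, the `ROUTE` command and the class names are all constructed for this example.

```python
"""Toy model of in-band versus out-of-band (OOB) control signalling.

Added example, not from the article. The marker string, the commands and
the class names are constructed; they stand in for signalling tones and
call-setup messages in the abstract.
"""
from dataclasses import dataclass, field
from typing import List, Optional

CONTROL_PREFIX = "#CTL:"  # constructed marker standing in for signalling tones


@dataclass
class Switch:
    """A minimal switch that keeps a routing decision and an event log."""
    out_of_band: bool
    log: List[str] = field(default_factory=list)
    routed_to: Optional[str] = None

    def _apply_control(self, command: str, origin: str) -> None:
        self.log.append(f"control from {origin}: {command}")
        if command.startswith("ROUTE "):
            self.routed_to = command.split(" ", 1)[1]

    def receive_data(self, payload: str, origin: str = "subscriber") -> None:
        """Data-plane input. In the in-band design any line carrying the
        control marker is handed to the control logic, whoever sent it."""
        if not self.out_of_band:
            for line in payload.split("\n"):
                if line.startswith(CONTROL_PREFIX):
                    self._apply_control(line[len(CONTROL_PREFIX):], origin)
        self.log.append(f"data from {origin}: {len(payload)} bytes")

    def receive_control(self, command: str, origin: str = "signalling-network") -> None:
        """Control-plane input on its own channel; only signalling peers
        are connected to it, never subscribers."""
        self._apply_control(command, origin)


def simulate(out_of_band: bool) -> dict:
    """Set up one call legitimately, then deliver subscriber data that
    happens to contain the control marker, and report what the switch did."""
    sw = Switch(out_of_band=out_of_band)
    sw.receive_control("ROUTE trunk-7")
    # Constructed subscriber payload; the second line mimics a command.
    sw.receive_data("hello\n" + CONTROL_PREFIX + "ROUTE trunk-99\nmore data")
    return {
        "routed_to": sw.routed_to,
        "control_origins": [e.split(":")[0].replace("control from ", "")
                            for e in sw.log if e.startswith("control from")],
    }


if __name__ == "__main__":
    for oob in (False, True):
        print("out-of-band" if oob else "in-band", simulate(oob))
```

Running it shows the in-band switch re-routing the call on the strength of subscriber data, with a control event whose origin is the subscriber, while the out-of-band switch keeps the legitimately configured route and records control events only from the signalling network. Separating the planes is what gives the control logic a trustworthy notion of where a command came from.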
As U.S. Government networks, including research facilities, laboratories and academic campuses, began to be interconnected by wide area networks, these systems presented computing environments that at times did not implement security measures such as protecting access to the management plane, also known as the console.
Additional concepts are the perimeter and its protection (the firewall), intrusion detection, and auditing.
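The objectives section says that layered defenses should buy time to detect and respond, and the paragraph above names the perimeter, firewall, intrusion detection and auditing as the concepts involved. The following added example, which is not code from the article, puts the two together: each layer, from the perimeter inward, enforces its own rule and records an audit event, a request is allowed only if every layer allows it, and a detection rule then uses the layering for the defender. Because the perimeter is supposed to stop internet-sourced traffic, an inner layer's audit event for such traffic means the perimeter has failed, and that is the early warning that buys response time. The layer names, request fields and sample requests are constructed for the example.

```python
"""Layered access checks with an audit trail, as a model of defense in depth.

Added example, not from the article. Layer names, request fields and the
sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    src_net: str   # originating network: "internet" or "corp-lan" (constructed)
    user: str      # authenticated principal, "" when unauthenticated
    role: str      # role of the session
    action: str    # operation on the protected service


Layer = Tuple[str, Callable[[Request], bool]]


def healthy_layers() -> List[Layer]:
    """Outermost first. Each predicate stands alone; none assumes an outer layer worked."""
    return [
        ("perimeter-firewall", lambda r: r.src_net != "internet"),
        ("enclave-auth", lambda r: r.user != ""),
        ("host-authz", lambda r: r.role == "admin" or r.action == "read"),
    ]


def evaluate(req: Request, layers: List[Layer]) -> Tuple[bool, List[Dict]]:
    """Pass the request through the layers in order, stopping at the first deny.
    Every layer that sees the request writes an audit event."""
    trail: List[Dict] = []
    for name, check in layers:
        ok = check(req)
        trail.append({"layer": name, "src_net": req.src_net, "user": req.user, "allowed": ok})
        if not ok:
            return False, trail
    return True, trail


def detect_perimeter_failure(trail: List[Dict]) -> List[str]:
    """Inner layers that recorded internet-sourced traffic, which the perimeter should have dropped."""
    return [e["layer"] for e in trail
            if e["src_net"] == "internet" and e["layer"] != "perimeter-firewall"]


def scenario(perimeter_broken: bool) -> Dict:
    """Send one unauthenticated internet request through healthy layers, or through
    layers whose firewall has been misconfigured to allow everything."""
    layers = healthy_layers()
    if perimeter_broken:
        layers[0] = ("perimeter-firewall", lambda r: True)  # constructed misconfiguration
    req = Request(src_net="internet", user="", role="guest", action="write")
    allowed, trail = evaluate(req, layers)
    return {"allowed": allowed,
            "layers_hit": [e["layer"] for e in trail],
            "alerts": detect_perimeter_failure(trail)}


if __name__ == "__main__":
    print("healthy:", scenario(False))
    print("broken perimeter:", scenario(True))
    print("internal admin:", evaluate(Request("corp-lan", "alice", "admin", "write"), healthy_layers())[0])
```

In the broken-perimeter scenario the request is still denied, by the authentication layer, which is the point of independent layers; and the audit trail now contains an internet-sourced event at an inner layer, which the detection rule turns into an alert about the perimeter. The same rule generalizes to any pair of layers: a request that an inner layer should never have seen is evidence about the outer layer, not just about the request.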
Adversaries
So it is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle. (Sun Tzu, The Art of War)
Human threats
- Hackers/crackers (script kiddies)
- Black hats (IT criminals)
- Terrorists
- Corporate/Industrial Espionage
- Insiders
Motivation
Classes of attack
- Passive
- Active
- Close-In
- Insider
- Distribution
Elements
Personnel
"People -- hire good people, train and reward them well"
Technology
"Technology -- test, evaluate, & assess."
Operations
"Operations -- maintain vigilance, respond quickly to intrusions and be prepared to restore critical services."