Five Layers of Defense
A perimeter network design protects your resources.
by Danielle Ruest and Nelson Ruest

Posted March 26, 2004

For This Solution: Windows Server 2003, Internet Security and Acceleration Server 2000, Internet Security and Acceleration Server Feature Pack 1, Internet Security and Acceleration Server 2004 (Beta), Internet Information Services 6.0

Despite the recurrence of e-mail attachment–based virus attacks, users continue to infect internal networks. For example, even though news outlets everywhere covered Mydoom with almost as much interest as Janet Jackson's costume malfunction, 400,000 hapless users still clicked on the Mydoom attachment, according to Symantec, turning their systems into the zombies that brought down The SCO Group's Web site.

Nagging users doesn't seem to work; one person's slip of vigilance is all it takes to do the damage. You need a gatekeeper that filters out malicious code before it ever reaches a user, and that is where the perimeter network comes into play. This network, often called the demilitarized zone (DMZ), is designed to protect your internal resources from attacks stemming from the outside world. That's not to say attacks only originate from outside: infection can also come from inside your network, and five years ago internal attacks were the most common form. This is changing, though. Today more and more attacks originate from outside your network, which is why perimeter security is so important. Your perimeter network is your first line of defense against the outside world. It must be configured properly and designed to provide a series of different security services, as well as information and perhaps e-commerce features.

A complete defense system needs to address all aspects of internal and external networks. That's why it's best to use a defense-in-depth strategy such as the Castle Defense System (CDS), which gives IT security a layered structure (see Figure 1). The CDS is based on five layers, stemming from the core of your network, your data, out to the extremes, your connections with the outside world. The advantage of the CDS is that it is modeled on the fortifications used in medieval times. Because the image is familiar, it lets people visualize how a layered IT defense system should work. Layer five, for example, is analogous to a castle's moat: it covers the perimeter network and every entry point into the internal network, including virtual private network (VPN) and Routing and Remote Access (RRAS) connections. Also, because layer five deals with the external world and you can't control the configuration of the clients accessing your services, you might need to support multiple authentication methods, including Public Key Infrastructure certificates, one of the most universal methods for securing communications.

If you examine this layer in depth, you begin to realize that it requires quite a few different technologies to provide complete protection. The selection of these technologies and systems depends on the services you intend to provide through your perimeter network. First, you need an external connection, because most organizations need to send and receive e-mail as well as browse the Internet. This means implementing technologies, such as a firewall, that protect your network from unauthorized entry. And because you will be receiving data from the Internet in the form of e-mail messages and Web page connections, you'll also need a content filtering system as well as virus protection. If you are very conscious of the data you are protecting, you might want to add an intrusion detection system.
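To make the filtering requirement concrete, here is an added example in Python (not code from the article, and not ISA Server's own filter) of a perimeter mail-gateway check: it refuses messages that carry attachments Windows would execute on a double-click, looks inside .zip archives for the same thing, and flags a Windows executable whose name claims it is something harmless. The extension list and the sample messages are assumed and constructed here; a real gateway pairs such a policy with an antivirus engine.

```python
"""Perimeter mail filter: quarantine messages carrying executable attachments.

Added example (not from the article). The blocked-extension policy is an
assumption; real gateways combine it with antivirus scanning.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows executes on a double-click; blocked outright (assumed list).
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js", ".hta", ".cpl",
}
# Containers we open so a worm cannot hide a .exe inside an archive.
ARCHIVE_EXTENSIONS = (".zip",)


def is_blocked_name(filename: str) -> bool:
    """True if the name ends in a blocked extension (case-insensitive).
    Only the final extension counts, so 'report.txt.exe' is caught."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def blocked_inside_zip(data: bytes) -> list[str]:
    """Names of blocked members in a zip payload; [] if clean or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_blocked_name(n)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes) -> list[str]:
    """Return the reasons to quarantine a raw RFC 822 message; [] means deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_blocked_name(filename):
            reasons.append(f"blocked attachment: {filename}")
        elif filename.lower().endswith(ARCHIVE_EXTENSIONS):
            for member in blocked_inside_zip(payload):
                reasons.append(f"blocked file {member} inside {filename}")
        # "MZ" is the Windows PE header: executable content whatever the name says.
        if payload[:2] == b"MZ" and not is_blocked_name(filename):
            reasons.append(f"executable content disguised as {filename}")
    return reasons


def build_sample(attachment_name: str, data: bytes) -> bytes:
    """Construct a test message (constructed sample data, not a real worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "test"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def zip_with(name: str, data: bytes) -> bytes:
    """Constructed zip archive containing one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.pdf", b"%PDF-1.4 ..."),
        ("document.txt.exe", b"MZ\x90\x00"),
        ("archive.zip", zip_with("readme.scr", b"MZ\x90\x00")),
        ("photo.jpg", b"MZ\x90\x00"),
    ]
    for name, data in samples:
        print(name, "->", scan_message(build_sample(name, data)) or "deliver")
```

The content check on the first two bytes is what distinguishes a filter from a naming convention: renaming a worm to .jpg defeats an extension list but not a check on what the bytes actually are.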

Second, you will probably want to have an Internet presence. This means publishing information to the Internet. Here the best type of protection is the reverse proxy, a tool designed to publish Web information securely by impersonating the Web server. Users think they are working directly on the Web server when in fact they are talking to the reverse proxy, which is the only host that connects to the real server (for more information on this subject, see "Locking Down MCMS" in this issue). Third, you might want to support e-commerce. In this case, you'll need authentication systems that are platform independent, because you can't control the type of client visitors will use.
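The reverse proxy's job, as an added example in Python (not the article's ISA Server configuration, and not its code): the proxy is the only host the Internet reaches, it forwards only the methods and paths you have chosen to publish, it rewrites the Host header so the internal server answers for the public name, and it strips response headers that would reveal what sits behind it. The origin address, the public name and the published paths are assumed values.

```python
"""Reverse proxy that impersonates a published Web server.

Added example, not from the article. ORIGIN_HOST, PUBLIC_NAME and the
allowlist are assumed values. Clients only ever reach this host; it forwards
a chosen subset of requests to the internal server and removes anything in
the reply that would identify that server.
"""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import unquote, urlsplit

ORIGIN_HOST, ORIGIN_PORT = "10.0.5.20", 80      # internal Web server (assumed)
PUBLIC_NAME = "www.example.com"                  # name the Internet connects to
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_PREFIXES = ("/products/", "/news/")      # the only paths we publish

HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade", "content-length"}
REVEALING = {"server", "x-powered-by", "x-aspnet-version", "via"}


def check_request(method, raw_path):
    """None if the request may be forwarded, else (status, reason).
    Runs before the origin sees anything: unpublished methods and paths and
    traversal attempts (including percent-encoded ones) are refused here."""
    if method not in ALLOWED_METHODS:
        return 405, "method not published"
    path = unquote(urlsplit(raw_path).path)
    if any(seg in ("..", ".") for seg in path.split("/")) or "\\" in path or "\x00" in path:
        return 400, "malformed path"
    if path != "/" and not path.startswith(ALLOWED_PREFIXES):
        return 404, "not published"
    return None


def outbound_headers(client_headers, client_ip):
    """Headers sent to the origin: hop-by-hop headers dropped, Host set to the
    public name so the origin builds links for it, real client IP passed on."""
    out = {k: v for k, v in client_headers.items() if k.lower() not in HOP_BY_HOP}
    out["Host"] = PUBLIC_NAME
    out["X-Forwarded-For"] = client_ip
    return out


def inbound_headers(origin_headers):
    """Headers sent back to the client: product banners removed and internal
    addresses in redirects rewritten, so the client learns nothing about the origin."""
    out = {}
    for name, value in origin_headers:
        key = name.lower()
        if key in HOP_BY_HOP or key in REVEALING:
            continue
        if key == "location":
            value = value.replace(f"{ORIGIN_HOST}:{ORIGIN_PORT}", PUBLIC_NAME)
            value = value.replace(ORIGIN_HOST, PUBLIC_NAME)
        out[name] = value
    return out


class Proxy(BaseHTTPRequestHandler):
    server_version, sys_version = "web", ""      # generic Server: banner

    def _forward(self):
        denied = check_request(self.command, self.path)
        if denied:
            self.send_error(*denied)
            return
        conn = http.client.HTTPConnection(ORIGIN_HOST, ORIGIN_PORT, timeout=10)
        try:
            conn.request(self.command, self.path,
                         headers=outbound_headers(self.headers, self.client_address[0]))
            resp = conn.getresponse()
            body = resp.read()
        except OSError:
            self.send_error(502, "origin unavailable")
            return
        finally:
            conn.close()
        self.send_response(resp.status)
        for name, value in inbound_headers(resp.getheaders()).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_HEAD = do_POST = _forward   # POST still reaches check_request and is refused


if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 8080), Proxy).serve_forever()
```

Two design points matter here. The allow decision is made before a connection to the origin is opened, so an unpublished path never generates traffic on the internal network. And the rewriting is done in both directions: the Host header going in makes the origin behave as if it were the public site, and the Location and banner scrubbing coming out keeps its real name and product version from leaking.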
