Issuu on Google+

A Case for Multi-tiered Security WHITE PAPER

Introduction Perimeter network defense alone is insufficient to combat the full range of enterprise security threats. A defense-in-depth approach focused on protecting the confidentiality and integrity of data, while providing authenticated access to computing resources, is necessary to mitigate today’s risks. Paradigm shifts, such as cloud computing, software-as-a-service, and remote data warehousing, add significant challenges, as does the proliferation of sophisticated botnets and small, inexpensive, high-capacity portable storage devices. This paper outlines a balanced approach to enterprise security—defending the perimeter while protecting interior services and critical data.

The Advancing Threat Environment

te rn a


Ex plo

g utin



y Ex ploit


es s


i rv Se


I ms

ra st ru ctu re

Loss of Confidence/ Reputation

ce s

Increased Operating Costs

Compliance Violation/ Liability

ec hn o

ppl ica tio

Mission/ Business Disruption


Data Loss/ Compromise

a In Motion Dat

User A

E xp



External Origi

Unk no wn Te In



c ro /P

A Case for Multi-tiered Security White Paper


Data At Res t

ial S oc

According to Gartner’s 2008 report on IT Security Threats1, cyber threats continue to evolve and are driven by technology changes, as well as increased user trust


x yE

y log no ch igin

According to Gartner’s 2008 report on IT Security Threats1, cyber threats continue to evolve and are driven by technology changes, as well as increased user trust and/or complacency.

For the purpose of illustration, we have used very coarse groupings; however, further decomposition of threats, vectors, and targets would reveal even more threads of potential vulnerability. This property, in which an attacker may exploit multiple targets through multiple vectors in an attempt to produce a given impact, reinforces the need for defense-in-depth to protect critical assets.

Know nT ec hn n ol o

Business or mission impacts result when threats exploit vulnerabilities through an access vector to affect targets, as shown in Figure 1. The relationship between these attack Threat components is many-to-many, with a large Vector number of combinations yielding a vast set Target of threads against which the enterprise Impact must be protected.

c hi orp m y l Po


Figure 1. Attackers use a range of exploits through multiple access vectors to impact targets and damage the enterprise


and/or complacency. Motivated by financial gain, attacks are becoming more focused and sophisticated as targets have shifted from vulnerable PCs to websites and user data. Highly ranked vulnerabilities on the common vulnerability scoring system continue to soar, more than tripling from 2007 to 2008. Web and social networking sites are compromised with malware payloads, while spear phishing techniques are used to deploy botnets over email. Data from Microsoft Corporation’s Malicious Software Removal Tool indicates that, since late 2006, the fastest-growing category of malware is botnet clients. Serious incidents involving data compromise and loss, both deliberate and accidental, are also on the rise. Portable storage, especially universal serial bus (USB) devices, enables uncontrolled movement and modification of large volumes of data, resulting in information theft and loss. Additionally, these storage devices provide another convenient means to bypass network-based security and inject malware into the enterprise that can spread quickly to wired and wireless technologies.

Serious incidents involving data compromise and loss, both deliberate and accidental, are also on the rise. Portable storage, especially universal serial bus (USB) devices, enables uncontrolled movement and modification of large volumes of data, resulting in information theft and loss.

Figure 2 summarizes these challenges in the context of a typical enterprise. Threats exploit all vectors, including witting and unwitting insiders. They include poor physical security, lack of user security awareness, malicious downloads, weak authentication, limited or no security monitoring, unauthorized access to applications, and even the supply chain to infiltrate an enterprise. Once in, threats propagate, multiply, steal, disrupt, and, above all, attempt to avoid detection and remain persistent in the network.

Data In Motion

Data At Rest Virtual “Cloud� Computer

Enterprise Data At Rest

Data In Use


Public External

Business & Mission Data Repositories



Data In Motion Data In Motion

Data At Rest

Computing Systems/ Servers

Data In Use End User Systems

Users Communications Infrastructure

Data In Use

Portable Assets

Threats Data At Rest

Mobile Systems Data In Use Users

Figure 2. The enterprise is threatened from both internal and external sources targeting data, technology, and users.

Countermeasure Analysis Perimeter defense is a fundamental component of an enterprise defense-in-depth solution. Designed primarily to mitigate external threats, these approaches include network-based firewalls, intrusion detection, and intrusion prevention systems. The technology can be signature-based or attempt to detect traffic anomalies through statistical traffic and/or log analysis. Implementations range from basic header filtering to stateful deep packet inspection.

A Case for Multi-tiered Security White Paper


As shown in Figure 3, typical deployments of perimeter defenses first aggregate external connections through common gateways to limit the number of protection points. Public/ External Network(s)

Perimeter Defense System(s) Enterprise C


Border Gateway

Enterprise B Enterprise A

Real-time Inspection Signatures


Thresholds Policy/ Rules


Systems & Resources Users

Figure 3. Perimeter defense systems focus on keeping external threats from penetrating the enterprise

Protection is then applied at the aggregate, high-speed demarcation point into the public or transport network. While this is a prudent approach to reducing risk, its effectiveness is dependent upon a defined and functioning set of security policies governing the entire network using the external connection. If the external connection is servicing multiple networks with differing policies (for example, acceptable user applications), establishing the real-time rules and statistics needed by the perimeter defense technology will be problematic.

The traditional perimetercentric security philosophy assumes that perimeter defenses “keep the bad guys out” and ensure that sensitive data is only accessed by trusted users within the enterprise.

Complicating matters, today’s applications (and malware) use tunnels, masquerading, spoofing, and encryption to bypass network-based controls and hide in normal traffic. The larger and more heterogeneous the enterprise becomes, the higher the “noise floor” becomes, making it more difficult to distinguish normal behavior from threat behavior, and to identify covert channels. Cloud-computing services, such as those offered via Google and Amazon, store and process data on virtual machines located beyond the client’s enterprise. This growing trend, promising increased reliability, availability, and lower cost, has been hailed as the next big step in computing. However, from a security perspective, it reduces the applicability perimeter defense as it blurs the line defining the “perimeter.” In this paradigm, any assumption of privacy or confidentiality is naive and users are advised to adopt technologies such as encryption, identity management, and controlled access. The traditional perimeter-centric security philosophy assumes that perimeter defenses “keep the bad guys out” and ensure that sensitive data is only accessed by trusted users within the enterprise. While the perimeter provides one layer of protection, as depicted in Figure 4, sensitive data continues to escape the enterprise at an increasing frequency. As described on the National Institute of Standards and Technology’s (NIST’s) National Cyber Security Fact Sheet2: “Many of today’s tools and mechanisms for protecting against cyber attacks were designed with yesterday’s technology in mind. Information systems have evolved from room-size computer workstations shut off from the rest of the world to ubiquitous mobile devices interconnected by a global Internet. In this diverse ecology of communication devices, no cyber security solution works on all operating systems and can protect every type of computer and network component.” In fact, today’s enterprise networks include so many teleworkers, branch offices, network capable smartphones, and removable media platforms that traditional security solutions designed to protect network systems are no longer adequately protecting the data. In addition, a perimeter-based approach does not address insider threats or the real-world problem in which a breach of the perimeter defense provides unauthorized parties free access to the data.

A Case for Multi-tiered Security White Paper



Sensitive Data wa Fire

ll ,







De t ks ection








ion ti-V irus, Intrus

c Lo ctu , s res, Barrier

Figure 4. Sensitive data is escaping despite state-of-the-art perimeter defenses

Additional security layers are needed to protect the enterprise from unauthorized connections within the network. This includes security technologies such as user authentication, device authentication, network access control, and comprehensive wireless security. It is imperative to also protect the data itself using strong encryption and key management technologies to prevent inadvertent loss, intentional theft, or malicious injection of data. To highlight the benefits of a multi-tier security approach, consider the following scenario. An attacker, or unwitting user, introduces self-propagating malware (i.e., worm) from a USB portable storage device directly into the enterprise network via a host USB port. The worm contains a bot client designed to search for data of interest and exfiltrate the data slowly over time using various covert channels. In this scenario, unless this botnet is well-known and has been analyzed, perimeter defenses are highly unlikely to detect its first communications with the bot-herder or master. It is likely that the bot will operate for some time before detection, especially if it is polymorphic – changing its signature regularly – or if the duration between communication to the bot-herder is spaced in an undetectable pattern. Upon suspicion of a compromise, perimeter defenses would be focused and fine-tuned in an attempt to detect and disrupt the covert channel. However, by the time perimeter defenses are successful, considerable data will likely have been compromised. Three principal countermeasures should be applied to protect against this scenario. 1. Technical enforcement of policy governing controlled use of all external interfaces on host computers. Since this scenario involves deliberate misuse, administrative controls and physical security are not sufficient, and interfaces need to be either disconnected or logically controlled by software. 2. Data at rest should be encrypted. This would not prevent the exfiltration, but it would prevent compromise as the data would not be exposed. 3. Critical data and access to resources should be protected using multi-factor authentication. This would limit access to the data and resources that the worm could access, even if it is capable of capturing user names and passwords.

A Case for Multi-tiered Security White Paper


Figure 5 illustrates these concepts, as well as several other prudent measures. Perimeter defenses are used to protect the enterprise gateway. Within the enterprise, perimeter defense technologies are applied to protect high-value resources—forming protective enclaves. Data at rest and in motion is encrypted, both in the enterprise and “in the cloud.” Mobile systems boot to encrypted hard drives and use encrypted communications to connect to the enterprise. Tokens are used to augment user name and password credentials, communication and processing devices such as routers and servers are hardened, and end-user systems and portable assets are placed under tight configuration control with current antivirus and endpoint protection software.

Data In Motion


Data At Rest Data At Rest

Virtual “Cloud” Computer Data In Use

Business & Mission Data Repositories

Computing Systems/ Servers

Protected Enclave

Public/ External Network(s)

Protected Enclave

Perimeter Defense System(s)

Data In Use End User Systems

Config Ctrl

Data In Motion Data In Motion

Data At Rest

Data In Use

Communications Infrastructure

Users Portable Assets

Auth Token

Data At Rest

Mobile Systems Data In Use

Auth Token Users

Figure 5. A multi-tiered security approach protects enterprise data and resources within and beyond the perimeter

Conclusion As organizations focus considerable resources on deployment of advanced perimeter defenses, care should be taken to avoid relying too heavily on this single approach. Increasingly sophisticated and focused attacks, the insider threat, and uncontrolled user behavior, as well as changes in Internet services and computing architectures themselves, pose challenges that cannot be addressed at the perimeter alone. Effective enterprise security applies a defense-in-depth approach—implementing security policies, system monitoring, incident response, and user awareness training alongside diversified technical solutions combining perimeter defense with data and resource protection. SAIC - Cyber PMO +1 (703) 676-8381 SafeNet Federal office + (703) 647 8400

Contact Us: For all office locations and contact information, please visit Follow Us: ©2011 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-03.02.11

A Case for Multi-tiered Security White Paper


A Case for Multi-tiered Security_WP_(EN)_web