Monday, August 16, 2004

More DiD

There's been recent discussion about how defense-in-depth isn't
working. The new in-vogue approach is local protection. I firmly
believe that this will not produce the fruit the proponents want. For
proof, go search Google for what the Witty worm did.

The problem with defense-in-depth was that most were too lazy to fully embrace the paradigm. Defense-in-depth was "embraced" only as far as perimeter protection (firewalls) with some internal support (virus scanner). They didn't bother with HIDS, local packet filters, tripwires, metrics monitoring, and periodic scans. Some even used minimal configurations on their perimeter firewalls.

InfoSec Writers has an article talking about the extra security that should be common sense but somehow isn't widespread. The short version is: you should be locking your perimeter filter down to the minimum required to operate.

An example is the web server in your DMZ. Your premises router should allow connections to TCP port 80 on your web server and UDP port 53 on your external DNS. Your host filter (local firewall, IPFW, IPTables, etc.) should have the same configuration (of course, your web server will also want to talk to the DNS server on UDP port 53).

You may want to add some sort of control channel, such as SSH (TCP port 22), but you want that type of traffic to come from one local (internal) IP address, not the Internet. Even better, move the control out-of-band: buy a console switch and use serial connections to all of your servers.
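As an added example (not part of the original post), here is what the host filter on that DMZ web server looks like when written out in modern iptables-restore syntax: default-deny on every chain, TCP port 80 open to the world, SSH open only from one internal admin address, and UDP port 53 allowed out to the DMZ DNS server so the web server can resolve names. The addresses (192.0.2.10 for the web server, 192.0.2.53 for the DNS server, 10.0.0.5 for the admin host) are constructed placeholders, and the script only applies the rules when explicitly asked with `--apply`; the router-side rules mentioned above are a separate device and are not shown here.

```shell
#!/bin/sh
# Added example of a minimal host filter for a DMZ web server. Not code from
# the original post. The three addresses below are constructed placeholders;
# override them through the environment for a real host.
WEB_IP="${WEB_IP:-192.0.2.10}"     # the web server's own DMZ address (constructed)
DNS_IP="${DNS_IP:-192.0.2.53}"     # the external DNS server in the DMZ (constructed)
ADMIN_IP="${ADMIN_IP:-10.0.0.5}"   # the one internal host allowed to SSH in (constructed)

# gen_rules: emit the ruleset in iptables-restore format. Nothing is applied
# here, so it can be reviewed or diffed before it touches the kernel.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to traffic we already accepted (covers DNS answers and SSH/HTTP responses)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only service exposed to the Internet: HTTP
-A INPUT -p tcp -d ${WEB_IP} --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# control channel: SSH, but only from the single internal admin host
-A INPUT -p tcp -s ${ADMIN_IP} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# the web server itself may resolve names against the DMZ DNS server
-A OUTPUT -p udp -d ${DNS_IP} --dport 53 -j ACCEPT
COMMIT
EOF
}

# new_inbound_rules: count the rules that open NEW inbound connections.
# For this host that number must stay at 2 (HTTP from anywhere, SSH from admin).
new_inbound_rules() {
  gen_rules | grep -c -- '^-A INPUT .*--ctstate NEW -j ACCEPT'
}

case "${1:-}" in
  --apply) gen_rules | iptables-restore ;;   # requires root and iptables
  *)       gen_rules ;;                      # default: just print the ruleset
esac
```

Running the script with no arguments prints the ruleset for review; `new_inbound_rules` is the kind of check worth keeping in a periodic scan, since any third inbound ACCEPT rule means the host filter has drifted from the "minimum required to operate" the post calls for.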