Archive for June, 2006

Defense In Depth

Friday, June 9th, 2006

It occurs to me that I can put some pointers here to things I’ve been working on that might be of interest.

I wrote a white paper on Defense in Depth that I think is pretty good.

Download and read it at your leisure: Six Strategies for Defense in Depth

Here’s the Executive Summary:

Defense in depth is not a buzzword. Network managers are watching their perimeter firewalls drop in importance as the enterprise network extends across the country and around the world. Remote access and site-to-site VPN, extranet partners, and wireless mobility all are conspiring to turn easily encapsulated and firewalled networks into complex entities that cannot be protected at the edge. Add in the requirement to protect yourself from your own LAN and WAN users and create internal zones of security, and defense in depth has become standard marching orders for IT.

Turning the network inside out—making the network itself secure—is the critical strategy for enterprise security architects. Defense in depth is not a product, like a perimeter firewall. Instead, it is a security architecture that calls for the network to be aware and self-protective. In this white paper, we present the six key strategies for adding defense in depth to enterprise networks. At a technical level, we discuss the problems that need to be solved, the challenges network managers face in addressing these problems, and solution strategies you can incorporate today.

Although not every network faces the same challenges, the six strategies in this white paper can serve as guideposts for any security professional looking to implement defense in depth in an enterprise LAN:

Strategy 1: Authenticate and authorize all network users
Strategy 2: Deploy VLANs for traffic separation and coarse-grained security
Strategy 3: Use stateful firewall technology at the port level for fine-grained security
Strategy 4: Place encryption throughout network to ensure privacy
Strategy 5: Detect threats to the integrity of the network and remediate them
Strategy 6: Include end-point security in policy-based enforcement