The other day a discussion came up on a security mailing list regarding the proper method for implementing “defense in depth.” I was horrified to hear that some thought having two layers of firewalls from different vendors achieves this goal, and I responded with the following statement, “Ah, the firewall sandwich: it gives me indigestion.”
I’ve been very clear in my assertion that firewalls aren’t enough protection; they’re only speed bumps in the path of an attacker. They should be considered one element of a holistic security strategy. The Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary, defines “defense in depth” as,
IA [information assurance] strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks. Synonymous with security-in-depth.
Organizations seem happy to throw lots of money at technology and operations, but when it comes to the people component, i.e. policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As a security engineer, if I don’t have clear policies as my set of requirements, how am I going to determine the appropriate network segmentation and protections to put in place? I’m not the data owner, I’m only the custodian.
It’s like an architect designing a house without knowing where it’s going to be built or how many people are going to live in it. Even the brilliant, eccentric Frank Lloyd Wright didn’t ignore the requirements. He may have built a house over a waterfall, but his design was still grounded in the existing landscape. In information security, data represents the digital landscape of a company. It has varying levels of value and should be segmented accordingly, with security controls applied and documented. An information classification matrix represents the foundation of any security design.
Consider some of the newer topologies which seek to flatten the network to optimize east-west traffic. What about the impact of the Software Defined Network (SDN), which decouples the logical from the physical? Data classification becomes even more critical when using SDN or IPv6 CALIPSO to create logical segmentation. We’re networking professionals, not psychics, so someone will need to tell us how the traffic is allowed to flow and when security controls will need to be applied.
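To make the argument concrete, here is an added example (not from the original post) of what a classification-driven design review looks like in code: a constructed classification matrix maps each network zone to the highest classification of data it holds, a constructed policy lists the controls required when traffic crosses upward into a level, and each proposed flow is checked against both. The zone names, levels, control names and flows are all assumptions made up for the illustration.

```python
"""Review a proposed segmentation design against a data classification matrix.

Constructed example. A flow from a lower-classified zone into a higher one must
carry every control the policy requires for the destination level; a control
placed on a flow that never crosses a classification boundary is reported as
having no justification in the policy (the "firewall sandwich" case).
"""
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed classification matrix: zone -> highest classification of data held there.
CLASSIFICATION_MATRIX = {
    "dmz-web": "public",
    "app-tier": "internal",
    "db-pii": "confidential",
    "hsm-net": "restricted",
}

# Constructed policy: controls required on any flow entering a zone of this level
# from a lower level. The data owner writes this; the engineer only applies it.
POLICY_CONTROLS = {
    "internal": {"stateful-firewall"},
    "confidential": {"stateful-firewall", "authenticated-proxy"},
    "restricted": {"stateful-firewall", "authenticated-proxy", "mutual-tls"},
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    controls: frozenset  # controls present on this flow in the proposed design

def review_flow(flow):
    """Return findings for one flow; an empty list means it matches the policy."""
    src_lvl = LEVELS[CLASSIFICATION_MATRIX[flow.src]]
    dst_lvl = LEVELS[CLASSIFICATION_MATRIX[flow.dst]]
    findings = []
    if dst_lvl > src_lvl:  # crossing upward: the policy dictates the controls
        missing = POLICY_CONTROLS[CLASSIFICATION_MATRIX[flow.dst]] - flow.controls
        if missing:
            findings.append(f"{flow.src}->{flow.dst}: missing required controls {sorted(missing)}")
    elif dst_lvl == src_lvl and flow.controls:  # same level: nothing in the policy asks for this
        findings.append(f"{flow.src}->{flow.dst}: controls {sorted(flow.controls)} have no classification justification")
    return findings

def review_design(flows):
    """Flatten the findings for a whole design, in flow order."""
    return [finding for flow in flows for finding in review_flow(flow)]

DESIGN = [  # constructed sample design, not a real network
    Flow("dmz-web", "app-tier", frozenset({"stateful-firewall"})),
    Flow("app-tier", "db-pii", frozenset({"stateful-firewall"})),  # proxy missing
    Flow("dmz-web", "dmz-web", frozenset({"stateful-firewall"})),  # firewall inside one zone
    Flow("app-tier", "hsm-net", frozenset({"stateful-firewall", "authenticated-proxy", "mutual-tls"})),
]

if __name__ == "__main__":
    for finding in review_design(DESIGN):
        print(finding)
```

Running it reports the db-pii flow that lacks the authenticated proxy and the intra-zone firewall that no policy line asks for, while the two flows that match the matrix produce no findings.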
So the next time you see someone flinging firewall stencils around in a network design, ask for the data classification policy. Because this isn’t supposed to be Cargo Cult Security and there should be a reason to have them there.