A primary Information Assurance (IA) objective is to protect enterprise or enclave resources through Defense in Depth (DiD). A DiD strategy combines the capabilities of people, operations, and security technologies to establish multiple layers of protection--analogous to protecting a home with multiple defenses. These defenses may include a strong lock at the front door, secured windows, an electronic home security system, bright lights on the outside, a neighborhood watch program, and a dog that barks at people who walk near the home. An intruder must circumvent these defenses in order to gain unauthorized entry to the home. With DiD, the objective is to implement defenses at multiple locations so that critical enclave resources are protected and can continue to operate in the event that one or more defenses are circumvented. Managers must strengthen their defenses at critical locations and be able to monitor attacks and react to them with a coherent response.
The first layer of defense is the protection of enclave entry or boundary points. Firewall and Intrusion Detection System (IDS) technologies are often employed as enclave boundary or security perimeter protection devices. (See "Cyberspace Detectives Employ Intrusion Detection Systems and Forensics".) Firewalls control network traffic that flows in and out of an enclave. IDS technologies monitor network traffic and can detect whether an enclave is under some specific, recognized attack. At a minimum, managers must apply a range of security perimeter defenses so that their resources are not exposed to external attacks. At the same time, they must employ remote access security technologies, such as challenge/response tokens and Virtual Private Networks (VPN), to ensure that enclave users at external locations can reach the internal enclave resources they are authorized to access.
Additional layers of defense need to be applied to internal enclave resources as well. Firewalls and IDS technologies can also be applied within an enclave to protect domains from other domains and to monitor critical resources. Infrastructure elements, such as Public Key Infrastructure (PKI) components, directory servers, mail servers, file servers, networking devices (e.g., routers), and network management, must be secured with proper configuration, administrative controls, and security mechanisms. Careful attention should be paid to securing infrastructure elements because they are the backbone of mission and business operations.
Desktop workstations and information servers must be protected using such security mechanisms as user identification and authentication, access controls, auditing, virus scanning, and encryption. A variety of security tools that check for well-known vulnerabilities and proper system configuration should be run on enclave resources on a periodic basis.
Technical security measures must be coupled with procedural and personnel security measures, as well as with an ongoing security awareness program. Enclaves must continually be on the watch for new threats and vulnerabilities, especially as they apply new technologies and continue to operate in a highly distributed environment. An ongoing DiD program will ensure that user access needs will continue to be met and that the enclave mission will continue to operate in the current risk environment. For more information, please contact Brian McKenney using the employee directory.