Defense in Depth – N10-008 CompTIA Network+ : 4.1

A layered defense provides the strongest security. In this video, you’ll learn about network segmentation, screened subnets, separation of duties, network access control, and honeypots.


When you’re dealing with information technology, there’s no single security technique that is guaranteed to keep out any type of attacker. Instead, you should implement a layering of techniques across a broad array of different technologies. For example, you might start with physical controls. You might want to have door locks, fences, rack locks, cameras, or anything else that would prevent somebody from gaining physical access to your systems.

Of course, we also have to protect against people coming in through the network, so we might include technical controls. These are hardware and software controls that work together to stop attackers on the network: firewalls, Active Directory or other forms of authentication, disk encryption, and anything else that protects your systems over the network. And of course, you need a set of policies and procedures that document how security is designed and implemented in your environment.

For example, you may have some formal policies and procedures set up as a security policy. There might be a set of procedures or documented steps you follow each time someone is brought on board, and each time someone leaves the organization and is off boarded. And you may want to think about the way that your media is handled, especially backup media and who might have access to it.

So as you’re layering on these different defenses, you can see that you’re addressing different types of security concerns with different technologies. For example, you might have a firewall to allow or disallow traffic across the network. You might implement a screened subnet, or what we used to call a DMZ, to allow access from the outside. You could be using hashing and salting to protect the passwords you store on your systems.

There might be a formal authentication process or series of authentication processes that would involve many different authentication factors. To be able to block known vulnerabilities and known types of attacks on the network, you might want to implement an intrusion prevention system, or IPS. You might want to implement VPN, or Virtual Private Networking, for people that need to access internal resources when they’re outside of the building.

To gain access to the building, you might want to have some type of card or ID badge that’s used to gain access into the facility. Most organizations have some type of antivirus or anti-malware software running on every single device in the organization, and out front you might have a security guard to provide an extra level of physical security. Notice that all of these different security techniques provide a different type of security, and you wouldn’t replace one of these with another.

Instead, you would have all of these working together to create defense in depth. In a previous video, we talked about different ways to provide security with your network connectivity. Take an example where you might be an organization that provides networking or resources to multiple customers. By implementing separate physical switches, anyone who’s on customer A’s switch can only communicate with customer A’s resources, and anyone on customer B’s switch can only communicate with customer B’s resources.

Because there is a physical disconnect between those two networks, there’s no way from one customer to gain access to another customer’s resources. Instead of having a physical segmentation, you may want to use a logical segmentation on a single switch using virtual local area networks, or VLANs. VLANs allow you to designate certain interfaces on the switch to belong to one particular VLAN, like the customer A VLAN and other interfaces on the switch would be dedicated to the customer B VLAN.

Even though they are on the same physical switch, you’ve now segmented these two networks logically within the switch, and anyone plugged into a customer A interface can only talk to customer A resources. There may be times when you have resources on your local network that you’d like to provide to the rest of the internet, but you don’t want the internet to have direct access to your internal network. Instead, you want to create a middle ground.

We used to refer to this as a DMZ, or demilitarized zone. Today, we refer to it as a screened subnet. Here’s an example of an internet connection with a firewall, and you can see the internal network with all of your internal resources is located on a protected subnet. We would create a separate screened subnet that contains all of the resources that people on the internet might need access to, and we would configure our firewall rules to allow access from the internet to the screened subnet but prevent any access from the internet to our internal network.
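The rule set described above, as an added example that is not taken from the video: a small first-match policy evaluator in Python using constructed addressing (203.0.113.0/24 for the screened subnet, 10.0.0.0/8 for the internal network, anything else treated as the internet) and hypothetical services of this example’s own. It also encodes the check a practitioner adds on top of the video’s two rules: the screened subnet itself gets only the narrow access into the internal network that its servers need, so a compromised public server cannot pivot inward, and any flow not listed is denied by default.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example (not from the video).
ZONES = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "screened": [ipaddress.ip_network("203.0.113.0/24")],
    "internet": [ipaddress.ip_network("0.0.0.0/0")],  # catch-all, must be checked last
}
ZONE_ORDER = ["internal", "screened", "internet"]


def zone_of(addr: str) -> str:
    """Classify an address into the most specific zone that contains it."""
    ip = ipaddress.ip_address(addr)
    for name in ZONE_ORDER:
        if any(ip in net for net in ZONES[name]):
            return name
    raise ValueError(f"no zone for {addr}")


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"
    note: str = ""


# Evaluated top to bottom, first match wins; anything unmatched is denied.
# The services named here are hypothetical.
POLICY = [
    Rule("internet", "screened", "tcp", 443, "allow", "public web server"),
    Rule("internet", "screened", "tcp", 25, "allow", "inbound mail relay"),
    Rule("internet", "internal", "any", None, "deny", "internet never reaches the internal network"),
    Rule("screened", "internal", "tcp", 5432, "allow", "web tier to its database, nothing else"),
    Rule("screened", "internal", "any", None, "deny", "a compromised DMZ host must not pivot inward"),
    Rule("internal", "screened", "any", None, "allow", "staff manage and use the DMZ hosts"),
    Rule("internal", "internet", "any", None, "allow", "outbound access"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow crossing the firewall."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"  # same-zone traffic never transits the firewall
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"  # default deny: an unlisted flow is blocked, not allowed


if __name__ == "__main__":
    samples = [
        ("198.51.100.7", "203.0.113.10", "tcp", 443),  # internet -> DMZ web
        ("198.51.100.7", "203.0.113.10", "tcp", 22),   # internet -> DMZ ssh
        ("198.51.100.7", "10.1.2.3", "tcp", 443),      # internet -> internal
        ("203.0.113.10", "10.1.2.3", "tcp", 5432),     # DMZ -> internal db
        ("203.0.113.10", "10.1.2.3", "tcp", 445),      # DMZ -> internal smb
    ]
    for flow in samples:
        print(*flow, "->", evaluate(*flow))
```

The order of the two screened-to-internal rules matters: the narrow allow must sit above the broad deny, which is exactly the kind of mistake a quick run of the evaluator will catch.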

Another way to create a layer of defense is to limit what people might know or limit what a single individual might be able to do. For example, you might want to implement split knowledge on your network, where no single person knows all of the details required to complete a job.

You would have multiple people involved, and each person would have their own knowledge of what needs to be done. For example, one person might have half of a safe combination, and the other person might have the other half of the safe combination, and neither person happens to know the complete combination. This split knowledge could be implemented with dual control.

This means that both of those people would need to be present at the same time to be able to complete that particular function. For example, you might have two keys that would open a safe, and both of those keys have to turn at exactly the same time. If you’ve ever been at work and logged into a wireless network, then you’ve noticed that you’ve used your own username and password that’s unique to you.
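Split knowledge in code, as an added example that is not from the video: the two halves of a safe combination generalize to n-of-n XOR secret splitting, where every holder’s share is random on its own and the secret appears only when all shares are combined at once. The function names and the sample combination are this example’s own.

```python
import os
from functools import reduce
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, holders: int) -> List[bytes]:
    """Split `secret` into `holders` shares that XOR back to the secret.

    All shares but the last are uniformly random; the last is chosen so the
    XOR of every share equals the secret. Any set of fewer than all shares is
    itself uniformly random, so no holder (or coalition short of everyone)
    learns anything about the secret. This is the n-of-n form of handing two
    people half a combination each.
    """
    if holders < 2:
        raise ValueError("split knowledge needs at least two holders")
    shares = [os.urandom(len(secret)) for _ in range(holders - 1)]
    shares.append(reduce(xor_bytes, shares, secret))
    return shares


def combine_shares(shares: List[bytes], holders: int) -> bytes:
    """Dual control: refuse unless every holder's share is presented together."""
    if len(shares) != holders:
        raise PermissionError(f"{holders} shares required, {len(shares)} presented")
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares must all be the same length")
    return reduce(xor_bytes, shares)


if __name__ == "__main__":
    combination = b"23-11-07"  # constructed sample secret
    a, b = split_secret(combination, 2)
    print("holder A:", a.hex(), "holder B:", b.hex())
    print("together:", combine_shares([a, b], 2))
```

The XOR scheme needs every share; if you want any k of n holders to suffice (so a sick employee does not lock the safe), Shamir secret sharing is the usual replacement.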

In a corporate environment, we don’t tend to use shared passphrases because it’s very easy for someone else to gain access to that passphrase. Instead, we would implement port-based network access control, or NAC. You’ll often hear this referred to as IEEE 802.1X. When we refer to port-based network access control, we’re referring to the individual physical interfaces on a switch, not a TCP or UDP port.

This is a method that prevents anyone from communicating on the switch until they have provided the correct authentication. It’s common to see 802.1X implemented with EAP and RADIUS. EAP, the Extensible Authentication Protocol, carries the authentication exchange across the network, and RADIUS, or Remote Authentication Dial-In User Service, is the back-end authentication server that holds the database and checks the credentials.

We could also use different types of authentication protocols and different types of authentication databases. Instead of RADIUS, for example, we might use LDAP or Active Directory. Another security technique that’s often used in conjunction with 802.1X is for the administrator to administratively shut down any switch interfaces that are not in use. This prevents somebody from plugging directly into the switch and gaining access to the network.

And if you do any type of MAC address filtering on your network, you may want to check whether your switch can detect duplicate MAC addresses, so that someone can’t change their MAC address to one the switch already trusts. Here’s a broad description of how 802.1X works. There are usually three separate devices in this conversation. First, we have a supplicant.

This is usually the device that wants access to the network. Then there is an authenticator. This is usually the device the supplicant is authenticating to, typically the switch or access point, and the authenticator communicates on the back end with an authentication server. The process begins with the supplicant trying to communicate on the network, usually through the authenticator, and finding that there’s no access because 802.1X is in place.

The authenticator recognizes that a device would like to gain access to the network, and it sends an EAP-Request asking whether someone new would like access. The supplicant sends an EAP-Response saying, my name is James, and I would like to have access. The authenticator now needs to confirm that this user is in the authentication database, so it sends a message to the authentication server saying that James is here and would like access.

The authentication server sends a message back to the authenticator asking that user to authenticate. The authenticator passes that message on to the supplicant, and the supplicant provides its authentication credentials. Since the authenticator commonly doesn’t have an authentication database of its own, it passes that username, password, and any other login credentials to the authentication server.

If those login credentials are validated by the authentication server, a message is sent to the authenticator saying that this user can gain access to the network. At this point, the authenticator enables that interface and allows the supplicant to continue communicating on the network. If you want to enhance this defense in depth and do more than simply block an attacker, letting the attacker in so that you can monitor what they’re doing, you might implement a honeypot.
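The exchange described above, as an added example that is not from the video: a Python model of the three parties, with the switch port kept closed until the server returns Access-Accept and the full message sequence recorded as a transcript. The credential step is simplified to a password placeholder standing in for a real EAP method (a production deployment would run EAP-TLS or PEAP rather than send a password in the clear), and the user database, names and message kinds are this example’s own assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Msg:
    src: str
    dst: str
    kind: str                                   # e.g. "EAP-Request/Identity"
    payload: Dict[str, str] = field(default_factory=dict)


class Supplicant:
    """The device asking for network access."""
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def respond(self, req: Msg) -> Msg:
        if req.kind == "EAP-Request/Identity":
            return Msg("supplicant", "authenticator", "EAP-Response/Identity",
                       {"identity": self.identity})
        if req.kind == "EAP-Request/Credential":   # simplified stand-in for a real EAP method
            return Msg("supplicant", "authenticator", "EAP-Response/Credential",
                       {"password": self.password})
        raise ValueError(f"unexpected request {req.kind}")


class Authenticator:
    """The switch: relays EAP to the server and keeps the port closed until Access-Accept."""
    def __init__(self):
        self.port_state = "unauthorized"
        self.identity: Optional[str] = None

    def forward_frame(self, frame: bytes) -> bool:
        """Ordinary traffic on the port is dropped until authentication succeeds."""
        return self.port_state == "authorized"

    def on_eapol_start(self) -> Msg:
        return Msg("authenticator", "supplicant", "EAP-Request/Identity")

    def to_server(self, eap_resp: Msg) -> Msg:
        # The switch holds no user database: it wraps the EAP response in RADIUS,
        # remembering the identity so every Access-Request carries the user name.
        if eap_resp.kind == "EAP-Response/Identity":
            self.identity = eap_resp.payload["identity"]
        attrs = {"identity": self.identity or "", **eap_resp.payload}
        return Msg("authenticator", "auth-server", "RADIUS Access-Request", attrs)

    def to_supplicant(self, challenge: Msg) -> Msg:
        return Msg("authenticator", "supplicant", challenge.payload["eap"])

    def finish(self, verdict: Msg) -> Msg:
        if verdict.kind == "RADIUS Access-Accept":
            self.port_state = "authorized"      # only now does the interface pass traffic
            return Msg("authenticator", "supplicant", "EAP-Success")
        return Msg("authenticator", "supplicant", "EAP-Failure")


class AuthenticationServer:
    """RADIUS-style back end holding the (constructed) user database."""
    def __init__(self, users: Dict[str, str]):
        self.users = users

    def handle(self, req: Msg) -> Msg:
        if "password" not in req.payload:
            # Only an identity so far: challenge the supplicant to authenticate.
            return Msg("auth-server", "authenticator", "RADIUS Access-Challenge",
                       {"eap": "EAP-Request/Credential"})
        expected = self.users.get(req.payload.get("identity", ""))
        if expected is not None and hmac.compare_digest(
                expected.encode(), req.payload["password"].encode()):
            return Msg("auth-server", "authenticator", "RADIUS Access-Accept")
        return Msg("auth-server", "authenticator", "RADIUS Access-Reject")


def run_8021x(supplicant: Supplicant, authenticator: Authenticator,
              server: AuthenticationServer) -> Tuple[str, List[str]]:
    """Drive one authentication and return (port state, message transcript)."""
    transcript: List[str] = []

    def send(msg: Msg) -> Msg:
        transcript.append(f"{msg.src} -> {msg.dst}: {msg.kind}")
        return msg

    send(Msg("supplicant", "authenticator", "EAPOL-Start"))
    eap_resp = send(supplicant.respond(send(authenticator.on_eapol_start())))
    verdict = send(server.handle(send(authenticator.to_server(eap_resp))))
    while verdict.kind == "RADIUS Access-Challenge":
        eap_resp = send(supplicant.respond(send(authenticator.to_supplicant(verdict))))
        verdict = send(server.handle(send(authenticator.to_server(eap_resp))))
    send(authenticator.finish(verdict))
    return authenticator.port_state, transcript


if __name__ == "__main__":
    users = {"james": "correct horse battery staple"}   # constructed sample database
    switch = Authenticator()
    print("frame forwarded before auth:", switch.forward_frame(b"..."))
    state, log = run_8021x(Supplicant("james", users["james"]), switch, AuthenticationServer(users))
    print("\n".join(log), "\nport:", state, "frame forwarded:", switch.forward_frame(b"..."))
```

Running it with a wrong password ends in Access-Reject and EAP-Failure, and the port stays unauthorized; the frame check before and after shows that the switch itself never made a decision about the credential, it only acted on the server’s verdict.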

There are many different techniques used by these attackers to try to gain access to your network, and it would be interesting to see what types of techniques this particular attacker was trying to use. You’d usually implement one of these honeypots as a single device or multiple virtual devices that appear as legitimate and available systems on your network. The attackers would then connect to these virtual systems, try to circumvent the security on these systems, and you would be logging every single one of these attempts to gain more information about what these attackers are doing on your network.

There are many different options for setting up your own honeypot. You might want to use Kippo, Google Hack Honeypot, or many others to be able to monitor what the attackers are doing. This is a constant back-and-forth: you set up these fake systems, and attackers in turn try to recognize which systems are fake and which are real.

This is an ongoing battle to be able to create the best possible honeypot, but if you’re a security researcher, this is a great way to see what the attackers are doing.
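A minimal honeypot of the kind described above, as an added example that is not from the video and not code from Kippo or any other named project: a TCP listener that presents a constructed SSH-style banner, records the source and the first bytes every client sends, and summarizes attempts per source. Host, port, banner and field names are this example’s own; it binds to loopback so it can be exercised locally with a client such as nc.

```python
import json
import socket
import threading
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Constructed bait banner; a real deployment would mirror whatever the
# neighbouring production hosts actually advertise.
BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


class TcpHoneypot:
    """Accepts connections, sends a fake banner, logs what each client sends, then closes."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0: let the OS pick, for local testing
        self.sock.listen(16)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.events: List[Dict] = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(BANNER)
                    data = conn.recv(1024)     # the client's banner, probe or payload
                except (socket.timeout, OSError):
                    data = b""
                self.events.append({
                    "time": datetime.now(timezone.utc).isoformat(),
                    "src_ip": peer[0],
                    "src_port": peer[1],
                    "dst_port": self.port,
                    "first_bytes": data[:128].decode("utf-8", "replace"),
                })


def attempts_by_source(events: List[Dict]) -> Dict[str, int]:
    """Count connection attempts per source address, busiest first."""
    return dict(Counter(e["src_ip"] for e in events).most_common())


if __name__ == "__main__":
    hp = TcpHoneypot()
    hp.start()
    print(f"honeypot listening on 127.0.0.1:{hp.port}; try: nc 127.0.0.1 {hp.port}")
    try:
        threading.Event().wait()   # run until Ctrl-C
    except KeyboardInterrupt:
        hp.stop()
        print(json.dumps(hp.events, indent=2))
        print(attempts_by_source(hp.events))
```

Nothing legitimate should ever connect to a host like this, so every event it records is worth a look; the recorded first bytes are usually enough to tell a scanner’s version probe from a scripted login attempt.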