Joseph Granneman knows all too well the importance of a true defense-in-depth strategy. Granneman, manager of networking and data security at Rockford Health System, a healthcare company in Illinois, had the gates barred by firewalls and intrusion-detection systems but still got slammed.

"We used to think the computer room was safe because it's on the LAN and not the Internet, but that's just not so," he says. "We've got a great perimeter, but the last few worms hit us anyway."

It turns out consultants had walked in with the infections. In one case, a consultant had unplugged a protected desktop and swapped in his infected laptop, bypassing the company's perimeter safeguards and spreading the infection internally.

"He didn't know he had the worm, so it wasn't intentional. But it hit us hard," Granneman says.

Cases like Rockford's are common enough that it is clear that reliance on a hardened perimeter is no longer enough. As perimeter security has become more robust, the bad guys have found new ways in. Or, as in Rockford's case, attacks are launched from within. What's more, business today demands cross-linking networks with partners and customers, many of which have less-than-secure networks.

"Even if we're doing the right things, we're not sure our partners are," says John Pironti, enterprise solutions architect and security consultant at Unisys, noting that large companies that do business with smaller shops are especially vulnerable. "Boutique shops don't tend to have the resources to protect themselves, and they like to advertise they're working with big companies. So if you're an attacker, you look for these little companies and attack them, then use the secure pipes into the larger organizations to attack them."

Faced with these changes, organizations are relying more on defense-in-depth strategies in which they bolster their perimeter security tools with internal measures and application-level security.

Three levels of defense

Granneman is taking a three-pronged strategy for his most critical internal resources. First, he is taking traditional firewall and IDS perimeter security and applying it internally in front of critical devices and servers. "We're trying to build a perimeter-like moat around the internal computer room,"he says.