
Behind the perimeter

As more attacks penetrate traditional perimeter defenses, smart organizations adopt defense-in-depth strategies in which application-level security plays an increasingly critical role.

By Joanne Cummings, Network World
August 30, 2004 12:08 AM ET

Joseph Granneman knows all too well the importance of a true defense-in-depth strategy. Granneman, manager of networking and data security at Rockford Health System, a healthcare company in Illinois, had the gates barred by firewalls and intrusion-detection systems but still got slammed.

"We used to think the computer room was safe because it's on the LAN and not the Internet, but that's just not so," he says. "We've got a great perimeter, but the last few worms hit us anyway."

It turns out consultants had walked in with the infections. In one case, a consultant had unplugged a protected desktop and swapped in his infected laptop, bypassing the company's perimeter safeguards and spreading the infection internally.

"He didn't know he had the worm, so it wasn't intentional. But it hit us hard," Granneman says.

Cases like Rockford's are common enough to make clear that reliance on a hardened perimeter is no longer enough. As perimeter security has become more robust, the bad guys have found new ways in. Or, as in Rockford's case, attacks are launched from within. What's more, business today demands cross-linking networks with partners and customers, many of which have less-than-secure networks.

"Even if we're doing the right things, we're not sure our partners are," says John Pironti, enterprise solutions architect and security consultant at Unisys, noting that large companies that do business with smaller shops are especially vulnerable. "Boutique shops don't tend to have the resources to protect themselves, and they like to advertise they're working with big companies. So if you're an attacker, you look for these little companies and attack them, then use the secure pipes into the larger organizations to attack them."

Faced with these changes, organizations are relying more on defense-in-depth strategies in which they bolster their perimeter security tools with internal measures and application-level security.

Three levels of defense

Granneman is taking a three-pronged strategy for his most critical internal resources. First, he is taking traditional firewall and IDS perimeter security and applying it internally in front of critical devices and servers. "We're trying to build a perimeter-like moat around the internal computer room," he says.

Second, he is implementing a technology from Zone Labs called Integrity, which eliminates the vulnerability underscored by the consultant's infected laptop. With Integrity, when a user logs on to the network, he is directed to the Integrity server, which determines whether his machine has the appropriate patch levels and virus signatures before providing full network access. If the device is not up to snuff, Integrity routes it to a secure server that downloads the appropriate updates.

Third, Rockford is implementing Top Layer Networks' Attack Mitigator application-level intrusion-prevention system (IPS) between the servers and the firewall/IDS combination. Attack Mitigator focuses on protecting the network from nefarious traffic the firewall lets through. It homes in on individual application-level protocols, such as HTTP for Web applications, SMTP for e-mail or DNS for hosting, and ensures that only protocol-appropriate traffic types and requests get through to the server.
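The admission decision described for the Integrity server, as an added illustration written for this article rather than code from Zone Labs or Rockford: a constructed policy (the patch identifiers and signature-age limit are placeholders) checks a host's reported patches and virus-signature date and routes it either to the full network or to a remediation server, failing closed when the agent reports nothing.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed policy values for this example; not taken from any real product.
REQUIRED_PATCHES = {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}
MAX_SIGNATURE_AGE_DAYS = 7
FULL_ACCESS = "full-network"
REMEDIATION = "remediation-server"


@dataclass
class EndpointReport:
    """What the endpoint agent reports at logon (hypothetical schema)."""
    host: str
    installed_patches: set = field(default_factory=set)
    signature_date: Optional[str] = None  # ISO date of AV signatures; None = not reported


def admit(report: EndpointReport, today: str) -> Tuple[str, List[str]]:
    """Return (destination, reasons).

    Any missing patch or stale/absent signature data sends the host to the
    remediation server; only a fully compliant host gets full network access.
    A report with no signature date is treated as non-compliant (fail closed).
    """
    reasons: List[str] = []
    missing = REQUIRED_PATCHES - report.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    if report.signature_date is None:
        reasons.append("no virus signature date reported")
    else:
        age = (date.fromisoformat(today) - date.fromisoformat(report.signature_date)).days
        if age > MAX_SIGNATURE_AGE_DAYS:
            reasons.append(f"virus signatures are {age} days old (limit {MAX_SIGNATURE_AGE_DAYS})")
    return (REMEDIATION if reasons else FULL_ACCESS), reasons


if __name__ == "__main__":
    # Constructed sample reports: a patched desktop and an out-of-date laptop.
    desktop = EndpointReport("desk-01", {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}, "2004-08-28")
    laptop = EndpointReport("visitor-laptop", {"KB-EXAMPLE-001"}, "2004-06-01")
    for r in (desktop, laptop):
        print(r.host, admit(r, "2004-08-30"))
```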
