3.2. Defense in Depth
Another principle of security (again, any kind of security) is defense in depth.
Don't depend on just one security mechanism, however strong it
may seem to be; instead, install multiple mechanisms that back each
other up. You don't want the failure of any single security
mechanism to totally compromise your security. You can see
applications of this principle in other aspects of your life. For
example, your front door probably has both a doorknob lock and a dead
bolt; your car probably has both a door lock and an ignition lock;
and so on.
Although our focus in this book is on firewalls, we don't
pretend that firewalls are a complete solution to the whole range of
Internet security problems. Any security -- even the most
seemingly impenetrable firewall -- can be breached by attackers
who are willing to take enough risk and bring enough power to bear.
The trick is to make the attempt too risky or too expensive for the
attackers you expect to face. You can do this by adopting multiple
mechanisms that provide backup and redundancy for each other: network
security (a firewall), host security (particularly for your bastion
host), and human security (user education, careful system
administration, etc.). All of these mechanisms are important and can
be highly effective, but don't place absolute faith in any one
of them.
Your firewall itself will probably have multiple layers. For example,
one architecture has multiple packet filters; it's set up that
way because the two filters need to do different things, but
it's quite common to set up the second one to reject packets
that the first one is supposed to have rejected already. If the first
filter is working properly, those packets will never reach the
second; however, if there's some problem with the first, then
with any luck, you'll still be protected by the second.
Here's another example: if you don't want people sending
mail to a machine, don't just filter out the packets; also
remove the mail programs from the machine. In situations in which the
cost is low, you should always employ redundant defenses.
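The two-filter architecture and the "remove the mail program" host layer above, as an added example (not from the book): a toy Python model of three independent layers, where knocking out a filter shows which remaining layer still catches the disallowed traffic. The addresses, rule tuples and function names are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    dst: str      # constructed sample addresses only
    dport: int

@dataclass
class PacketFilter:
    name: str
    # (dst_prefix, dport or None, allow) rules; first match wins,
    # and a packet matching no rule is dropped (default deny).
    rules: list = field(default_factory=list)
    enabled: bool = True  # False models a filter knocked out by human or machine error

    def allows(self, p: Packet) -> bool:
        if not self.enabled:
            return True  # a broken layer passes everything; the next layer must catch it
        for prefix, port, allow in self.rules:
            if p.dst.startswith(prefix) and (port is None or p.dport == port):
                return allow
        return False

@dataclass
class Host:
    addr: str
    listening: set = field(default_factory=set)  # ports where a service is actually installed
    @property
    def name(self) -> str:
        return f"host {self.addr}"
    def allows(self, p: Packet) -> bool:
        # No mail program on the box: nothing answers on 25 even if packets arrive
        return p.dst == self.addr and p.dport in self.listening

def deliver(layers, p: Packet):
    """('allow', None), or ('deny', name of the first layer that stopped the packet)."""
    for layer in layers:
        if not layer.allows(p):
            return "deny", layer.name
    return "allow", None

# Constructed scenario: internal net 192.0.2.0/24, web server 192.0.2.10, policy
# "outsiders may reach HTTP, never SMTP"; both routers carry the same rules.
RULES = [("192.0.2.", 80, True), ("192.0.2.", 25, False)]

def simulate(dport: int, outer_ok: bool = True, inner_ok: bool = True):
    outer = PacketFilter("exterior router", RULES, outer_ok)
    inner = PacketFilter("interior router", RULES, inner_ok)
    www = Host("192.0.2.10", {80})  # mail daemon deliberately not installed
    return deliver([outer, inner, www], Packet("192.0.2.10", dport))
```

With both filters working, SMTP dies at the exterior router; with the exterior filter disabled it dies at the interior router; with both disabled the absent mail program on the host is the last layer, while HTTP passes every layer in all three cases.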
These redundant defenses aren't solely, or even primarily, to
protect from attackers; they mostly provide protection against
failures of one level of defense. In the car example, there's a
door lock and an ignition lock, and maybe an alarm system as well,
but your average professional car thief can break all of them. The
best you can hope for is that the redundancy will slow a thief down
some. However, if you're having a bad day and you leave the
door unlocked, the ignition lock will still keep casual thieves from
driving the car away. Similarly, redundant packet filters probably
won't keep a determined attacker out (if you know how to get
through the first layer, you'll probably make it through the
second). However, when a human or machine error turns off the first
layer, you'll still have protection.