O'Reilly Modern Defense in Depth
net. However, few, if any, of these technologies are integrated in any fashion whatsoever, and none of them are aware of the other technologies deployed. I fully believe that this "independent lines of defense approach" is a major contributor to the high number of successful attacker campaigns, and this commonly accepted methodology must be addressed given that it has been proven to not be adequate in many cases.

This Approach Is Not Adequately Protecting Internet-Facing Web Applications

Next, let's see how similar, nonintegrated cybersecurity technologies are most commonly deployed in today's data centers to defend the public-facing web applications hosted there. Here you will find parallel lines of defense that are nearly the same as the lines of defense found when protecting users from the internet. Again, the independent lines of defense are very apparent in organizations' data centers.

Today, many organizations that use data centers deploy their own authoritative Domain Name System (DNS) servers, web servers, and publicly exposed web applications in what is known as the demilitarized zone (DMZ) within corporate data centers. These DNS servers, web servers, and web applications are normally protected by firewalls as the first line of defense. However, most people don't realize that firewalls provide little, if any, protection for devices connected in a DMZ, because organizations must configure the border firewalls to allow all inbound traffic from the internet on TCP/UDP port 53 (DNS), TCP port 80 (HTTP), and TCP port 443 (HTTPS). As a result, organizations still must do better than supposedly protecting their DNS, web servers, and applications with a DMZ. Organizations are next forced to deploy more independent lines of defense, such as advanced intrusion prevention systems, web application firewalls, bot management solutions, server-based malware protection, and so forth, within the DMZ itself to protect the devices deployed there as well.
This nearly replicates the lines of defense that are deployed to protect the internal user community and adds additional cost and complexity, because most of these systems in the DMZs are designed to protect only applications, not users' computers. Another issue with
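As an added example that is not part of the book, here is the border-firewall position described above written as an nftables ruleset: the inbound allows on ports 53, 80 and 443 to the DMZ hosts are unavoidable and pass whatever is carried inside those connections, so the ruleset concentrates on what the firewall can still enforce, namely pinning those allows to specific hosts and restricting what the DMZ may reach outbound. The DMZ addresses, interface names and host roles are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: border firewall in front of a DMZ holding an authoritative
# DNS server and a public web server. All values below are assumed placeholders:
# DMZ subnet 203.0.113.0/24, DNS host 203.0.113.10, web host 203.0.113.20,
# interfaces "wan" (internet), "dmz" and "lan" (internal network).
flush ruleset

table inet border {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted below.
        ct state established,related accept
        ct state invalid drop

        # The allows the text calls mandatory: anyone on the internet may reach
        # the authoritative DNS and the public web server. Pinning them to the
        # individual hosts rather than the whole DMZ subnet is as fine-grained
        # as a layer-3/4 firewall gets; it never sees the query or request inside.
        iifname "wan" oifname "dmz" ip daddr 203.0.113.10 udp dport 53 accept
        iifname "wan" oifname "dmz" ip daddr 203.0.113.10 tcp dport 53 accept
        iifname "wan" oifname "dmz" ip daddr 203.0.113.20 tcp dport { 80, 443 } accept

        # What the firewall still can enforce: a DMZ host compromised through one
        # of the ports above gets no path into the internal network, and its own
        # outbound connections are limited to what each service needs.
        iifname "dmz" oifname "lan" drop
        iifname "dmz" oifname "wan" ip saddr 203.0.113.10 udp dport 53 accept
        iifname "dmz" oifname "wan" ip saddr 203.0.113.10 tcp dport 53 accept
        iifname "dmz" oifname "wan" ip saddr 203.0.113.20 tcp dport 443 accept

        # Log anything else leaving the DMZ before the default drop; unexpected
        # egress from a DMZ host is a useful compromise signal for the SOC.
        iifname "dmz" log prefix "dmz-egress-denied " drop
    }
}
```

Everything that reaches 203.0.113.20 on 80/443 is accepted here regardless of its content, which is exactly why the text places intrusion prevention and web application firewalls inside the DMZ as further, separate layers.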
