The Castle Defense System

The best way to define an ESP is to use a model. The model proposed here is the Castle Defense System (CDS). In medieval times, people needed to protect themselves and their belongings through the design of a defense system that was primarily based on cumulative barriers to entry. If you've ever visited a medieval castle or seen a movie with a medieval theme, you'll remember that the first line of defense is often the moat. The moat is a barrier that is designed to stop people from reaching the castle wall. Moats often include dangerous creatures that will add a second level of protection within the same barrier. Next, you have the castle walls. These are designed to repel enemies. At the top of the walls, you will find crenellated edges, allowing archers to fire on the enemy while still being able to hide when fired upon. There are doors of various sizes within the walls, a gate, and a drawbridge for the moat. All entry points have guards posted. Once again, multiple levels of protection are applied within the same layer.

The third defense layer is the courtyard within the castle walls. This is designed as a "killing field" so that if enemies do manage to breach the castle walls, they will find themselves within an internal zone that offers no cover from attackers located either on the external castle walls or within the castle itself. The fourth layer of defense is the castle itself. This is the main building within which are found the crown jewels. It is designed to be defensible on its own; stairways are narrow and rooms are arranged to confuse the enemy. The fifth and last layer of protection is the vault held within the heart of the castle. It is difficult to reach and highly guarded. This type of castle is illustrated in Figure 8-1.

This is, of course, a rudimentary description of the defenses included in a castle. Medieval engineers worked very hard to include multiple defense systems within each layer of protection. But it serves its purpose. An IT defense system should be designed in the same way as a Castle Defense System. Just

Medieval Castle Defense
Figure 8-1 A typical medieval castle

like the CDS, the IT defense system requires layers of protection. In fact, five layers of protection seem appropriate. Starting from the inside, you'll find:

• Layer 1: Critical Information This is the information vault. The heart of the system is the information you seek to protect.

• Layer 2: Physical Protection Security measures should always begin with a level of physical protection for information systems. This compares to the castle itself.

• Layer 3: Operating System Hardening Once the physical defenses have been put in place, you need to "harden" each computer's operating system in order to limit the potential attack surface as much as possible. This is the courtyard.

• Layer 4: Information Access When you give access to your data, you'll need to ensure that everyone is authenticated, authorized, and audited. These are the castle walls and the doors you open within them.

• Layer 5: External Access The final layer of protection deals with the outside world. It includes the perimeter network and all of its defenses. It is your castle moat.

The five-layer Castle Defense System is illustrated in Figure 8-2. In order to become a complete Enterprise Security Policy, it must be supplemented by two elements: People and Processes. These two elements surround the CDS and complete the ESP picture it represents.

Defining the various layers of defense is not the only requirement for an ESP, but it is a starting point. The activities required to define the ESP are outlined in Figure 8-3. This blueprint outlines a step-by-step approach to an ESP definition. It will need to be supported by additional activities which focus on the way the ESP is managed and administered once in place.

This chapter focuses on the solution design portion of the blueprint, specifically the application of the Castle Defense System itself.

Layer 3 Operating System Hardening

> Security Configuration

> Antivirus

> General Active Directory Security

> File System

> Print System

> .NET Framework Security

> Internet Information Server

> System Redundancy

Layer 2 Physical Protection

> Physical Environment

> Physical Controls

> Communications

> Surveillance

Layer 1 Critical Information

> Data Categorization

> Application Hardening

Layered Perimeter Security Castle

Layer 4 Information Access_

> User Identification

> Security Policies

> Resource Access

> Role-based Access Control

> Access Audition/Monitoring

Layer 5

_External Access_

> Perimeter Networks

> Public Key Infrastructures

Figure 8-2 The Castle Defense System

Analysis

Analysis

Business Requirement's

Solution Design

Business Requirement's

1- Business Model

► Organization Model

► Organization Goals

► Products & Services

► Geographic Scope

► Organization Processes

2- Organization Structure

► Management Model

► Organization Structure

► Vendors/Partner/ Customer Relationships

► Acquisition Plans (Business)

3- Organization Strategies

► Business Priorities

► Project Growth and Strategy

► Legal Implications

► Tolerance for Risk

► TCO Objectives

4- IT Management

► Centralized/ Decentralized Management

► Funding Model

► Decision-making Process

► Change Management Process

1- Existing/Planned IT Environment

► Organization Size

► Resources Location

► Network Geographic Distribution and Links

► Available Bandwidth

► H/S Performance Requirements

► Data Patterns

► Network Roles and Responsibilities

2- Security Issues

► Existing Systems and Applications

► Technology Support Structure

► IP Infrastructure

► Authentication Services

► Mobility Issues

► Remote Workers

► External Connections

Solution Design

Castle Defense System

Defense Planning

Castle Defense System

Defense Planning

1- Critical Information

► Data Categorization

► Application Hardening

2- Physical Protection

► Physical Environment

► Physical Control

► Communications

► Surveillance

3- Operation System Hardening

► Security Configuration

► General Active Directory Security

► .NET Framework Security

► Internet Information Server

► System Redundancy

4- Information Access

► User Identification

► Security Policies

► Resource Access

► Role-based Access Control

► Access Auditing/ Monitoring

5- External Access

► Perimeter Networks

► Public Key Infrastructure

1 - Threat Assessment

► Attack Type Identification

► Proactive Response Strategies

► Reactive Response Strategies

2- Risk Assessment

► Risk Identification

► Risk Calculation

► Risk Prioritization

3- User Awareness

► Mandatory Training

► Communication Plans

► Technical Training Program

4- Monitoring Procedures

► Events to Monitor

► Monitoring Infrastructure

5- Attack Reaction Plans

► Incident Response Team

► Response Procedures

► Escalation Procedures

6- Recovery Program

► Core System Protection

► Backup Systems

► Restoration Procedures

7- Industry Watch

► Security Event Watch

► New Product Watch

► Product Upgrade Watch

Figure 8-3 The Enterprise Security Policy Design Blueprint

Was this article helpful?

+2 0

Responses

  • caden
    How to pass medieval castle defense 81?
    9 years ago

Post a comment