Defense in Depth
Defense in Depth is a layered security strategy that implements multiple security controls at different network layers and locations - because no single security measure is foolproof, and attackers who breach one layer will face additional barriers.
- Core principle: Assume a breach will occur somewhere - design overlapping defenses so the failure of one control doesn’t compromise the entire network
- Think of it like a medieval castle: outer walls, moat, inner walls, keep - each layer forces attackers to overcome multiple obstacles
- Modern networks apply this by securing perimeter, internal segments, endpoints, applications, and data simultaneously
Key Defense Layers
- Perimeter Security: Firewalls, IPS/IDS at network edge (traditional “castle wall” approach)
- Network Segmentation: VLANs, subnets, internal firewalls to limit lateral movement
- Endpoint Protection: Antivirus, host-based firewalls, device hardening
- Access Control: Authentication (who you are), authorization (what you can do), accounting (what you did)
- Application Security: Input validation, secure coding, application firewalls
- Data Protection: Encryption at rest and in transit, data loss prevention (DLP)
Implementation Strategy
- Redundant Controls: Multiple technologies protecting same assets (for example, network firewall + host firewall + application controls)
- Diverse Technologies: Different vendors/approaches to avoid single points of failure
- Detection AND Prevention: Preventive controls (firewalls) combined with detective controls (monitoring/logging)
- Fail Secure: When controls fail, default to deny rather than permit
Vocabulary
| Term | Definition |
|---|---|
| Lateral Movement | Attacker technique of moving through network after initial compromise to reach high-value targets |
| Zero Trust | Modern security model assuming no implicit trust - verify everything, everywhere |
| Attack Surface | Total sum of vulnerabilities and entry points available to attackers |
| Security Posture | Overall cybersecurity strength of organization across all layers |
Common CCNA Defense Technologies
| Layer | Technology | Purpose | Example Use Case |
|---|---|---|---|
| Perimeter | ASA Firewall | Block unauthorized traffic | Deny internet access to internal servers |
| Network | 802.1X | Port-based authentication | Authenticate devices before network access |
| Endpoint | Host Firewall | Local traffic filtering | Block unnecessary services on workstations |
| Application | WAF | Web application protection | Filter SQL injection attempts |
| Data | IPSec | Encrypt network traffic | Secure site-to-site VPN tunnels |
Real-World Example
A small office network might implement:
- Internet firewall (perimeter)
- Separate VLANs for users/servers/guests (segmentation)
- 802.1X for wireless access (access control)
- Endpoint antivirus (host protection)
- Encrypted backup to cloud (data protection)
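Added example (not part of the original notes): a Cisco IOS configuration sketch that wires the small-office layers above together and shows the Implementation Strategy points in practice - segmentation between VLANs, 802.1X on access ports with AAA accounting, an explicit logged deny at the end of each ACL (fail secure plus detection), and a syslog target so the denies are actually seen. All VLAN numbers, addresses, interface names and server roles are constructed assumptions.

```cisco
! --- Segmentation: one VLAN per role (constructed example) ---
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 30
 name GUESTS
!
! --- Detection: send ACL hits and auth events to a syslog server (assumed address) ---
logging host 10.0.20.20
logging trap informational
!
! --- Access control: 802.1X on wired access ports, RADIUS for AuthN/AuthZ/Accounting ---
aaa new-model
aaa authentication dot1x default group radius
aaa accounting dot1x default start-stop group radius
radius server OFFICE-RADIUS
 address ipv4 10.0.20.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
dot1x system-auth-control
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! --- Guests: internet only; any attempt to reach internal ranges is denied and logged ---
ip access-list extended GUESTS-IN
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any
!
! --- Users: only the services they need on the server VLAN; everything else to servers/guests is
! denied and logged. The final deny catches traffic with a spoofed source address (fail secure). ---
ip access-list extended USERS-IN
 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 443
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.53 eq 53
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 log
 deny   ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255 log
 permit ip 10.0.10.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group USERS-IN in
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip access-group GUESTS-IN in
```

The internet firewall, endpoint antivirus and encrypted backups from the list are separate layers on other devices; this fragment covers only the switch-side segmentation and access-control controls, and the log entries it produces are what the monitoring process in Notes has to consume.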
Critical Rule: Defense in depth is not about having the most security tools - it’s about having the right combination of controls that work together effectively
Notes
- Budget Reality: Start with highest-impact, lowest-cost controls first (patch management, basic firewalls, user training)
- Complexity Warning: Too many security layers can impact performance and usability - balance security with operational needs
- Monitoring Gap: Having multiple security tools is useless without proper monitoring and incident response procedures
- Exam Tip: CCNA focuses on network-layer defenses (firewalls, ACLs, VPNs) rather than endpoint or application security
- Military Parallel: Just like military defense positions have multiple fallback lines, networks need multiple security perimeters
- Remember: Defense in depth assumes attackers will eventually get through some defenses - the goal is making an attack so difficult and detectable that most give up or get caught