
LAYERED NETWORK SECURITY:
A best-practices approach
Prepared by:
Mitchell Ashley
VP of Engineering & CIO
Latis Networks, Inc.
January 2003
Reducing your risk has never been this easy.
StillSecure™
White paper
© 2003, Latis Networks, Inc. All rights reserved.
Table of Contents
Introduction (p. 2)
Increasing the hacker’s work factor (p. 2)
The layered-security model (p. 2)
Level 1: Perimeter security (p. 3)
  Pros (p. 3)
  Cons (p. 3)
  Considerations (p. 3)
Level 2: Network security (p. 4)
  Pros (p. 5)
  Cons (p. 5)
  Considerations (p. 5)
Level 3: Host security (p. 5)
  Pros (p. 6)
  Cons (p. 6)
  Considerations (p. 6)
Level 4: Application security (p. 6)
  Pros (p. 6)
  Cons (p. 6)

270
Louisville, CO 80027
P: [303] 381- 3800
F: [303] 381- 3880
www.stillsecure.com
© 2002-2003 Latis Networks, Inc. All rights reserved. Latis, the Latis logo, StillSecure and the StillSecure logo
are trademarks of Latis Networks, Inc. All other trademarks are the property of their respective owners. The
products and services listed may not be available in all regions.
INTRODUCTION
Network security is now a mission-critical concern for enterprises,
government agencies, and organizations of all sizes. Today’s
advanced threats from cyber-terrorists, disgruntled employees,
and hackers demand a methodical approach to network security.
In many industries enhanced security is not an option — it’s
mandatory. Recently enacted federal regulations require organizations
such as financial institutions, health care providers, and
key federal agencies to implement stringent security programs to
protect digital assets.
This paper introduces you to a layered approach for securing your
network. The layered approach is both a technical strategy,
calling for adequate measures to be put in place at different levels
within your network infrastructure, and an organizational strategy,
requiring buy-in and participation from the board of directors
down to the shop floor.
The layered-security approach centers on maintaining appropriate
security measures and procedures at five different levels within
your IT environment:
1. Perimeter
2. Network
3. Host

don’t live in an ideal world. As such, you should evaluate your network
— how it is used, the nature of the data stored, who requires
access, its rate of growth, etc. — and then implement a blend of
security measures that provides the highest level of protection
given your available resources.
THE LAYERED-SECURITY MODEL
Figure 1 presents the layered-security model and some of the
technologies that function at each level. These technologies are
discussed in more detail in the sections that follow.
Layered Network Security: A best-practices approach
2 of 10
StillSecure™
© 2003 Latis Networks, Inc. All rights reserved.
Figure 1. The security levels in the layered approach and the technologies that function on each.
[Figure 1 residue: a two-column table, "Security level" and "Applicable security measures"; the level labels did not survive extraction. Measures listed: Firewall; Network-based anti-virus; VPN encryption; Intrusion detection/prevention system (IDS/IPS); Vulnerability assessment (VA) tools; Access control/user authentication; Host IDS; Host VA; Anti-virus; Access control/user authentication.]

the inside and the outside of the network perimeter (see Figure 2).
A firewall performs three general functions: 1) traffic control, 2)
address translation, and 3) VPN termination. The firewall performs
traffic control by examining the source and destination of all incoming
and outgoing network traffic; it ensures that only permissible
requests are allowed through. Additionally, firewalls help secure the
network by translating internal IP addresses to IP addresses that are
visible to the Internet. This prevents the disclosure of critical information
about the structure of the network inside the firewall. A
firewall can also terminate VPN tunnels (discussed below). These
three capabilities make a firewall an indispensable part of your network
security.
• Network-based anti-virus — Installed in the DMZ, network-based
anti-virus software compares incoming and outgoing email message
content to a database of known virus profiles. Network-based anti-virus
products block infected email traffic by quarantining suspicious
and infected email messages and then notifying recipients and
administrators. This prevents email infected with a virus from entering
and spreading across your network, and it prevents your network
from spreading virus-infected email. Network-based anti-virus
is a complement to anti-virus protection performed on your email
server and individual desktop computers. To work effectively, the
database of known viruses must be kept up to date.
• VPN — A virtual private network (VPN) uses high-level encryption
to create a secure connection between remote devices, such as
laptops, and the destination network. It essentially creates an
encrypted ‘tunnel’ across the Internet, approximating the security
and confidentiality of a private network. A VPN tunnel can terminate
on a VPN-enabled router, firewall, or server within the DMZ.
Enforcing VPN connections for all remote and wireless network

The types of devices located in your DMZ are also an important
factor. How critical are these devices to your business? The higher
the criticality, the more stringent the security measures and the
policies that govern these devices must be.
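The two firewall functions the perimeter section describes first, traffic control and address translation, as an added example that is not code from the white paper or from Latis Networks. The addresses, the policy and the firewall's public IP are constructed for the demonstration.

```python
# Added example, not code from the white paper: a minimal model of two of
# the three firewall functions the paper lists, traffic control and
# address translation. Rules are evaluated first-match with a default
# deny, and packets leaving the private LAN are rewritten to the
# firewall's public address so internal addressing is never disclosed.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR of permitted sources
    dst: str               # CIDR of permitted destinations
    dport: Optional[int]   # None matches any destination port
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport))

# Constructed addressing and policy: the Internet may reach only the DMZ
# web and mail services, the LAN may initiate anything outbound, and
# everything else (including Internet-to-LAN) falls through to deny.
LAN, ANY = "10.0.0.0/8", "0.0.0.0/0"
FIREWALL_PUBLIC_IP = "198.51.100.1"
POLICY: List[Rule] = [
    Rule("allow", ANY, "203.0.113.10/32", 443),   # DMZ web server, HTTPS
    Rule("allow", ANY, "203.0.113.25/32", 25),    # DMZ mail server, SMTP
    Rule("allow", LAN, ANY, None),                # outbound from the LAN
]

def filter_packet(p: Packet, policy: List[Rule] = POLICY) -> str:
    """Traffic control: the first matching rule decides; no match means deny."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"

def translate_outbound(p: Packet) -> Packet:
    """Address translation: LAN sources leave as the firewall's public IP."""
    if ip_address(p.src) in ip_network(LAN):
        return replace(p, src=FIREWALL_PUBLIC_IP)
    return p

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.7", "203.0.113.10", 443),
                Packet("192.0.2.7", "10.1.2.3", 445),
                Packet("10.1.2.3", "192.0.2.7", 80)):
        print(pkt.src, pkt.dst, pkt.dport, filter_packet(pkt), translate_outbound(pkt).src)
```

The first sample packet is allowed purely on addresses and port, so anything carried inside permitted HTTPS traffic passes the firewall; that is the gap the paper's network-level IDS/IPS is meant to close.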
LEVEL 2: NETWORK SECURITY
The network level of the layered-security model refers
to your internal LAN and WAN. Your internal network
may include desktops and servers or may be more
complex with point-to-point frame relay connections
to remote offices. Most networks today are fairly open behind the
perimeter; once inside, you can travel across the network unimpeded.
This is especially true for most small- to medium-size
organizations, which makes them tempting targets for hackers
and other malicious individuals.
The following technologies provide security at the network level:
• Intrusion detection systems (IDSs) and intrusion prevention
systems (IPSs) — IDS and IPS technologies analyze traffic moving
across your network in much greater detail than your firewall.
Similar to anti-virus systems, IDS and IPS devices analyze traffic
and compare each packet to a database of known attack profiles.
When attacks are detected, these technologies take action. IDS
tools alert your IT staff that an attack has occurred; IPS tools go
a step further and automatically block the harmful traffic.
IDSs and IPSs have many characteristics in common. In fact,
most IPSs have an IDS at their core. The key difference between
the technologies is implied by their names: IDS products only
detect malicious traffic, while IPS products prevent such traffic
from entering your network. Standard IDS and IPS network
configurations are shown in Figure 3.

managed to provide maximum security throughout the network.
PROS
IDS, IPS, and VA technologies perform sophisticated analyses of
network threats and vulnerabilities. Where your firewall allows
or disallows traffic based on its ultimate destination, IPS and IDS
tools conduct a much deeper analysis and therefore provide a
higher level of protection. With these advanced technologies,
attacks embedded in ‘legitimate’ network traffic, which can get
through a firewall, will be identified and potentially terminated
before damage occurs.
VA tools automate the process of checking your network for
vulnerabilities. Performing such checks manually — with the frequency
required to ensure security — would be highly impractical.
Also, networks are dynamic. New devices, application upgrades
and patches, and adding and removing users can all introduce
new vulnerabilities. VA tools allow you to scan your network
frequently and thoroughly for newly introduced vulnerabilities.
CONS
Intrusion detection systems (IDSs) have a tendency to produce
numerous false alarms, also referred to as false positives. While
an IDS will likely detect and alert you to an attack, such information
could be buried under a mountain of false-positive or trivial
data. IDS administrators can quickly become desensitized to the
sheer volume of data produced by the system. To be effective,
an IDS must be closely monitored and continually fine-tuned
to the usage patterns and vulnerabilities discovered in your environment.
Such maintenance typically consumes a fair amount
of administrative resources.
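The IDS/IPS relationship described above (one detection core, alert versus block) together with the fine-tuning the Cons section calls for, as an added example that is not code from the white paper or from any StillSecure product. The signature database, the sample packets and the suppression list are all constructed.

```python
# Added example, not from the white paper: a toy IDS/IPS with one shared
# detection core. The core compares each packet's payload against a
# constructed database of attack profiles; IDS mode only records an alert,
# IPS mode additionally drops the packet. The suppression list models the
# fine-tuning the paper describes, silencing a noisy signature for a source.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed attack-profile database: (signature id, description, pattern).
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("SIG-1001", "directory traversal in HTTP request", rb"\.\./\.\./"),
    ("SIG-1002", "very long URI (possible overflow attempt)", rb"GET /[^ ]{512,}"),
    ("SIG-2001", "NetBIOS name query (often benign scanner noise)", rb"^\x00.{2}\x01\x10"),
]

@dataclass
class Sensor:
    mode: str                                                      # "ids" or "ips"
    suppress: List[Tuple[str, str]] = field(default_factory=list)  # (sig_id, src)
    alerts: List[Tuple[str, str, str]] = field(default_factory=list)

    def detect(self, p: Packet) -> List[str]:
        """Shared detection core: ids of every signature the payload matches."""
        return [sid for sid, _, pat in SIGNATURES if re.search(pat, p.payload, re.S)]

    def process(self, p: Packet) -> str:
        """Return 'pass' or 'drop'; alerts accumulate for the IT staff."""
        hits = [sid for sid in self.detect(p)
                if (sid, p.src) not in self.suppress]    # tuned-out noise
        for sid in hits:
            self.alerts.append((sid, p.src, p.dst))
        if hits and self.mode == "ips":
            return "drop"      # IPS blocks the harmful traffic
        return "pass"          # IDS only alerts; the traffic continues

# Constructed sample traffic: a traversal attempt, a normal request, and a
# NetBIOS probe from the organisation's own vulnerability scanner.
SAMPLE = [
    Packet("192.0.2.7", "203.0.113.10", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet("192.0.2.8", "203.0.113.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.1.2.3", 137, b"\x00\x01\x00\x01\x10\x00\x00"),
]

def run(mode: str, suppress: Optional[List[Tuple[str, str]]] = None) -> Tuple[List[str], List[str]]:
    s = Sensor(mode, suppress or [])
    verdicts = [s.process(p) for p in SAMPLE]
    return verdicts, [a[0] for a in s.alerts]

if __name__ == "__main__":
    print(run("ids"))
    print(run("ips", [("SIG-2001", "10.0.0.5")]))
```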
The level of automation within intrusion prevention systems (IPSs)
can vary significantly among products. Many must be carefully

when set inappropriately, can create exploitable security holes.
These parameters include registry settings, services (applications)
operating on the device, or patches to the operating system or
important applications.
The following technologies provide security at the host level:
• Host-based intrusion detection systems (IDSs) — Host-based
IDSs perform similarly to network IDSs — the key difference being
that they monitor traffic on a single network device. Host-based
IDSs are fine-tuned to the specific operational characteristics of
the host device and therefore provide a high degree of protection
when properly administered.
• Host-based vulnerability assessment (VA) — Host-based VA
tools scan a single network device for security vulnerabilities.
Host-based VA tools are fine-tuned to the devices they monitor.
They are extremely accurate and make minimal demands on the
host’s resources. Because they are configured specifically for the
host device, they provide an excellent level of coverage when
properly administered.
• Anti-virus — Device-specific anti-virus applications provide an
additional layer of protection when used in conjunction with
network-based anti-virus tools.
• Access control/authentication — Access control measures at the
device level are a best practice that ensures device access is granted
to authorized users only. Again, there is likely to be a high level
of interaction between network access-control measures and host

shortcomings in the software, yet you may be powerless to correct
them.
Applications are being placed on the Web for access by customers,
partners, or even remote employees with increasing frequency.
These applications, such as sales force, customer relationship
management, or financial systems, can provide a ready target to
individuals with malicious intent. Therefore, it is especially
important to impose a comprehensive security strategy for each
network application.
The following technologies provide security at the application level:
• Application shield — An application shield is frequently referred
to as an application-level firewall. It ensures that incoming and
outgoing requests are permissible for the given application.
Commonly installed on Web servers, email servers, database
servers, and similar machines, an application shield is transparent
to the user but highly integrated with the device on the backend.
An application shield is finely tuned to the host device’s expected
functionality. For example, an application shield on an email server
would likely be configured to prohibit an incoming mail message
from automatically launching any executables, because that is not
a typical or necessary email function.
• Access control/authentication — Like network- and device-level
authentication, only authorized users are able to access the
application.
• Input validation — Input validation measures verify that
application input traveling across your network is safe to process.
Although this is crucially important for Web-based input, any
interaction between people and a user interface can produce
input errors or be exploited if the proper security measures are
not in place. In general, any interactions with your Web server

allows you to implement security measures in a controlled way
as your network grows and avoids the additional expenses that
retrofitting will likely require.
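The email-server application shield used as the example in the application section, as added code that is not from the white paper or from any StillSecure product. It applies the one rule the paper gives (an incoming message must not launch executables) by quarantining messages that carry an executable attachment; the extension and MIME-type lists and the sample messages are constructed.

```python
# Added example, not from the white paper: a minimal application shield in
# front of an email server. A message is quarantined when any attachment
# would run as a program, judged by both its file extension and its declared
# content type, before the message reaches the mail store. All lists and
# sample messages here are constructed for the demonstration.
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions and MIME types a desktop or mail client would execute rather
# than display; illustrative, not exhaustive.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js", ".hta"}
EXEC_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                   "application/hta", "text/javascript"}

def executable_parts(raw: bytes) -> List[str]:
    """Names of the attachments the shield treats as executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        ctype = part.get_content_type().lower()
        if ext in EXEC_EXTENSIONS or ctype in EXEC_MIME_TYPES:
            found.append(name or ctype)
    return found

def shield(raw: bytes) -> Tuple[str, List[str]]:
    """Shield verdict: ('deliver', []) or ('quarantine', [offending names])."""
    bad = executable_parts(raw)
    return ("quarantine", bad) if bad else ("deliver", [])

def build_sample(attachment_name: str, attachment_mime: str) -> bytes:
    """Construct a small two-part message carrying one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "user@example.com"
    m["Subject"] = "Quarterly figures"
    m.set_content("Please see the attached file.")
    maintype, subtype = attachment_mime.split("/", 1)
    m.add_attachment(b"MZ...constructed bytes...", maintype=maintype,
                     subtype=subtype, filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    print(shield(build_sample("report.pdf", "application/pdf")))
    print(shield(build_sample("invoice.pdf.exe", "application/octet-stream")))
    print(shield(build_sample("notes.txt", "application/x-msdownload")))
```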
LEVEL 5: DATA SECURITY
Data-level security entails a blend of policy and encryption.
Encrypting data where it resides and as it travels
across your network is a recommended best practice
because, if all other security measures fail, a strong
encryption scheme protects your proprietary data.
Data security is highly dependent on organization-wide policies
that govern who has access to data, what authorized users can
do with it, and who has ultimate responsibility for its integrity and
safekeeping. Determining the owner and the custodian of the data
lets you identify the appropriate access policies and security measures
that should be applied.
The following technologies provide security at the data level:
• Encryption — Data encryption schemes are commonly implemented
at the data, the application, and the operating-system levels.
Almost all schemes involve encryption/decryption keys that all
parties accessing the data must have. Common encryption strategies
include PKI, PGP, and RSA.
• Access control/authentication — Like network-, host-, and
application-level authentication, only authorized users are given
access to the data.
PROS

BORDER GUARD: Protects you from the cost of malicious attacks
Latis Networks developed the StillSecure Border Guard family of
IPS products to protect networks from attack and, through a high
level of automation, reduce the IT resources required to operate
a secure network. Operating on both the perimeter and the net-
work levels of the layered security model, the Border Guard family
can protect a variety of network architectures and includes:
Border Guard Standard — Border Guard Standard works in concert
with your existing firewall to block attacks.
Border Guard Gateway — Border Guard Gateway, which has
traffic-blocking functionality built in, is ideal for perimeter defense
and for securing traffic behind the firewall, such as extranet con-
nections to satellite offices and suppliers.
Border Guard Wireless — Border Guard Wireless is designed
specifically for wireless networks. It prevents intruders from
compromising your network through notoriously insecure wireless
access points.
Border Guard products plug the most dangerous security holes
on your network. Each product:
• Automatically blocks incoming attacks using Dynamic Attack
Suppression™ technology, which reduces IT man-hours spent
on security and protects your network 24/7/365.
• Includes automatic rule updates, ensuring protection and
eliminating the need to manually research and integrate the latest
attack profiles.
• Learns to gauge the response to suspicious traffic, greatly reducing
the number of false positives.
• Provides detailed reporting to satisfy management and auditors.

vulnerabilities, but to manage and validate the vulnerability
repair process as well. VAM comprises three integrated products:
Server VAM — scans servers, routers, switches, and firewalls.
Desktop VAM — scans for vulnerabilities specific to desktops,
laptops, and printers.
Remote VAM — scans Internet-visible servers, routers, switches,
and firewalls.
Collectively, VAM products assess and manage vulnerabilities on
all segments of your network. Figure 6 shows a typical VAM
installation. Each VAM product includes:
• Exclusive Intelliscan™ technology, which automatically determines
which scan rules are appropriate for each device.
• The built-in VAM Vulnerability Repair Workflow™.
• Automatic scan rule updates.
• Variable scanning frequency based on device importance.
• Detailed reporting to meet the needs of IT staff, management,
and auditors.
• Easy-to-use, entirely Web-based interface.
VAM effectively addresses many of the threats that the firewall
is incapable of detecting. Through its regularly scheduled and
automated scanning process, VAM identifies any vulnerabilities
introduced by mobile devices or through risky practices such as
application downloads, instant messaging, and peer-to-peer
connections. It also scans for vulnerabilities inherent in third-party
applications, which hackers readily seek to exploit.
VAM’s comprehensive vulnerability database, which can be updated

[Figure residue: threat rows "Unauthorized internet services available" and "Virus detection".]
been seen as one-dimensional products used and understood only
by network specialists. Server VAM introduces much-needed management
tools to VA technology, transforming VA from a solely
technical process to a business process vital to an organization’s
success.
DEFENDING AGAINST COMMON THREATS AND ATTACKS
Figure 6 demonstrates how the layered-security approach protects
against common threats and attacks. The figure shows how each
level plays a key role in contributing to comprehensive, effective
network security. The shaded regions indicate where Border Guard
and VAM products function in the layered-security model. The
common threats presented in Figure 6 include:
• Web server attacks — Web server attacks encompass a wide
variety of problems with nearly every Web server available.
From simple page defacement, to remote system compromise, to
a complete denial of service (DoS), Web server attacks are one
of the most common attacks today. Code Red and Nimda are well-known
Web server attacks.
Figure 6. A typical StillSecure VAM installation. All three VAM products can be installed on a single machine and managed from one user
interface. The shading indicates the coverage each VAM product provides.
Figure 7. Each level contributes to the security of your network. Functioning on levels 1 to 4, StillSecure products defend against
these common threats and others, as the shaded regions indicate.
[Figure 7 residue: a matrix of the common threats against the five levels (1. Perimeter, 2. Network, 3. Host, 4. Application, 5. Data), with Border Guard Wireless among the products shown. Legend: P = Prevents (Border Guard prevents the attack); D = Detects (VAM detects the enabling vulnerability and prevents attack through remediation).]
• Unauthorized internet mail relaying — Improperly configured
Internet email servers are a common cause of email spam. Many
spam-generating companies specialize in finding these servers
and sending hundreds, if not thousands, of spam messages through
them.
• System-level remote host compromise — A number of vulnerabili-
ties provide an attacker with remote control of the compromised
system. Most often this type of remote control is at the system
level, giving the attacker the same privileges as the local system
administrator.
• Unauthorized P2P / IM usage — Most corporations have in
place an acceptable-use policy that prohibits the use of peer-
