Deep theater defense

We all know perimeter firewalls are necessary but not sufficient. But what's the right strategy for building additional layers of security? Greg Machler dives in.

As an executive, do you ever worry whether your corporate brand is properly protected against a lapse in technological integrity? Corporations today hold sensitive HR data, financial data, and often consumer data. If this data is compromised, the outside world usually finds out, lawsuits are initiated and the corporate brand is tarnished. This could lead consumers to think twice about purchasing your products or services.

In the case of retail organizations, how does one effectively protect customer credit card data? Consider deploying an IT architecture that information security professionals call a deep-theater defense. Let's investigate the design of this protective architecture:


First, put sensitive data in a second tier of firewall segments behind the main corporate firewalls. This second-tier firewall and its corresponding network shield sensitive applications and their data from being easily accessed if the Web-facing firewalls are breached.

For example, many national retailers sell groceries and have a pharmacy. It would be wise to deploy at least five firewall/network segments: one for HR data, one for financial data, one for credit card PCI (Payment Card Industry) data, one for pharmacy (HIPAA) data, and one for services that the other segments share.

The segment containing services that are shared could contain common support services such as network and systems management, encryption and PKI functions, access control services, and security event management functions. Another architectural implementation that protects corporations from internal data theft is the creation of a tunneling access protocol. Often, critical systems are accessed by administrators and outside vendors.

It is important that all access to these applications be logged so that if an internal data breach occurs, the source can be discovered. It is important that the second-tier firewall close its administrative port access so that administration can only be initiated from the segment for common services. One wants to prevent access from administrative tools that exist in front of the second-tier firewalls.

Applications need to be ported behind the deep theater second-tier firewalls. Where does one start?

I recommend starting with the application design document. It gives you a big-picture understanding of what business need the application serves, how it is logically designed, and which protocols it uses. It is important to focus on all the systems the application interacts with, and to determine which portions of the application will be deployed behind the second-tier firewall. Some portions of the application may be out of scope.

Secondly, your security team will have a variety of information collected about the application: what data is sensitive, how and which tools are used to encrypt the data, and penetration testing results if it is a Web-facing application. This security review gives the information security team a level of confidence in how well the data is protected. This leads to them signing off on the initial information security design. A small aside, due to the ever-increasing need to protect Web applications properly, it may be necessary for the industry to start certifying applications before they are deployed on the Web. This enables consumers to have a level of confidence in using your application, without being compromised by phishing.

Thirdly, I recommend creating a protocol diagram showing all servers and their IP addresses, the protocols and protocol (TCP or UDP) ports being used. This network view specifically shows which servers need to talk to each other and which protocols (ports) they will use to do it. It is not necessary to include switches, routers, and other network infrastructure components because the protocols/ports just ride over them.

If the protocol diagram is thorough, creating the firewall rules should be a simple step. Firewall rules are made up of source and destination IP (Internet Protocol) addresses, the protocol used, and the ports that ride on top of that protocol. For example, one may open a hole in the firewall to enable an administrator to use SSH (Secure Shell), which uses port 22 on TCP (Transmission Control Protocol). The SSH client may be executed from a server in the common services segment and talk to hundreds of destination servers (the firewall allows one to create server groups) in the various second-tier segments.
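The following is an added example, not code from the article or its author: it turns a small protocol diagram (server names, segments, addresses and the flows between them, all constructed for illustration) into allow rules with a default deny, and rejects any administrative flow such as SSH that does not originate in the common-services segment, which is the access restriction the text describes for the second-tier firewalls.

```python
from dataclasses import dataclass

# Second-tier segments named in the article plus a front-tier "dmz" segment
# for hosts that sit in front of the second-tier firewalls (assumed name).
SEGMENTS = {"hr", "finance", "pci", "hipaa", "common", "dmz"}
# Administrative protocols that may only be initiated from common services.
ADMIN_PORTS = {("tcp", 22), ("tcp", 3389)}

@dataclass(frozen=True)
class Flow:
    src: str    # source server (or server group) name
    dst: str    # destination server (or server group) name
    proto: str  # "tcp" or "udp"
    port: int

# Constructed sample inventory: name -> (segment, address). Addresses are made up.
SERVERS = {
    "mgmt-jump":   ("common", "10.0.0.10"),
    "pos-gateway": ("pci",    "10.0.3.20"),
    "pci-db":      ("pci",    "10.0.3.30"),
    "hr-app":      ("hr",     "10.0.1.20"),
    "web-admin":   ("dmz",    "192.0.2.5"),   # front-tier host; must not administer the second tier
}

def admin_violations(servers, flows):
    """Return admin-port flows whose source is not in the common-services segment."""
    return [f for f in flows
            if (f.proto, f.port) in ADMIN_PORTS and servers[f.src][0] != "common"]

def build_rules(servers, flows):
    """Emit one allow rule per diagrammed flow, then a default deny between segments."""
    bad = admin_violations(servers, flows)
    if bad:
        raise ValueError(f"admin access from outside common services: {bad}")
    rules = []
    for f in flows:
        src_seg, src_ip = servers[f.src]
        dst_seg, dst_ip = servers[f.dst]
        rules.append(f"allow {f.proto}/{f.port} {src_ip} ({src_seg}) -> {dst_ip} ({dst_seg})")
    rules.append("deny any any -> any")   # nothing not on the diagram crosses a segment
    return rules

FLOWS = [
    Flow("mgmt-jump", "pci-db", "tcp", 22),      # SSH from common services: allowed
    Flow("pos-gateway", "pci-db", "tcp", 5432),  # app-to-database flow inside the PCI segment
    Flow("mgmt-jump", "hr-app", "tcp", 22),
]
BAD_FLOWS = FLOWS + [Flow("web-admin", "pci-db", "tcp", 22)]  # SSH from the front tier: rejected

if __name__ == "__main__":
    print("\n".join(build_rules(SERVERS, FLOWS)))
```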

In summary, executives can feel more at peace if their critical applications and corresponding data are protected via a deep-theater defense. Segmented applications use common techniques to protect similar types of corporate data. Common services exist in one of the segments that can be shared by all segmented applications.

This architecture protects the applications more thoroughly because it requires fewer firewall holes to be created between services behind the first-tier firewalls and the second-tier firewalls. Tracked administrative access ensures that administrators are held accountable for accessing data on the systems they manage. Lastly, a variety of documentation should be created and/or reviewed to make sure that the porting of applications behind the second-tier deep-theater defense firewalls goes well.

Machler is an independent IT architect/marketing consultant focused on IT and product solutions that intersect both marketing and engineering. Reach him at
