Topologies and IDS • Chapter 7 431
make great choices for creating a “defense in depth” strategy, but remember that the more work the firewall is doing to support these other functions, the more chance there is that these additional tools may impact the throughput of the firewall device.
Figure 7.3 A Sample Firewall Rule Set
Head of the Class…
Using a Defense-in-Depth Strategy
The defense-in-depth strategy specifies the use of multiple layers of network security. In this way, you avoid depending on one single protective measure deployed on your network. In other words, to eliminate the false sense of security that comes from having implemented a firewall on your Internet connection, you should implement other security measures such as an IDS, auditing, and biometrics for access control. You need many levels of security (hence, defense in depth) to be able to feel safe from potential threats. A possible defense-in-depth matrix with auditing included could look like the graphic in Figure 7.4.
Figure 7.4 A Graphical Representation of Defense in Depth (layers shown in the figure: Security Policy; Auditing and Access Control; Firewall; IDS System)
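To make the layering in Figure 7.4 concrete, the following is an added example written for this page, not code from the book or from any product it describes. It models three of the layers as a pipeline: a first-match firewall rule set with an implicit final deny, a signature-based IDS that inspects only traffic the firewall has admitted, and an audit trail that records every decision. The rule set, the signatures and the sample connections are all constructed for illustration; the point is that a request allowed by the firewall (port 80 to a public web server) can still be flagged by the IDS, which is exactly why no single layer should be relied on.

```python
"""Added example: a toy model of the layered controls in Figure 7.4.
Firewall rules, IDS signatures and sample traffic are constructed here
for illustration and are not the book's own rule set."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR, or "any" to match every source
    dst_port: Optional[int]     # None matches any destination port
    proto: str = "tcp"


@dataclass
class Connection:
    src_ip: str
    dst_port: int
    proto: str
    payload: bytes = b""


# Constructed firewall rule set, evaluated top to bottom; first match wins.
FIREWALL_RULES = [
    Rule("deny", "10.0.0.0/8", None),       # internal range must never arrive from outside (anti-spoof)
    Rule("allow", "any", 80),               # public web server
    Rule("allow", "any", 443),
    Rule("allow", "203.0.113.0/24", 22),    # admin SSH only from the management network
]

# Constructed IDS signatures: byte patterns searched for in the payload.
IDS_SIGNATURES = {
    "path-traversal": b"../..",
    "sql-injection": b"' OR 1=1",
}


def firewall_decision(conn, rules=FIREWALL_RULES):
    """Return (action, rule_index); rule_index is None when the implicit deny applies."""
    src = ipaddress.ip_address(conn.src_ip)
    for i, rule in enumerate(rules):
        if rule.proto != conn.proto:
            continue
        if rule.src != "any" and src not in ipaddress.ip_network(rule.src):
            continue
        if rule.dst_port is not None and rule.dst_port != conn.dst_port:
            continue
        return rule.action, i
    return "deny", None  # nothing matched: the implicit deny at the end of the set


def ids_alerts(conn, signatures=IDS_SIGNATURES):
    """Names of every signature whose pattern appears in the payload."""
    return [name for name, pattern in signatures.items() if pattern in conn.payload]


def inspect(conn, audit_log):
    """Pass one connection through each layer, logging every outcome."""
    action, idx = firewall_decision(conn)
    audit_log.append(f"firewall {action} src={conn.src_ip} dport={conn.dst_port} rule={idx}")
    if action == "deny":
        return "blocked-by-firewall"
    alerts = ids_alerts(conn)
    for name in alerts:
        audit_log.append(f"ids alert {name} src={conn.src_ip} dport={conn.dst_port}")
    return "ids-alert" if alerts else "allowed"


def run_sample():
    """Run constructed sample traffic through the pipeline; return (outcomes, audit log)."""
    log = []
    samples = [
        Connection("198.51.100.7", 80, "tcp", b"GET /index.html"),          # ordinary web request
        Connection("198.51.100.7", 80, "tcp", b"GET /../../etc/passwd"),    # firewall allows it, IDS flags it
        Connection("198.51.100.7", 22, "tcp"),                              # SSH from outside mgmt net: implicit deny
        Connection("10.1.2.3", 443, "tcp"),                                 # spoofed internal source: rule 0
    ]
    return [inspect(c, log) for c in samples], log


if __name__ == "__main__":
    outcomes, audit = run_sample()
    for line in audit:
        print(line)
    print(outcomes)
```

The audit trail is deliberately written by every layer, including the firewall's allow decisions; that is what lets an analyst reconstruct later that the second request was admitted on rule 1 and only then caught by the IDS. The same structure also shows the throughput trade-off noted above: each additional layer the firewall host performs in-line is another pass over every admitted connection.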
www.syngress.com