
Security — More Than "a Necessary Evil"

The standard for network security in many law firms follows a “crunchy on the outside, chewy on the inside” approach — organizations tend to focus on perimeter security, protecting the “us” versus “them.”  Although the perimeter is an important part of network security, similar to the moat around a castle, it is not enough to focus most, or all, of one’s defenses in this area.  Just as the medieval castle also had turrets for archers, a portcullis at the gate and a fortified inner wall, firms seeking to enhance their security, mitigate risks and meet regulatory compliance need to establish multiple layers of network security.

Determine What to Protect
The first step in creating a defense-in-depth model for network security is to examine what needs to be protected.  Firms should determine where the most valuable information assets are stored, how they are accessed and by whom.  Then examine what impact it would have on the firm if the information were compromised, deleted or stolen.  Once the values have been established, you can determine where security can be added or enhanced.

How to Protect the Important Assets
There are many areas where security can be added to, or augmented in, an enterprise network.  One should consider the following areas when creating a defense-in-depth model:

Multiple firewalls

Multiple vendor products

Host- and network-based solutions

High availability where possible

Layering the Defenses
Once firms have an understanding of what they are protecting, zones of trust can be established.  Just as the military and intelligence communities operate on a “need to know” basis, so too should network security.  For example, a firm might choose to segregate networks and servers into separate subnets, with accounting in one, paralegals and the least sensitive client and legal data in another, the firm’s attorneys in another, and the senior partners and management in yet another.  By compartmentalizing the groups, greater control over the information flow and access to data can be achieved.  Additionally, attempts to access information can be logged, with details on events available for auditing and compliance reports.  To implement this division, a firewall could contain many network adapters, but a better approach is to use multiple firewalls; by doing so, maintenance windows, attacks and other system events don’t affect the entire organization.
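The zone-of-trust model described above, as an added worked example that is not part of the original article: a small policy evaluator for the four subnets the text names (accounting, paralegals, attorneys, partners), with an explicit inter-zone allow list, default deny for everything else, and an audit log from which a compliance report can be summarized. All addresses, ports and allow-list entries are constructed for the example; a real firm would derive them from the asset inventory described under "Determine What to Protect".

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Zones of trust: four subnets matching the article's example split. The
# address ranges are constructed for this example, not taken from any firm.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "accounting": ipaddress.ip_network("10.10.1.0/24"),
    "paralegals": ipaddress.ip_network("10.10.2.0/24"),
    "attorneys":  ipaddress.ip_network("10.10.3.0/24"),
    "partners":   ipaddress.ip_network("10.10.4.0/24"),
}

# Explicit inter-zone allow list as (source zone, destination zone, TCP port).
# Anything not listed is denied: the "need to know" default. Also constructed.
ALLOW: Set[Tuple[str, str, int]] = {
    ("attorneys", "paralegals", 445),  # attorneys read case files on the paralegal share
    ("partners", "attorneys", 445),    # partners read attorney work product
    ("partners", "accounting", 443),   # partners use the billing web application
}


@dataclass(frozen=True)
class AuditEntry:
    """One logged access attempt; the raw material for audit and compliance reports."""
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_zone: str
    dst_port: int
    verdict: str


def zone_of(addr: str) -> Optional[str]:
    """Return the zone containing addr, or None if it lies outside every zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int, log: List[AuditEntry]) -> str:
    """Decide ALLOW/DENY for one connection attempt and record it in the audit log."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        verdict = "DENY"      # an endpoint outside every known zone is never trusted
    elif src_zone == dst_zone:
        verdict = "ALLOW"     # the zone firewall only mediates traffic between zones
    elif (src_zone, dst_zone, dst_port) in ALLOW:
        verdict = "ALLOW"
    else:
        verdict = "DENY"      # default deny for any unlisted inter-zone flow
    log.append(AuditEntry(src_ip, src_zone or "unknown", dst_ip,
                          dst_zone or "unknown", dst_port, verdict))
    return verdict


def denied_by_source(log: List[AuditEntry]) -> Dict[str, int]:
    """Compliance-report view: how many denied attempts originated in each zone."""
    counts: Dict[str, int] = {}
    for entry in log:
        if entry.verdict == "DENY":
            counts[entry.src_zone] = counts.get(entry.src_zone, 0) + 1
    return counts


def run_sample() -> List[AuditEntry]:
    """Replay a few constructed connection attempts through the policy."""
    log: List[AuditEntry] = []
    evaluate("10.10.3.15", "10.10.2.10", 445, log)   # attorney -> paralegal share: allowed
    evaluate("10.10.2.10", "10.10.4.5", 445, log)    # paralegal -> partner host: denied
    evaluate("10.10.1.5", "10.10.1.6", 22, log)      # accounting -> accounting: same zone
    evaluate("10.10.2.10", "10.10.1.5", 443, log)    # paralegal -> billing app: denied
    evaluate("192.168.99.1", "10.10.1.5", 443, log)  # address outside every zone: denied
    return log


if __name__ == "__main__":
    for e in run_sample():
        print(f"{e.verdict:5} {e.src_zone:10} {e.src_ip:>13} -> "
              f"{e.dst_zone:10} {e.dst_ip:>13}:{e.dst_port}")
    print("denied attempts by source zone:", denied_by_source(run_sample()))
```

The point to notice is that every denied attempt is written to the log, not just the allowed ones; the compartmentalization is what makes the per-zone denial counts meaningful for an auditor, and the same allow list can be expressed as rules on each of the separate zone firewalls the article recommends.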

Segregation, perhaps by using multiple firewalls, is only one approach.  In addition to deploying multiple firewalls to control access between one or more networks, firms may also want to consider deploying firewalls from different vendors.  By doing so, a compromise or vulnerability in one vendor’s implementation will likely not cause the unraveling of the entire security architecture.  The same principle applies to antivirus, URL filtering, intrusion detection/prevention and virtual private networks (VPNs).

With antivirus and intrusion detection/prevention, as well as firewalls, host- and network-based options are available.  Both should be deployed, as they enhance the layers of defense available to the firm.  The attorneys and other employees should have antivirus software on their PCs, as well as personal firewalls, VPN client software and possibly host-based intrusion detection systems (IDS).  A firm could mitigate virus risk, for example, by having Norton AntiVirus on the PCs, yet use Trend Micro or Sophos as a gateway solution to provide virus protection at the server and network level.  By doing so, an administrator can improve the chances that at least one of the vendors will have a signature for a new virus in time to prevent an outbreak.  Also, by using a gateway product in addition to desktop antivirus, the risk of an outbreak is lessened even in the event that a user disables the desktop version.

Security is commonly thought of as a necessary evil, where implementation is a trade-off against convenience and ease of use.  It’s important, as a firm adds layers to its defenses, to ensure that the business processes — court filings, document management of depositions, etc. — are unaffected.  Therefore, firms should use high-availability solutions wherever possible.  For example, firewall and VPN gateways can often be made redundant, whether in a basic hot-standby configuration or in full clusters performing load balancing.  Antivirus and URL filtering systems can also be made redundant for performance and availability by using third-party load balancing or clustering solutions.

Other Considerations
Although leading security practices from The SANS Institute and CERT, among others, suggest layered defenses, there are impacts to a firm’s IT department.  The importance of determining the value of what you are protecting comes into play as one weighs the need for enhanced security.  Multiple vendor solutions, high availability and other options will provide much better security, but they will also add complexity to network management and increase overall IT costs.

Conclusion
A defense-in-depth approach to network security, replacing the outdated perimeter model, can greatly enhance a firm’s security posture and mitigate risks to reputation, client information and the firm’s assets.

About our author . . .

Mark Boltz is a senior security consultant with Stonesoft, an innovator in business continuity and network security solutions. Mark can be reached at Mark.Boltz@stonesoft.com.
