Republished with permission from
WatchGuard Technologies, Inc.
Containment Security: How to Keep an Attacker In
In The Da Vinci Code, Dan Brown shows how the Louvre, like many art museums, employs containment security. This security strategy emphasizes measures that prevent an intruder who has broken in from escaping with precious artwork. Containment security can work as a network security strategy, too. It helps prevent intruders from removing information assets from your organization's network, and it can also help prevent attackers from using the organization's network as a launch point for subsequent attacks.
Containment security is common in the physical realm. For example, businesses that handle cash and valuable goods in high-crime neighborhoods use "man traps." A man trap has two doors, and only one can be opened at a time. This arrangement "contains" intruders in two ways. A party can enter through the exterior door but cannot pass through the interior door without permission, which gives the store owner a chance to inspect anyone who comes in and to refuse entry if he chooses. It also contains a clever thief who managed to gain entry, by preventing a hasty exit once he has "smashed and grabbed" jewelry or cash. Some man traps are as effective as jail cells: the arrangement described in The Da Vinci Code seals all doors and keeps the intruder locked in the museum until law enforcement arrives.
Containment Security in your network
The principles of containment security extend naturally into network security. We want to keep intruders out of our networks, but if they do manage to get in, we want to prevent them from stealing or doing harm to assets accessible via our networks. For example, we want to prevent unauthorized access to (and misuse of) sensitive information. We want to prevent misuse of bandwidth. We also want to prevent intruders from doing harm from our network. If we "good guys" are ever to get ahead of the broader attack curve, we must do more to prevent intruders from using our networks as a vector for Denial of Service attacks and as distributed hosts of spam and emails containing viruses.
Fortunately, many policies and measures you can implement will prevent intruders from doing harm to and from your network. Containment measures can be applied at many levels, and at locations throughout your network. Many can be implemented in Firebox X firewalls. Firebox X proxies are the data equivalent of a man trap: the packet doesn't move on until the proxy is done inspecting it.
What would containment security look like on your network? Here are sample ideas of egress traffic handling policies you might implement:
There is no set list of best practices for containment security. Your organization will have to decide what kinds of outbound traffic pose significant threats, and what types of information merit additional measures to prevent disclosure via outbound channels. Be creative. In some cases, containment measures may prevent your organization from embarrassment or a tarnished reputation.
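To make the idea concrete, here is an added example (not code from the original column, and not Firebox configuration) of what an egress policy looks like when written down and run against traffic records. The network layout, the three sanctioned egress hosts (an internal resolver, a mail relay and a web proxy) and the rule set are assumptions chosen for illustration; the flow records are constructed using documentation address ranges. The evaluator applies a default-deny outbound policy, and a second check flags internal hosts other than the relay that open SMTP sessions to many external servers, which is the pattern of a spam bot using your network as a launch point.

```python
"""Egress ("containment") policy evaluator run over sample flow records.

Added example, not code from the original column or from WatchGuard. The
addresses and the rule set are assumptions chosen to illustrate the idea;
the point is the shape of the policy, not the specific numbers.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network layout: one internal block and three hosts that are the
# only sanctioned paths out for DNS, mail and web traffic respectively.
INTERNAL = ip_network("10.0.0.0/8")
DNS_RESOLVER = ip_address("10.0.0.53")
MAIL_RELAY = ip_address("10.0.0.25")
WEB_PROXY = ip_address("10.0.0.80")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


# Egress rules, first match wins. Anything not listed is denied: the
# "man trap" default is that traffic does not leave until a rule says so.
EGRESS_RULES = [
    ("dns: only the resolver may query the Internet",
     lambda f: f.dport == 53 and ip_address(f.src) == DNS_RESOLVER),
    ("smtp: only the mail relay may deliver mail outbound",
     lambda f: f.proto == "tcp" and f.dport == 25 and ip_address(f.src) == MAIL_RELAY),
    ("web: only the proxy may fetch HTTP/HTTPS",
     lambda f: f.proto == "tcp" and f.dport in (80, 443) and ip_address(f.src) == WEB_PROXY),
]


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'internal', 'allow' or 'deny'."""
    if is_internal(flow.dst):
        return "internal", "destination is inside; not an egress decision"
    for reason, matches in EGRESS_RULES:
        if matches(flow):
            return "allow", reason
    return "deny", "default deny: no egress rule permits this flow"


def denied_flows(flows) -> list[tuple[Flow, str]]:
    """Flows the containment policy would stop, each with its reason."""
    out = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            out.append((f, reason))
    return out


def smtp_fanout_suspects(flows, threshold: int = 2) -> dict[str, int]:
    """Internal hosts other than the relay that opened SMTP to at least
    `threshold` distinct external servers: the signature of a spam bot or
    a mass-mailing worm using the network as a launch point."""
    targets = defaultdict(set)
    for f in flows:
        if (f.proto == "tcp" and f.dport == 25 and is_internal(f.src)
                and not is_internal(f.dst) and ip_address(f.src) != MAIL_RELAY):
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "10.0.0.53", 53, "udp"),      # workstation -> internal resolver
    Flow("10.0.0.53", "192.0.2.53", 53, "udp"),      # resolver forwards upstream
    Flow("10.0.1.15", "192.0.2.53", 53, "udp"),      # workstation bypasses the resolver
    Flow("10.0.0.25", "203.0.113.10", 25, "tcp"),    # relay delivers mail
    Flow("10.0.1.15", "203.0.113.10", 25, "tcp"),    # workstation sends SMTP directly...
    Flow("10.0.1.15", "203.0.113.11", 25, "tcp"),    # ...to several servers
    Flow("10.0.1.15", "203.0.113.12", 25, "tcp"),
    Flow("10.0.0.80", "198.51.100.5", 443, "tcp"),   # proxy fetches a page
    Flow("10.0.1.15", "198.51.100.5", 443, "tcp"),   # workstation bypasses the proxy
    Flow("10.0.1.22", "198.51.100.9", 6667, "tcp"),  # server talks to an IRC port
]

if __name__ == "__main__":
    for f, why in denied_flows(SAMPLE_FLOWS):
        print(f"DENY {f.src} -> {f.dst}:{f.dport}/{f.proto}  ({why})")
    for src, n in smtp_fanout_suspects(SAMPLE_FLOWS).items():
        print(f"SUSPECT {src}: SMTP to {n} distinct external hosts, and it is not the relay")
```

Two design points carry over to a real firewall. First, the rules name the sanctioned source host for each service rather than just the port, so a compromised workstation cannot use port 53, 25 or 443 as an exit simply because those ports are "open." Second, the fan-out check is a detection, not a block: it tells you which internal machine to go and look at, which is the network equivalent of the store owner inspecting whoever is standing between the two doors.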
Also, take the Da Vinci Code analogy with a grain of salt. Dr. Robert Langdon got one thing wrong. While taking in the Louvre crime scene and the containment measures that helped the curator leave his secret message, Langdon mused, "Forget about keeping them out. Keep them in." When securing your network, containment security is an additive measure. You can't afford to "forget about keeping them out"; you must still do your best to repel attackers. Adding containment security helps you hedge your bets.
Author's Note: My tenure as a LiveSecurity columnist is coming to an end. For nearly six years, WatchGuard Technologies has provided me with enormous editorial latitude so that I could explore a multitude of security issues and take you, my audience, beyond firewalls. I've had the distinct pleasure of working with a very fine technical staff, an outstanding editor, and an appreciative audience. I cannot thank you enough for your positive feedback on so many of my columns, and wish you all great success in your future security endeavors. Please do keep in touch. I'm always reachable at firstname.lastname@example.org.
Copyright © 2006, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.