Re-Thinking Defense in Depth

Not to be too much of a contrarian, but I have to look at all "truisms" and question them.

Every security punndit in the world talks about Defense in Depth. It is usually invoked to justify having multiple platforms to provide network security. But let's face it. Firewalls are better today than they were in the old TIS toolkit days. They don't have major holes in them. The idea of having two firewalls in series from different manufactureres is just not practised any more. The key factors for choosing a firewall are the ability to segment networks (creating multiple "zones") and be able to load balance firewalls to ensure throughput and uptime.

Every enterprise practises "defense in depth" when it comes to anti-virus though. Desktop, mail server and gateway. At one time it was necessary to use different vendors so that you could be assured of getting the latest virus attack with one of these layers. But today most AV vendors get new signatures out with the first several hours of an attack. Let's face it,gateway AV is all about off-loading the Microsoft Exchange Server. This mission critical server is one of the most difficult and fragile links in the IT chain. If a second vendor's box can protect it from the onslaught of email (and spam) during an outbreak then it is a good investment. Desktop AV will always be needed for Windows systems.

My contention is that Defense in Depth is less about rings of walls and moats and more about defending different protocol layers. Firewalls for layer 2. WA firewalls for HTTP, etc.