What type of diversity is being implemented if a company is using multiple security products?

3.7. Diversity of Defense

Diversity of defense is closely related to depth of defense but takes matters a bit further; it's the idea that you need not only multiple layers of defense, but different kinds of defense. Having a door lock and an ignition lock on a car is depth of defense; adding an alarm system creates not only depth but also diversity, by adding a completely different kind of defense. Now, you are not only trying to keep people from being able to use the vehicle, you're also trying to attract attention to people who're attacking it.

Properly implemented, diversity of defense makes a significant difference to the security of a system. However, many attempts to create diversity of defense are not particularly effective. A popular theory is to use different types of systems -- for instance, in an architecture that has two packet filtering systems, you can increase diversity of defense by using systems from different vendors. After all, if all of your systems are the same, somebody who knows how to break into one of them probably knows how to break into all of them.

Using security systems from different vendors may reduce the chances of a common bug or configuration error that compromises them all. There is a trade-off in terms of complexity and cost, however. Procuring and installing multiple different systems is going to be more difficult, take longer, and be more expensive than procuring and installing a single system (or even several identical systems). You're going to have to buy the multiple systems (at reduced discounts from each vendor because you're buying less from them) and multiple support contracts to cover them. It's also going to take additional time and effort for your staff to learn how to deal with these different systems.

If you're not careful, you can create diversity of weakness instead of diversity of defense. If you have two different packet filters, one of them in front of the other, then using different products will help protect you from weaknesses in either one. If you have two different packet filters, each separately allowing traffic to come in, then using different products will merely make you vulnerable to two different sets of problems instead of one.

Worse yet, all these problems caused by differences may not have bought you true diversity. Beware of illusionary diversity. Two systems with different companies' names on the front may have more in common than you think:

  • Systems of the same type (for instance, packet filters) share the inherent weaknesses of the technology.
  • Systems configured by the same people are probably configured with the same weaknesses.
  • Many different systems share the same code lineage -- code for things like TCP/IP protocol stacks is rarely written from scratch.
  • It's not unusual for companies to simply resell other people's technology under their nameplates.

We'll look at each of these issues in the following sections.

3.7.1. Inherent Weaknesses

If an attack gets through your packet filters because it relies on subverting a theoretically safe protocol, it will go through any number of packet filters, regardless of who they're made by. In this case, true diversity of defense is backing up a packet filter with a proxy system, which has some hope of recognizing protocol problems.
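
The series-versus-parallel and inherent-weakness arguments above, as an added sketch that is not part of the original text: each device is modelled as the set of attack classes it fails to stop. The device names and weakness labels are constructed for illustration, and the proxy is assumed to recognize the protocol problem.

```python
"""Toy model: which attack classes get through a filtering architecture."""
from functools import reduce

# Constructed labels for illustration; not real product flaws.
PROTOCOL_ABUSE = "abuse of a permitted protocol"  # inherent to packet filtering
A_BUG = "vendor A implementation bug"
B_BUG = "vendor B implementation bug"
PROXY_BUG = "proxy implementation bug"

# Each device maps to the attack classes it fails to stop.
DEVICES = {
    "filter_a": {PROTOCOL_ABUSE, A_BUG},
    "filter_b": {PROTOCOL_ABUSE, B_BUG},
    "filter_b_resold_a": {PROTOCOL_ABUSE, A_BUG},  # vendor B nameplate, vendor A code
    "proxy": {PROXY_BUG},  # assumption: the proxy catches the protocol problem
}

def passes(node):
    """Return the attack classes that get through an architecture.

    node is a device name, ("series", [nodes]) for devices placed one
    behind the other, or ("parallel", [nodes]) for separate ways in.
    """
    if isinstance(node, str):
        return set(DEVICES[node])
    kind, children = node
    sets = [passes(child) for child in children]
    if kind == "series":    # an attack must beat every layer
        return reduce(set.intersection, sets)
    if kind == "parallel":  # an attack needs only one way in
        return reduce(set.union, sets)
    raise ValueError(f"unknown topology: {kind}")

ARCHITECTURES = {
    "two identical filters in series": ("series", ["filter_a", "filter_a"]),
    "two vendors in series": ("series", ["filter_a", "filter_b"]),
    "two vendors in parallel": ("parallel", ["filter_a", "filter_b"]),
    "resold product in series": ("series", ["filter_a", "filter_b_resold_a"]),
    "filter backed by proxy": ("series", ["filter_a", "proxy"]),
}

if __name__ == "__main__":
    for name, arch in ARCHITECTURES.items():
        print(f"{name:32} -> {sorted(passes(arch))}")
```

Two vendors in series leave only the inherent protocol weakness; the same two in parallel expose both vendors' bugs, and the resold product gains nothing over two identical filters.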

What term describes a layered security approach that provides comprehensive protection?

Defense-in-depth.

What process describes using technology as a basis for controlling the access and usage of sensitive data?

41.1. Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network.

Which term is frequently used to describe the task of securing information that is in a digital format?

Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks.

In what kind of attack can attackers make use of millions of computers under their control in an attack against a single server or network?

Cards

Term: Smart phones give the owner of the device the ability to download security updates.
Definition: False

Term: In what kind of attack can attackers make use of millions of computers under their control in an attack against a single server or network?
Definition: distributed