https://hackepedia.org/index.php?action=history&feed=atom&title=DefenseInDepthDefenseInDepth - Revision history2026-05-08T17:28:09ZRevision history for this page on the wikiMediaWiki 1.45.3https://hackepedia.org/index.php?title=DefenseInDepth&diff=2570&oldid=prevFranks: changed ssh case sensitivity2006-02-15T03:57:32Z<p>changed ssh case sensitivity</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 20:57, 14 February 2006</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>A common security practice is known as "defense in depth." This comes from a military term of the same name (See [[wikipedia:Defense_in_depth]] for historical details).</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>A common security practice is known as "defense in depth." This comes from a military term of the same name (See [[wikipedia:Defense_in_depth]] for historical details).</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The basic premise is to avoid a single point of failure when defending your systems and network against attackers. This typically means that network traffic must be allowed to pass through multiple checks, in multiple locations within your network. For example, an inbound [[<del style="font-weight: bold; text-decoration: none;">SSH</del>]] session must pass through many tests before the server process even starts the user authorization mechanism:</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The basic premise is to avoid a single point of failure when defending your systems and network against attackers. This typically means that network traffic must be allowed to pass through multiple checks, in multiple locations within your network. For example, an inbound [[<ins style="font-weight: bold; text-decoration: none;">Ssh</ins>]] session must pass through many tests before the server process even starts the user authorization mechanism:</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Access control lists on the border [[router]].</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Access control lists on the border [[router]].</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># One or more rules on a network firewall.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># One or more rules on a network firewall.</div></td></tr>
</table>Frankshttps://hackepedia.org/index.php?title=DefenseInDepth&diff=1896&oldid=prevHawson: Initial page2005-10-27T00:16:34Z<p>Initial page</p>
<p><b>New page</b></p><div>A common security practice is known as "defense in depth." This comes from a military term of the same name (See [[wikipedia:Defense_in_depth]] for historical details).<br />
<br />
The basic premise is to avoid a single point of failure when defending your systems and network against attackers. This typically means that network traffic must be allowed to pass through multiple checks, in multiple locations within your network. For example, an inbound [[SSH]] session must pass through many tests before the server process even starts the user authorization mechanism:<br />
# Access control lists on the border [[router]].<br />
# One or more rules on a network firewall.<br />
# In large networks, perhaps additional router and firewall ACLs.<br />
# A host-based firewall.<br />
# [[TCP Wrappers]], also running on the destination host.<br />
# Any additional application-level access controls (such as Allow/Deny rules in [[Apache]]).<br />
<br />
Once the network traffic has run this gauntlet of tests, the SSH session is allowed to actually begin, and the user may ''attempt'' to [[authenticate]].<br />
<br />
The advantage to using defense in depth is that multiple failures or misconfigurations are required to cause problems. If, for example, the border router has few, if any, restrictions on traffic flow, the network firewall, or host firewall, or tcpwrappers, or an application restriction can stop non-permitted traffic.<br />
<br />
The disadvantage, obviously, is that of complexity. Since the most common (and safest) policy is to [[DefaultDeny|deny everything not explicitly permitted]], each and every place that can restrict traffic must be correctly configured. This can be very frustrating during initial configurations.</div>Hawson