Server-Specific Security
Server-Specific Security is an extension of the layered model with access control for each server. A policy rule set is provided for each server to define which users have access and which are denied. With precise granularity, this individually locks down the important data held on each server. This is considered "intrusion prevention," and it provides the highest level of security against unintended access.
There is no "trusted network" inside the perimeter gateway or between resources. The perimeter does not define a common set of rules for all servers, so multiple holes in the gateway do not provide an avenue of entry to protected server systems. Each server has a unique policy designed to allow access solely for its function, and presents only one hole, whether to the inside or the outside.
The strategy is no different from placing layers of protection in banks, museums, government buildings, or even homes. Even with the most efficient border patrol and police, no bank could survive long without armed guards, outside doors with locks, motion detectors, cameras, locked or guarded areas inside, or vaults with safe deposit boxes. This, along with government audits and monitoring of bonded employees, protects the bank's assets.
Who would put their valuables in a bank where the cash sat on a shelf in a locked closet and where there were hundreds of similar keys issued to employees? Who would do the same with corporate data? Surprise, we do all the time!
Saying it differently for emphasis: Server-Specific Security focuses intrusion prevention at the target of an attack, not at the presumed point of entry. It operates alongside existing defenses to further enhance protection from the outside. It can provide encryption of data by establishing VPN connections across the corporate intranet, crippling snoopers on the common network. Placing a firewall on each server prevents access to that server except by defined users from an authorized terminal. It scales easily, because each added server function receives a custom, properly sized level of protection matched to its needs and capacity.
An example of the layered approach includes firewalls installed at the perimeter, plus VPN access to protect mail and other sensitive data communications. Each critical corporate data server would have its own rules: Server-Specific firewalls grant controlled access to the files and data on every server to those who need it, while other participants would have access only to the data needed to do their job.
For example, the summer intern would have access to help desk files, but be prohibited from accessing customer lists, go-to-market plans, engineering designs, or even e-mail. Sales might have access to mail and customer data, but be excluded from information about upcoming products on the engineering server. Perhaps the CEO's and CFO's teams would be the only ones with VPN access to financial and employee data. All might implement FireDoor (explained shortly) for worm containment. With a dedicated firewall limiting port services, a WAP connection is now effectively on its own DMZ, and in this example can only see the Internet. Other services and servers can be opened to the WAP by changing its dedicated firewall policy.
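The per-server, default-deny policy model described above, as an added illustration that is not code from the original page or from any product it describes. The role names, server names, ports and address ranges (including the VPN client pool) are constructed assumptions; each server carries only the rules its function needs, and a request that matches no rule is dropped.

```python
"""Per-server default-deny policy evaluator (constructed illustration)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    roles: set        # who may connect
    ports: set        # which service ports are opened (the single "hole" for this function)
    from_nets: tuple  # authorized terminals: LAN segments or the VPN client pool


@dataclass
class ServerPolicy:
    name: str
    rules: list = field(default_factory=list)  # no rules means nothing reaches this server

    def allows(self, role, src_ip, port):
        ip = ip_address(src_ip)
        for r in self.rules:
            if role in r.roles and port in r.ports and any(ip in n for n in r.from_nets):
                return True
        return False  # default deny: unmatched requests never reach the server


def net(*cidrs):
    return tuple(ip_network(c) for c in cidrs)


# Assumed address ranges: the corporate LAN and the pool handed to VPN-terminated clients.
LAN = net("10.0.0.0/8")
VPN_POOL = net("10.250.0.0/24")

# Constructed policies mirroring the roles in the text: intern, sales, engineering, exec team.
POLICIES = {
    "helpdesk":    ServerPolicy("helpdesk",    [Rule({"intern", "sales", "exec_team"}, {443}, LAN)]),
    "mail":        ServerPolicy("mail",        [Rule({"sales", "exec_team"}, {993, 587}, LAN)]),
    "customers":   ServerPolicy("customers",   [Rule({"sales", "exec_team"}, {5432}, LAN)]),
    "engineering": ServerPolicy("engineering", [Rule({"engineer"}, {22, 443}, LAN)]),
    "finance":     ServerPolicy("finance",     [Rule({"exec_team"}, {443}, VPN_POOL)]),
}


def check(server, role, src_ip, port):
    """Decide one request; a server with no policy is denied like everything else."""
    policy = POLICIES.get(server)
    return policy is not None and policy.allows(role, src_ip, port)


def audit(requests):
    """Return (request, decision) pairs for a batch of (server, role, src_ip, port) tuples."""
    return [(req, check(*req)) for req in requests]
```

Note that the finance rule only matches sources inside the VPN pool, so an exec-team user on an ordinary LAN jack is refused until a VPN session is established.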
Server-Specific Security may define encrypted VPN paths between authorized users and given servers. An open termination is then no longer useful for snooping data from the common LAN. While it works with existing perimeter defenses and detection to enhance external protection, Server-Specific Security is the only positive means that can thwart an attack mounted from the inside!