Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
in-depth manner. Defense-in-depth means that redundant protection systems are deployed so that if one or more protection systems are defeated by an attacker, the deployment is still protected by the remaining viable systems.
The NSA’s Information Assurance Technical Framework (IATF) [50] identifies the best current practice for securing network and information systems. This approach provides defense-in-depth protections at strategic locations within a network deployment. Each of these strategic locations needs to have its own set(s) of security controls. These strategic defense locations include:
• Defend the network perimeter (i.e., the AS).
• Defend the enclave boundaries (e.g., communities of interest within the AS).
• Defend each computing device.
• Defend each application.
Figures 14 and 15 show the defense-in-depth provisions at each strategic defense location. These provisions cumulatively form overlapping protection systems such that protection still exists even if an entire system fails. Specifically, applications are partially protected by OS protections. OS protections are partially protected by enclave protections. Enclave protections are partially protected by network defenses.
[Figure 14. Overlapping Defense-in-Depth IA Systems; nested layers labelled “Defend the Perimeter”, “Defend the Enclave”, “Defend the Computer”]
Defense-in-depth specifically means that redundant controls at each strategic defense location form a constituent part of the system design. For example, firewalls traditionally comprise part of a network’s perimeter defense protections. However, as section 4.1 has already explained, there are three well-known attack vectors by which firewall protections can be defeated. For this reason, additional protections (e.g., VPNs, which can also function as enclave protections) are needed at the perimeter defense to maintain network integrity if the firewall protections are defeated.