Defending anything isn’t easy. From geopolitical borders to closely-held opinions, humans will defend that which is theirs or that which assists them in achieving a goal. To varying degrees, citizens, governments, and companies must all take a serious approach to their cyber-security practices. For this article, I will be focusing on companies.

捍卫一切都不容易。 从地缘政治边界到根深蒂固的观点，人类将捍卫属于自己的或协助实现目标的事物。 公民，政府和公司都必须在不同程度上认真对待其网络安全实践。 对于本文，我将重点介绍公司。

According to the 2014 paper from Kholekile L. Gwebu and others, companies lose on average 22.54% in the following year after a data breach is announced. That number, the paper, nor does anyone else take into account the effectiveness or speed of the company’s incident response plan. All that matters to people is that their data may have been stolen. After a breach, the only thing that matters is that it happened. This is why a pre-attack policy and strategy must be implemented. Preparing for an attack and not having one is better than not preparing and possibly losing everything.

根据Kholekile L. Gwebu等人在2014年发表的论文，在宣布数据泄露后的第二年，公司平均损失22.54％。 该数字，本文以及其他任何人都未考虑公司事件响应计划的有效性或速度。 对人们而言，最重要的是他们的数据可能已被盗。 违反之后，唯一重要的是它发生了。 这就是为什么必须实施攻击前的政策和策略的原因。 准备攻击而不进行攻击比不准备并且可能丢失所有东西要好。

This is where a Defense in Depth (DiD) strategy comes into play. DiD is a layered security approach that looks at an attack surface as a 3-dimensional object versus the traditional single point of entry. DiD is a multi-layered approach to defending your environment and ensuring your safety from different attack vectors across your attack surface.

这就是深度防御(DiD)策略发挥作用的地方。 DiD是一种分层的安全性方法，将攻击表面视为3维对象，而不是传统的单个进入点。 DiD是一种多层方法，可保护您的环境并确保整个攻击面上的不同攻击媒介的安全。

Implementing DiD isn’t as simple as Sudo apt-get install defense-in-depth. No, the strategy known as Defense in Depth is an idea that incorporates the use of different protection methods across the surface. Some articles have explained DiD as a locked door that, when opened, leads to another locked door with a different key, which leads to another locked door with a different key. This approach to the explanation is straightforward, but is a bit misleading. It implies the second locked door is of similar weaknesses. DiD is the use of many security tools or mechanisms that prevents an attack from using the same exploit multiple times.

实施DiD并不像Sudo apt-get install-in-depth那样简单。 不，被称为“深度防御”的策略是一种在表面上结合使用不同保护方法的想法。 一些文章将DiD解释为一扇锁着的门，当打开时，它会通向另一把带有不同钥匙的锁着的门，而锁到另一把带有不同钥匙的锁着的门。 这种解释的方法很简单，但是有点误导。 这意味着第二扇上锁的门也有类似的弱点。 DiD是许多安全工具或机制的使用，可以防止攻击多次使用同一漏洞利用程序。

If we had a network of all windows devices (this is uncommon, but lets imagine) ranging from edge to endpoint, a single exploit in the Windows OS could allow unauthorized access to each level of the network. A DiD approach to a network would involve a firewall behind another firewall, both of different brands, to prevent the exploitation of one leading to access of the other. After the firewall, then we could implement our Windows Server, not publicly facing of course. On endpoints, we place anti-virus or anti-intrusion software to once again reduce the attack surface by minimizing the number of threat vectors.

如果我们拥有从边缘到端点的所有Windows设备的网络(这是罕见的，但可以想象)，则Windows操作系统中的一个漏洞利用可能允许未经授权的访问网络的每个级别。 DiD网络方法将在另一个防火墙(位于两个不同品牌的防火墙)后方涉及一个防火墙，以防止利用其中一个导致访问另一个。 在防火墙之后，我们可以实施我们的Windows Server，这当然不是公开的。 在端点上，我们放置了防病毒或防入侵软件，以通过最小化威胁向量的数量来再次减少攻击面。

The same strategy can be applied in any scenario. If you are working on a cloud-based app, you can utilize tools installed on the server OS, hosting partner provided tools, and proper network configuration to give the security of the application a layered approach. Using Ubuntu on AWS, for example, we can implement a software firewall on the device OS, allowing only expected traffic. We can implement security groups to ensure the device can only be sent traffic it expects. We can implement Network ACL’s to ensure only expected senders can send traffic. Finally, we can implement subnet routing to ensure our devices are only talking with devices in our desired subnet.

可以在任何情况下应用相同的策略。 如果您使用的是基于云的应用程序，则可以利用服务器操作系统上安装的工具，托管合作伙伴提供的工具以及适当的网络配置，为应用程序的安全性提供分层的方法。 例如，使用AWS上的Ubuntu，我们可以在设备OS上实施软件防火墙，仅允许预期的流量。 我们可以实现安全组，以确保仅向设备发送预期的流量。 我们可以实施网络ACL，以确保只有预期的发送者才能发送流量。 最后，我们可以实现子网路由，以确保我们的设备仅与所需子网中的设备通信。

There are 1000 and 1 different solutions to implementing a Defense in Depth strategy, many are right and many are wrong. We want to secure both vertically and horizontally within an environment to ensure that each practice has a layered security approach, and that all practices are properly secured. We should act according to the age-old saying of “You are only as strong as your weakest link”

实施深度防御策略有1000种和1种不同的解决方案，其中许多是正确的，许多是错误的。 我们希望在一个环境中垂直和水平地保护环境，以确保每种做法都具有分层的安全性方法，并且所有做法都得到了适当的保护。 我们应该按照古老的话说：“您只有最薄弱的一环才有力量”