Defense-in-depth refers to a security strategy composed of multiple, independent layers of security controls that continue to operate even if one layer fails or is compromised. It typically includes different types of security controls, such as people, technology, and operations. Layering these controls can help ensure attacks not mitigated at one point during data processing are blocked by another control layer in the same system.

There are many ways to achieve a defense-in-depth strategy. When it comes to technology components, we recommend starting with three items:

  1. Denial-of-service (DoS) protection – Deploy DoS protection to block DoS attacks so they can’t overwhelm your apps, ensuring a better and more predictable customer experience. DoS protection works best when deployed globally at the perimeter to ensure that all applications, APIs, and services – as well as other traffic management and security tools – are covered. For optimum effectiveness, the DoS solution also blocks distributed denial-of-service (DDoS) attacks, which leverage a large number of bots or compromised systems to direct a high volume of traffic at a specific web property, application, or one or more IP addresses.
  2. Web application firewall (WAF) – Deploy a WAF between the DoS protection layer and your load balancer or Ingress controller. A WAF protects against sophisticated Layer 7 attacks, such as the OWASP Top 10 vulnerabilities. The WAF must support custom configurations you define for specific use cases while also providing strong out-of-the-box default protections set up for developers who may not be as sophisticated in security practices.
  3. Authentication and authorization – Ensure your traffic management tools – such as load balancers, API gateways, and Ingress controllers – are properly configured to authenticate and authorize all requests for access to applications and infrastructure. This is especially important in Kubernetes and microservices-oriented environments, where services are loosely coupled and communicate via APIs that may also be externally accessible. Creating robust, continuous authentication processes, including certificate authorities and, for human-facing access, multi-factor authentication (MFA), reduces the attack surface by ensuring that the validity of any connection is continuously challenged and verified.
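As an added illustration (not configuration from the original post), here is one NGINX configuration that stacks the three layers above in one place; it assumes NGINX Plus with the NGINX App Protect WAF module installed, and every hostname, path, zone name and upstream address is a placeholder.

```nginx
# Added example, not from the original post. Assumes NGINX Plus with the
# App Protect WAF module; hostnames, paths and zone names are placeholders.
load_module modules/ngx_http_app_protect_module.so;

events {}

http {
    # Layer 1: DoS mitigation in its basic on-box form. A perimeter DDoS
    # service would normally sit in front; these limits cap what reaches NGINX.
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=20r/s;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    upstream backend {
        server 10.0.0.10:8080;   # placeholder application address
    }

    server {
        listen 443 ssl;
        server_name api.example.com;                      # placeholder
        ssl_certificate     /etc/nginx/tls/server.crt;    # placeholder
        ssl_certificate_key /etc/nginx/tls/server.key;    # placeholder

        limit_req  zone=req_per_ip burst=40 nodelay;
        limit_conn conn_per_ip 50;

        # Layer 2: WAF. Default policy plus security logging, so requests that
        # pass the rate limits are still inspected for Layer 7 attacks.
        app_protect_enable on;
        app_protect_policy_file "/etc/app_protect/conf/NginxDefaultPolicy.json";
        app_protect_security_log_enable on;
        app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=127.0.0.1:514;

        # Layer 3a: callers must present a client certificate issued by the
        # organisation's own CA (mutual TLS), verified on every connection.
        ssl_client_certificate /etc/nginx/tls/internal-ca.crt;   # placeholder
        ssl_verify_client on;

        location /api/ {
            # Layer 3b: each request must also carry a JWT signed by a key in
            # the configured key set; NGINX rejects the request otherwise.
            auth_jwt "api";
            auth_jwt_key_file /etc/nginx/jwks.json;               # placeholder
            proxy_pass http://backend;
        }
    }
}
```

Each layer acts independently: a request that evades the rate limits is still inspected by the WAF, and one that passes the WAF is still rejected without a valid client certificate and token.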

How Can F5 NGINX Help?

Diagram depicting eight types of attacks blocked by NGINX App Protect WAF and DoS