How to Build a Multi‑Layered Security Defense: Practical Ops Strategies

Foreword

The author introduces the theory of a layered security defense—often called depth defense—followed by practical insights drawn from over 20 years of operations experience.

1. Security Starts with Policies and Mechanisms

1.1 Policies and mechanisms are essential for safe production

Effective safety requires internal management structures and strict permission controls. The highest privileges should be split between two distinct accounts (A and B), where A handles account creation and permission assignment, while B is used only in emergencies.

1.2 Multiple accounts + permission separation

Separating a privileged account from a work account prevents accidental or malicious actions, mitigates insider threats, and reduces the impact of unknown vulnerabilities.

1.3 Practical case analysis

Scenario: In many enterprises, only one person holds the top‑level privilege, often a manager or owner, while outsourced staff perform routine maintenance.

Case analysis: A dedicated internal engineer should retain the highest privilege (B account) and only use it for account creation. Outsourced engineers receive a limited account (A) that can only create accounts and assign permissions, preventing misuse and insider attacks.

Real incident: Poor permission management at a cable TV provider allowed an disgruntled outsourced developer to exploit default credentials and deface the network, causing severe social impact.

2. Introduction to Multi‑Layered Security

Security should be implemented as a series of concentric defenses, similar to a wartime battlefield with multiple lines of protection, enabling “door‑to‑dog” (blocking attackers at the gate).

2.1 Grid‑based vulnerability management

Instead of a coarse patching grid, a spider‑web model is proposed: each vulnerability occupies a distinct cell, preventing the combination of multiple exploits. This approach buys time for patching while limiting rapid intrusion.

2.2 Spider‑web security system achieving “door‑to‑dog” effect

When a new vulnerability emerges, the system evaluates its severity and either patches it gradually or applies an urgent fix, ensuring controlled and manageable remediation.

3. Security Classification

Security can be categorized by topology, network, operating system, application, database, email, and storage layers, each requiring tailored safeguards.

3.1 Topology security

Separate application servers from the Internet. Direct exposure invites scanning and attacks.

Deploy web/application services and database services on different servers. Isolation reduces the attack surface.

Admin backend access must be isolated from regular user traffic. Use VPN or dedicated lines for management.

Classify and group network permissions. Segment networks by IP, protocol, and port.

Restrict public user access. Apply strict network‑level controls.

3.2 Network security

Network security includes external, internal, and switch protection.

3.2.1 External network

Principle 1: Minimize the number of devices connected to the Internet. Principle 2: Avoid logging into web servers directly; use secure methods. Principle 3: Security appliances themselves may have vulnerabilities; do not rely solely on them.

When integrating third‑party services (e.g., payment APIs), use strict IP and port whitelisting.

3.2.2 Internal network

Apply detailed firewall rules that specify source IP, destination IP, protocol, port, and request frequency. Default to deny and monitor for any rule changes.

3.2.3 Switch security

Disable web and Telnet access, enforce SSH with key‑based authentication, rotate certificates/passwords regularly, and segment switch accounts by role using VPN‑restricted IPs.

3.4 Operating system security

3.4.1 Linux

Minimal installation: Keep only essential packages (≈45 RPMs) to reduce the attack surface.

SSH hardening: Restrict allowed accounts, disable root login, limit retries, and use key authentication.

Disable editors for critical files: Use

sed

for modifications to retain audit trails.

ACL for file permissions: Fine‑grained control over file access.

Strict firewall policies: Limit login sources.

Account management: Enforce least‑privilege accounts and monitor logins in real time.

3.4.2 Windows

Install a minimal system, remove unnecessary GUI components.

Disable Guest, lower Administrator privileges, and enforce strong password policies.

Configure group policies and registry hardening.

Enable Windows Firewall and IPsec, regularly rotate passwords, and close unused ports.

3.5 Database security

Secure both the database server and the database software. Apply firewall rules, optimize kernel and DB parameters, and enforce least‑privilege accounts for each application. Avoid using the same credentials across multiple web servers; isolate accounts per service.

Key points: Separate server‑level security from application‑level security; never embed passwords in scripts; rotate credentials periodically; limit database access to specific IPs.

4. Common Security Misconceptions

Using security appliances alone solves all problems.

Security is solely the operations department’s responsibility.

Large companies are immune to security incidents.

If nothing has happened yet, the system is safe.

Security costs are too high; defer until funding is available.

One or two servers don’t require security design.

5. How to Do Security Well

Principle 1 – Awareness: Conduct regular inspections and investigate anomalies promptly.

Principle 2 – Empathy: Think like an attacker when designing defenses.

Principle 3 – Exploration: Continuously study vulnerability information and maintain respect for technology.

Principle 4 – Discipline: Enforce strict self‑control to avoid creating shortcuts for attackers.

6. Conclusion

Ten years to forge a sword, ten years to start, twenty years to advance.

Operations covers a vast knowledge domain—from DBA and monitoring to dedicated DevOps roles. Mastery typically requires a decade to reach entry level and two decades to become proficient. Even modest security measures dramatically improve resilience against hackers.