Identifying Functional Groups

CHAPTER 7 Establishing Secure Enclaves (p. 148)

IPS devices (NIDS and NIPS), router Access Control Lists (ACLs), application monitors, and/or similar security products, all of which can and should be configured to isolate the defined members of an enclave.

While perimeter defense is important, the enclave interior must also be secured to protect the enclave against inside attacks and/or an attack that somehow circumvents the established perimeter defenses (such as walking malware into a control system using a physical device, or injecting malware from outside of the control system using an unknown access point or vulnerability). Interior defenses consist primarily of host security systems, such as Anti-Virus, Anti-Malware, Host IDS (HIDS), and application whitelisting systems. As with perimeter defenses, internal defenses should be configured in concert with the authorized parameters of established and documented enclaves.

While this chapter will cover the identification of an enclave as well as the methods of perimeter and asset defense, it is also important to define the expected behavior of an enclave and to monitor all activities within each enclave, both for the obvious alerts that might be generated by perimeter and host security products and for behavioral anomalies within the enclave. Baselining enclave activity is covered in Chapter 8, "Exception, Anomaly, and Threat Detection," while monitoring
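The passage describes three things a documented enclave gives a defender: a member list that perimeter devices enforce, an interior policy that host defenses enforce, and an expected-behaviour baseline against which activity inside the enclave is monitored. The Python below is an added example (not from the book or any product it names) that turns such a documented enclave into a small audit: each observed flow is classified as baseline interior traffic, an interior anomaly, a permitted or violating perimeter crossing, or unrelated external traffic. The enclave definition, addresses, ports and flow records are all constructed sample data; the `Enclave`, `Flow`, `classify` and `audit` names are this example's own.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One observed network flow (constructed sample record, not real telemetry)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Enclave:
    """A documented enclave: its members plus the traffic its perimeter and interior policy permit."""
    name: str
    members: list                                        # CIDR blocks that make up the enclave
    allowed_ingress: set = field(default_factory=set)    # (src_cidr, proto, dport) permitted to enter
    allowed_egress: set = field(default_factory=set)     # (dst_cidr, proto, dport) permitted to leave
    interior_baseline: set = field(default_factory=set)  # (src, dst, proto, dport) expected inside

    def contains(self, ip: str) -> bool:
        """True when the address belongs to one of the enclave's member blocks."""
        addr = ip_address(ip)
        return any(addr in ip_network(cidr) for cidr in self.members)


def _matches(rules, ip, proto, dport) -> bool:
    """True when some (cidr, proto, dport) rule covers this endpoint and service."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) and proto == p and dport == d for cidr, p, d in rules)


def classify(flow: Flow, enclave: Enclave) -> str:
    """Decide which enclave policy a flow falls under and whether it conforms."""
    src_in, dst_in = enclave.contains(flow.src), enclave.contains(flow.dst)
    if src_in and dst_in:
        # Interior traffic: compare against the documented baseline, not a perimeter ACL.
        key = (flow.src, flow.dst, flow.proto, flow.dport)
        return "interior-baseline" if key in enclave.interior_baseline else "interior-anomaly"
    if dst_in:
        # Crossing the perimeter inbound: only documented sources and services may enter.
        ok = _matches(enclave.allowed_ingress, flow.src, flow.proto, flow.dport)
        return "ingress-allowed" if ok else "ingress-violation"
    if src_in:
        # Crossing the perimeter outbound: enclave members may only reach documented destinations.
        ok = _matches(enclave.allowed_egress, flow.dst, flow.proto, flow.dport)
        return "egress-allowed" if ok else "egress-violation"
    return "external"  # never touches the enclave; out of scope for this policy


def audit(flows, enclave):
    """Return (verdict counts, flows needing attention) for a batch of observed flows."""
    counts, findings = {}, []
    for flow in flows:
        verdict = classify(flow, enclave)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict.endswith("violation") or verdict.endswith("anomaly"):
            findings.append((verdict, flow))
    return counts, findings


# Constructed enclave definition: one control-network block, one engineering host
# allowed in for Modbus/TCP, syslog allowed out, and two baseline HMI-to-PLC polls.
CONTROL_ENCLAVE = Enclave(
    name="process-control",
    members=["10.10.1.0/24"],
    allowed_ingress={("10.20.0.5/32", "tcp", 502)},
    allowed_egress={("10.20.0.10/32", "udp", 514)},
    interior_baseline={
        ("10.10.1.10", "10.10.1.20", "tcp", 502),
        ("10.10.1.10", "10.10.1.21", "tcp", 502),
    },
)

# Constructed flow records covering every verdict the classifier can produce.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.1.20", "tcp", 502),   # HMI polling a PLC: documented baseline
    Flow("10.20.0.5", "10.10.1.20", "tcp", 502),    # permitted engineering access
    Flow("10.20.0.7", "10.10.1.20", "tcp", 502),    # undocumented host crossing the perimeter
    Flow("10.10.1.10", "10.20.0.10", "udp", 514),   # syslog export, permitted
    Flow("10.10.1.21", "10.10.1.10", "tcp", 445),   # PLC opening SMB to the HMI: interior anomaly
    Flow("10.10.1.20", "203.0.113.9", "tcp", 443),  # enclave device reaching an outside address
    Flow("10.20.0.5", "10.20.0.10", "tcp", 22),     # traffic that never touches the enclave
]

if __name__ == "__main__":
    totals, hits = audit(SAMPLE_FLOWS, CONTROL_ENCLAVE)
    print(f"enclave {CONTROL_ENCLAVE.name}: {totals}")
    for verdict, flow in hits:
        print(f"  {verdict}: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

The split between `allowed_ingress`/`allowed_egress` and `interior_baseline` mirrors the chapter's distinction: the first two are what a perimeter firewall or ACL enforces, the third is what host defenses and behavioural monitoring inside the enclave compare against. Flows that are neither a perimeter violation nor on the baseline surface as findings even though no signature-based product would alert on them.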