Have they stopped teaching Defense in Depth?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Nov 16 08:01:56 CST 2011


On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:
> ----- Original Message -----
> > From: "Jimmy Hess" <mysidia at gmail.com>
> 
> > Or, the attack is against a legitimate user's outbound connection, for example:
> > a user behind the firewall connects to a web site, a vulnerability
> > in their browser is exploited
> > to install a trojan -- the trojan tunnels to the attacker over an
> > outgoing port that is allowed on the firewall.
> 
> Oh, certainly; I have lots of web browsers running on my servers.
> 
> All The World Is Not A Workstation, guys.

Is there *anything* on the allegedly protected subnet that has a web browser
running on it?  Maybe that laptop on the crash cart that you use for
downloading firmware and installing it on storage appliances?  If it's a
corporate-sized NAT, do you have any desktops that have network reachability to
the servers (probably do - if the desktops can't reach the servers, the servers
aren't useful, are they?) and also have web browsers that go to the outside
world?

I compromise an ad server someplace.  Bob over in Accounting visits the CPA forum
on the accountants-r-us.com website looking for suggestions on how to handle
a tax issue.  I now have control of Bob's workstation, and the question of whether
your firewall does NAT or not just became totally moot.

Defense in depth doesn't mean building a second Maginot Line behind the first
is a good idea - it means you *also* have a capable army that will stop a
German invasion coming in via Belgium.
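As an added illustration, not part of the thread or of anyone's posted code: the point above is checkable from flow logs. The script below audits a handful of constructed flow records against a simple segmentation policy and reports (a) which workstations both reach the server subnet and the outside world, which is exactly the population that makes the NAT question moot, (b) servers initiating connections to the Internet, and (c) workstation-to-server flows on ports the policy does not allow. The subnets, allowed ports and flow lines are all assumed for the example.

```python
"""Flow-log segmentation audit (added example; subnets, ports and flows are constructed)."""
import ipaddress
from collections import defaultdict

# Assumed address plan for the illustration.
SERVER_NET = ipaddress.ip_network("10.10.0.0/24")       # protected server subnet
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/24")  # desktop subnet with browsers

# Assumed policy: workstations may reach servers only on these ports.
ALLOWED_WS_TO_SERVER_PORTS = {443, 3389}
# Assumed policy: servers never initiate connections to the outside world.

# Constructed flow records: src_ip,dst_ip,dst_port (one connection attempt each).
FLOWS = """\
10.20.0.15,10.10.0.5,443
10.20.0.15,203.0.113.9,443
10.10.0.5,203.0.113.9,443
10.20.0.22,10.10.0.7,22
10.10.0.7,10.10.0.5,5432
10.20.0.15,10.10.0.5,445
"""


def parse_flows(text):
    """Parse CSV-style flow lines into (src, dst, port) tuples of (str, str, int)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split(",")
        flows.append((src.strip(), dst.strip(), int(port)))
    return flows


def is_internal(ip):
    """True if the address belongs to one of the two internal subnets."""
    return ip in SERVER_NET or ip in WORKSTATION_NET


def classify(flow):
    """Return a policy-violation tag for the flow, or None if it is allowed."""
    src, dst, port = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in SERVER_NET and not is_internal(dst_ip):
        return "server-egress"          # a server talking outward: should not happen
    if src_ip in WORKSTATION_NET and dst_ip in SERVER_NET and port not in ALLOWED_WS_TO_SERVER_PORTS:
        return "ws-to-server-unexpected-port"
    return None


def audit(text):
    """Group every violating flow by its tag, preserving log order."""
    findings = defaultdict(list)
    for flow in parse_flows(text):
        tag = classify(flow)
        if tag:
            findings[tag].append(flow)
    return dict(findings)


def exposed_workstations(text):
    """Workstations that reach BOTH the server subnet and the outside world.

    These are the hosts Valdis describes: a browser compromise on any of them
    lands an attacker with a path to the servers regardless of the perimeter.
    """
    reached_servers, reached_outside = set(), set()
    for src, dst, _port in parse_flows(text):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in WORKSTATION_NET:
            continue
        if dst_ip in SERVER_NET:
            reached_servers.add(src)
        elif not is_internal(dst_ip):
            reached_outside.add(src)
    return sorted(reached_servers & reached_outside)


if __name__ == "__main__":
    for tag, flows in audit(FLOWS).items():
        for src, dst, port in flows:
            print(f"{tag}: {src} -> {dst}:{port}")
    print("workstations bridging servers and Internet:", exposed_workstations(FLOWS))
```

Run against real flow exports the same two questions apply: the `exposed_workstations` set is the attack surface the perimeter firewall does nothing about, and the `server-egress` findings are the "capable army" check that catches a compromised server phoning out over an otherwise allowed port.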
