Internet Edge and Defense in Depth

Mike Andrews mikea at mikea.ath.cx
Thu Jan 5 15:33:15 UTC 2012


On Thu, Jan 05, 2012 at 10:22:55AM -0500, Rich Kulawiec wrote:
> On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote:
> > Cramming every little feature under the sun into one appliance makes for
> > great glossy brochures and Powerpoint decks, but I just don't think it's
> > practical.
> 
> 1. It's an excellent way to create a single point-of-failure.
> 
> 2. I prefer, when building defense-in-depth, to build the layers with different
> technology running on different operating systems on different architectures.
> There's no doubt this adds some complexity and that it requires judicious
> design to be scalable, maintainable, and so on.  But it raises the bar
> for attackers considerably, and it gives defenders a fighting chance of
> discovering a breach in one layer before it becomes a breach in all layers.
> 
> 3. One of the mistakes we all continue to make, whether we have our
> paws on integrated appliances or separate systems, is default-permit.
> We really need to make sure that the syntactic equivalent of "deny
> all from any to any" is the first rule installed in any of these,
> and then work from there.
> 
> p.s. In re Powerpoint, I've long held that the appropriate response to
> "I have a PowerPoint presentation..." is for everyone else in the room
> to find a strong rope and a sturdy tree, and do what must be done for
> the sake of humanity.

"Power corrupts. PowerPoint corrupts absolutely."

As regards avoidance of SPOFs, I also prefer multiple layers in different
technologies &c. A monoculture is horribly vulnerable. I grant that network
hardware isn't exactly Ireland just before the potato famine, but the
parallels are there and applicable in at least some senses.

-- 
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin 
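The quoted point 3 (make "deny all from any to any" the first thing installed, then work from there) is the one that lends itself to a worked example. The following is an added illustration, not code from this thread or from any product it mentions: a small first-match and last-match rule evaluator run over a constructed two-rule policy. It shows what default-permit leaks for traffic nobody wrote a rule for, where the catch-all deny has to sit for each matching discipline (a first-match engine such as iptables or a Cisco ACL wants it as the final rule or chain policy; a PF-style last-match engine wants it first), and the pitfall of a literal deny-all as rule one in a first-match engine. Addresses are RFC 5737 documentation ranges and the rule syntax is invented for the example.

```python
"""Default-permit vs default-deny under first-match and last-match rule engines.

Added example for the NANOG thread above; rule format, addresses and packets
are constructed for illustration and are not any real firewall's grammar.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # destination port, or None for any port

    def matches(self, pkt: Packet) -> bool:
        return (_in(self.src, pkt.src) and _in(self.dst, pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def _in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


# The "deny all from any to any" rule from the quoted message.
DENY_ALL = Rule("deny", "any", "any", None)


def first_match(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """iptables / Cisco-ACL discipline: the first matching rule decides.
    `default` stands in for the chain policy when nothing matches."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


def last_match(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """PF discipline (without `quick`): the last matching rule wins."""
    decision = default
    for r in rules:
        if r.matches(pkt):
            decision = r.action
    return decision


Engine = Callable[[List[Rule], Packet], str]


def default_deny(rules: List[Rule], engine: Engine) -> List[Rule]:
    """Place the catch-all deny where this engine's semantics require it:
    last for a first-match engine, first for a last-match engine."""
    return rules + [DENY_ALL] if engine is first_match else [DENY_ALL] + rules


# Constructed policy: public HTTPS on one host, SSH to a second host only
# from the management network.  Nothing here mentions port 3389 or SSH
# from the Internet; that silence is exactly what default-permit exploits.
RULES = [
    Rule("allow", "any",             "192.0.2.10", 443),
    Rule("allow", "198.51.100.0/24", "192.0.2.20", 22),
]

PACKETS = {
    "https":     Packet("203.0.113.5",  "192.0.2.10", 443),   # intended to pass
    "mgmt_ssh":  Packet("198.51.100.7", "192.0.2.20", 22),    # intended to pass
    "stray_ssh": Packet("203.0.113.5",  "192.0.2.20", 22),    # no rule written
    "stray_rdp": Packet("203.0.113.5",  "192.0.2.10", 3389),  # no rule written
}


def decisions(rules: List[Rule], engine: Engine) -> Dict[str, str]:
    """Evaluate every sample packet against `rules` with the given engine."""
    return {name: engine(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("default-permit, first-match:", decisions(RULES, first_match))
    print("default-deny,   first-match:", decisions(default_deny(RULES, first_match), first_match))
    print("default-deny,   last-match: ", decisions(default_deny(RULES, last_match), last_match))
    # Pitfall: a literal deny-all as rule #1 in a first-match engine shadows
    # every later allow, so the legitimate HTTPS and SSH traffic dies too.
    print("deny-all first, first-match:", decisions([DENY_ALL] + RULES, first_match))
```

Under default-permit both stray packets sail through; with the catch-all deny installed in the engine-appropriate position only the two intended flows pass. The last print is the caveat: on a first-match engine, "deny all as the first rule" has to be read as "the default policy", not as literal rule number one.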