BGP and Firewalls...

-Hammer- bhmccie at
Thu Dec 8 14:24:29 UTC 2011

While I understand that the definition has nothing to do with IT
security, there is no question that many folks use the phrase to
summarize a layered IT security model.

Edge routers with ACLs to filter white noise go to edge L3/4 firewalls 
to filter their layer go to load balancers to terminate SSL (not really 
security I know) which go to L7 firewalls to inspect HTTP just to get to 
the web server. Then you have the whole layered DMZs for the 
WEBs/APPs/DBs/inside etc. We employ "defense in depth" and everyone is 
familiar with the concept even if they are using the phrase incorrectly. 
And our wonderful federal auditors expect it and call it the same thing.


"I was a normal American nerd"
-Jack Herer

On 12/07/2011 09:43 PM, Dobbins, Roland wrote:
> On Dec 8, 2011, at 1:36 AM, Leo Bicknell wrote:
>> I don't think you're looking at defense in depth in the right way,
> Actually, it sometimes seems as if nobody in the industry understands what 'defense in depth' really means, heh.
> 'Defense in depth' is a military term of art which equates to 'trading space for time in order to facilitate attrition of enemy forces'.  It does not have any real relevance to infosec/opsec; unfortunately, its original meaning has been corrupted and so it is widely (and incorrectly) used in place of the more appropriate 'combined arms approach' or 'jointness' or 'mutual support' or 'layered defense' metaphors.  Hannibal's tactics at Cannae are generally cited as the canonical (pardon the pun) example of actual military defense in depth.
> ;>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at>
> 		The basis of optimism is sheer terror.
> 			  -- Oscar Wilde
