Internet Edge and Defense in Depth
rsk at gsp.org
Thu Jan 5 09:22:55 CST 2012
On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote:
> Cramming every little feature under the sun into one appliance makes for
> great glossy brochures and Powerpoint decks, but I just don't think it's
1. It's an excellent way to create a single point-of-failure.
2. I prefer, when building defense-in-depth, to build the layers with different
technology running on different operating systems on different architectures.
There's no doubt this adds some complexity and that it requires judicious
design to be scalable, maintainable, and so on. But it raises the bar
for attackers considerably, and it gives defenders a fighting chance of
discovering a breach in one layer before it becomes a breach in all layers.
3. One of the mistakes we all continue to make, whether we have our
paws on integrated appliances or separate systems, is default-permit.
We really need to make sure that the syntactic equivalent of "deny
all from any to any" is the first rule installed in any of these,
and then work from there.
p.s. In re Powerpoint, I've long held that the appropriate response to
"I have a PowerPoint presentation..." is for everyone else in the room
to find a strong rope and a sturdy tree, and do what must be done for
the sake of humanity.
More information about the NANOG