Internet Edge and Defense in Depth

Mike Andrews mikea at
Thu Jan 5 15:33:15 UTC 2012

On Thu, Jan 05, 2012 at 10:22:55AM -0500, Rich Kulawiec wrote:
> On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote:
> > Cramming every little feature under the sun into one appliance makes for
> > great glossy brochures and Powerpoint decks, but I just don't think it's
> > practical.
> 1. It's an excellent way to create a single point-of-failure.
> 2. I prefer, when building defense-in-depth, to build the layers with different
> technology running on different operating systems on different architectures.
> There's no doubt this adds some complexity and that it requires judicious
> design to be scalable, maintainable, and so on.  But it raises the bar
> for attackers considerably, and it gives defenders a fighting chance of
> discovering a breach in one layer before it becomes a breach in all layers.
> 3. One of the mistakes we all continue to make, whether we have our
> paws on integrated appliances or separate systems, is default-permit.
> We really need to make sure that the syntactic equivalent of "deny
> all from any to any" is the first rule installed in any of these,
> and then work from there.
> p.s. In re Powerpoint, I've long held that the appropriate response to
> "I have a PowerPoint presentation..." is for everyone else in the room
> to find a strong rope and a sturdy tree, and do what must be done for
> the sake of humanity.

"Power corrupts. PowerPoint corrupts absolutely."

As regards avoidance of SPOFs, I also prefer multiple layers in different
technologies &c. A monoculture is horribly vulnerable. I grant that network
hardware isn't exactly Ireland just before the potato famine, but the
parallels are there and applicable in at least some senses.

Mike Andrews, W5EGO
mikea at
Tired old sysadmin 
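To make the default-deny point in the quoted message concrete, here is an added example (not code from anyone in the thread): a toy first-match packet filter that evaluates the same sample flows against a default-permit ruleset and a default-deny one. The "deny all from any to any" baseline is modelled as the chain's fall-through policy (what iptables calls `-P DROP` and nftables `policy drop`) with explicit permits evaluated ahead of it, because in a first-match filter a literal deny-all placed first would shadow every rule after it. Hosts use the IETF documentation ranges, and the rules, flows and labels are constructed for illustration.

```python
"""Toy first-match filter contrasting default-permit with default-deny.

Constructed example: addresses are from documentation ranges, and the
rulesets are deliberately small so that a forgotten service shows up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    label: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # "any"
    dst: str = "0.0.0.0/0"       # "any"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == flow.proto)
                and (self.dport is None or self.dport == flow.dport))


@dataclass(frozen=True)
class Ruleset:
    name: str
    rules: Tuple[Rule, ...]
    policy: str  # verdict when no rule matches: "permit" or "deny"

    def verdict(self, flow: Flow) -> str:
        for rule in self.rules:  # first matching rule wins
            if rule.matches(flow):
                return rule.action
        return self.policy       # the baseline the quoted message argues for


# Constructed network: 198.51.100.7 is an Internet host, 192.0.2.10 a DMZ
# web server, 192.0.2.1 the edge router's management address, 10.0.0.0/24
# the internal management network.
DEFAULT_PERMIT = Ruleset(
    name="default-permit",
    rules=(
        Rule("deny", proto="tcp", dport=23),                  # block telnet
        Rule("permit", dst="192.0.2.10", proto="tcp", dport=443),
    ),
    policy="permit",  # anything not explicitly denied gets through
)

DEFAULT_DENY = Ruleset(
    name="default-deny",
    rules=(
        Rule("permit", dst="192.0.2.10", proto="tcp", dport=443),
        Rule("permit", src="10.0.0.0/24", dst="192.0.2.1", proto="tcp", dport=22),
    ),
    policy="deny",    # "deny all from any to any" as the fall-through
)

SAMPLE_FLOWS = [
    Flow("web",      "198.51.100.7", "192.0.2.10", "tcp", 443),
    Flow("telnet",   "198.51.100.7", "192.0.2.1",  "tcp", 23),
    Flow("mgmt-ssh", "198.51.100.7", "192.0.2.1",  "tcp", 22),   # nobody wrote a deny for this
    Flow("rdp",      "198.51.100.7", "192.0.2.10", "tcp", 3389), # nor for this
]


def compare(flows):
    """Map each flow label to (default-permit verdict, default-deny verdict)."""
    return {f.label: (DEFAULT_PERMIT.verdict(f), DEFAULT_DENY.verdict(f))
            for f in flows}


def exposed_by_default_permit(flows):
    """Flows the default-permit ruleset lets through that default-deny blocks."""
    return [f.label for f in flows
            if DEFAULT_PERMIT.verdict(f) == "permit"
            and DEFAULT_DENY.verdict(f) == "deny"]


if __name__ == "__main__":
    for label, (permissive, strict) in compare(SAMPLE_FLOWS).items():
        print(f"{label:10s} default-permit={permissive:6s} default-deny={strict}")
    print("exposed only under default-permit:", exposed_by_default_permit(SAMPLE_FLOWS))
```

The two rulesets agree on the traffic someone thought about (HTTPS to the web server, telnet to the router); they differ on the traffic nobody wrote a rule for, which is exactly where a default-permit edge quietly exposes management ports.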

More information about the NANOG mailing list