Requirements for IPv6 Firewalls

William Herrin bill at herrin.us
Fri Apr 18 23:22:57 UTC 2014


On Fri, Apr 18, 2014 at 7:06 PM, William Herrin <bill at herrin.us> wrote:
> On Fri, Apr 18, 2014 at 6:19 PM, Eugeniu Patrascu <eugen at imacandi.net> wrote:
>> Defense in depth, to my knowledge - and feel free to correct me, is to have
>> defenses at every point in the network and at the host level to protect
>> against different attack vectors that are possible at those points.
>
> And a heart attack is that you clutch your chest and fall over dead.
> You describe what defense in depth looks like, not what it is.
>
> Defense in depth is that you have a fence and a security guard and a
> spotlight. And a locked door, an alarm system and a safe too. But you
> don't just have the fence, the door and the safe, a single form of
> protection at each point. That would be a shallow defense.

Put more succinctly: depth isn't where you place the defenses, it's
how many defenses times the quality of each defense that an adversary
has to slip past. If an adversary has to bypass three defenses, that's
more shallow than if he has to bypass the same three and three more.
Whether all six are at the perimeter, or half are at the perimeter, two
are at the host and one is in the application, is only indirectly
relevant to the depth of your defense.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
