misunderstanding scale

Owen DeLong owen at delong.com
Tue Mar 25 03:00:58 UTC 2014


On Mar 24, 2014, at 9:20 AM, William Herrin <bill at herrin.us> wrote:

> On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer at biplane.com.au> wrote:
>> Addressable is not the same as
>> accessible; routable is not the same as routed.
> 
> Indeed. However, all successful security is about _defense in depth_.
> If it is inaccessible, unrouted, unroutable and unaddressable then you
> have four layers of security. If it is merely inaccessible and
> unrouted you have two.

That is, frankly, so gross an oversimplification as to be not only misleading, but
outright inaccurate in many cases.

When considering defense in depth, layer thickness counts as much or more
than number of layers.

Unroutable and unaddressable (which NAT and RFC-1918 arguably don’t actually
provide in reality) are roughly equivalent to a slide-lock on a screen door in front
of a stateful inspection bank vault door in front of an unrouted iron-bar day-door
inside the vault.

I would argue that the value added by the screen door and its associated slide lock
is near zero in the total equation.

Further, since the reality is that NAT and RFC-1918 can be exploited by the attackers
to help hide their identity and obscure their activities, they are actually not added
depth, but in fact erode the actual security. Further, since it is such a widely held
misperception that they provide security, there’s probably a certain amount of
negative impact due to the complacency and lack of vigilance that creates as well.

Owen
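The two mechanisms Owen contrasts can be modelled in a few lines. The following is an added illustration, not code from the thread or from any NANOG participant: a toy longest-prefix-match forwarder shows that RFC-1918 space is "unroutable" only by convention (a router forwards to 10.0.0.0/8 the moment a route for it exists), and a toy connection-tracking filter shows that the verdict of stateful inspection does not depend on whether the protected hosts sit in RFC-1918 or globally routable space. All addresses are constructed documentation/test prefixes; the class and function names are this example's own.

```python
"""Added example: addressing convention vs. stateful inspection as security layers."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges. Their "unroutability" is a policy, not a forwarding-plane property.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in any RFC 1918 range."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def next_hop(routes, dst: str):
    """Longest-prefix-match lookup. Returns the next hop, or None if no route (dropped).

    routes: list of (prefix, next_hop) tuples. Nothing here checks whether dst is
    RFC 1918: a route for 10.0.0.0/8 is honoured exactly like any other route.
    """
    a = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Minimal connection tracker: permit inside-initiated flows and their replies,
    drop every unsolicited inbound packet. Addressing of the inside net is irrelevant."""

    def __init__(self, inside_net: str):
        self.inside = ipaddress.ip_network(inside_net)
        self.flows = set()  # (src, sport, dst, dport) of flows opened from inside

    def process(self, pkt: Packet) -> str:
        src_inside = ipaddress.ip_address(pkt.src) in self.inside
        dst_inside = ipaddress.ip_address(pkt.dst) in self.inside
        if src_inside and not dst_inside:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: allowed only if it is the reverse of a tracked outbound flow.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        return "drop"


def run_scenario(inside_net: str):
    """Outbound request, its reply, then an unsolicited inbound connection attempt.

    Returns the three verdicts; they are identical for an RFC 1918 inside net and for
    a globally routable one, because the stateful layer does the work, not the prefix.
    """
    fw = StatefulFilter(inside_net)
    host = str(next(ipaddress.ip_network(inside_net).hosts()))
    peer = "198.51.100.10"  # constructed outside host (TEST-NET-2)
    return [
        fw.process(Packet(host, 40000, peer, 443)),  # inside host opens a flow
        fw.process(Packet(peer, 443, host, 40000)),  # reply to that flow
        fw.process(Packet(peer, 12345, host, 22)),   # unsolicited inbound attempt
    ]


if __name__ == "__main__":
    # Constructed routing table: one RFC 1918 prefix, one documentation prefix, no default.
    table = [("10.0.0.0/8", "192.0.2.1"), ("203.0.113.0/24", "192.0.2.2")]
    print("10.1.2.3 is RFC1918:", is_rfc1918("10.1.2.3"), "-> next hop", next_hop(table, "10.1.2.3"))
    print("172.16.5.5 is RFC1918:", is_rfc1918("172.16.5.5"), "-> next hop", next_hop(table, "172.16.5.5"))
    print("RFC1918 inside net:", run_scenario("192.168.1.0/24"))
    print("global inside net:", run_scenario("203.0.113.0/24"))
```

The forwarder returns a next hop for 10.1.2.3 while returning none for 172.16.5.5, purely because of which routes are present; the filter returns `['allow', 'allow', 'drop']` for both inside networks. That is the thread's point in code: routed is a property of the routing table, and the layer that actually stops the unsolicited packet is the stateful one.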