Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Heterogeneity as a form of obscurity, and its usefulness
From: Crispin Cowan <crispin () immunix com>
Date: Mon, 25 Aug 2003 10:03:00 -0700

Eric Greenberg wrote:

Heterogeneity has played a major role in disastor and recovery designs for
as long as I can remember (that would be the past 20 years). Equally so, I

Be *very* careful here: security is fundamentally different from fault tolerance. FT needs to defeat random, independent faults, and heterogeneity helps. Security needs to defeat an intelligent adversary, and the adversary can defeat two heterogeneous systems with approximately twice the effort of defeating a single system. The defender, in turn, has to spend approximately twice the effort to deploy dual heterogeneous systems as to deploy a single system.

I argue that it is worse than that, because the effort to defeat two heterogeneous systems is somewhat *less* than double that of a single system (because the attacker can exploit common design and implementation failures) and the effort to deploy & operate dual heterogeneous systems is somewhat *more* than double that of a single system (because the defender must account for both consistency and incompatibility).

Once again, it is not that heterogeneity doesn't work. It's that for the goal of defending a single resource, it is not as cost-effective as due diligence & best practices, such as properly employed authentication, firewalls, and secure operating systems.

Crispin

--
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
           http://www.immunix.com/shop/



  By Date           By Thread  

Current thread:
  • Re: Heterogeneity as a form of obscurity, and its usefulness Crispin Cowan (Aug 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault