nanog mailing list archives

Re: BGP and Firewalls...
From: Cameron Byrne <cb.list6 () gmail com>
Date: Wed, 7 Dec 2011 20:13:12 -0800

On Dec 7, 2011 7:49 PM, "Dobbins, Roland" <rdobbins () arbor net> wrote:

On Dec 8, 2011, at 1:36 AM, Leo Bicknell wrote:

I don't think you're looking at defense in depth in the right way,

Actually, it sometimes seems as if nobody in the industry understands
what 'defense in depth' really means, heh.

On a personal note, it is one of my least favorite terms because it is
overused and generally used by people selling things, and defense in depth
means throw everything and the kitchen sink at the problem instead of
matching threats / risks / vulnerabilities with security controls and
threat mitigation and management.

Defense in depth = blank check, in too many instances

Yes, layers of security are good.

No, a car with mattresses strapped to both ends is not safer to drive.


'Defense in depth' is a military term of art which equates to 'trading
space for time in order to facilitate attrition of enemy forces'.  It does
not have any real relevance to infosec/opsec; unfortunately, its original
meaning has been corrupted and so it is widely (and incorrectly) used in
place of the more appropriate 'combined arms approach' or 'jointness' or
'mutual support' or 'layered defense' metaphors.  Hannibal's tactics at
Cannae are generally cited as the canonical (pardon the pun) example of
actual military defense in depth.


Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

               The basis of optimism is sheer terror.

                         -- Oscar Wilde
