Home page logo

nanog logo nanog mailing list archives

Re: BGP and Firewalls...
From: -Hammer- <bhmccie () gmail com>
Date: Thu, 08 Dec 2011 08:24:29 -0600

While I understand that the definition has nothing to do with IT Security there is no question that many folks use the phrase to summarize a layered IT security model.

Edge routers with ACLs to filter white noise go to edge L3/4 firewalls to filter their layer go to load balancers to terminate SSL (not really security I know) which go to L7 firewalls to inspect HTTP just to get to the web server. Then you have the whole layered DMZs for the WEBs/APPs/DBs/inside etc. We employ "defense in depth" and everyone is familiar with the concept even if they are using the phrase incorrectly. And our wonderful federal auditors expect it and call it the same thing.


"I was a normal American nerd"
-Jack Herer

On 12/07/2011 09:43 PM, Dobbins, Roland wrote:
On Dec 8, 2011, at 1:36 AM, Leo Bicknell wrote:

I don't think you're looking at defense in depth in the right way,
Actually, it sometimes seems as if nobody in the industry understands what 'defense in depth' really means, heh.

'Defense in depth' is a military term of art which equates to 'trading space for time in order to facilitate attrition of enemy forces'.  It does not have any real 
relevance to infosec/opsec; unfortunately, its original meaning has been corrupted and so it is widely (and incorrectly) used in place of the more appropriate 'combined arms 
approach' or 'jointness' or 'mutual support' or 'layered defense' metaphors.  Hannibal's tactics at Cannae are generally cited as the canonical 
(pardon the pun) example of actual military defense in depth.


Roland Dobbins<rdobbins () arbor net>  //<http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]