Security Basics mailing list archives

Re: Security vs. Simplicity


From: Daniel Miessler <daniel () dmiessler com>
Date: Wed, 27 May 2009 10:18:50 -0400

On Mon, May 25, 2009 at 5:14 PM, Craig S. Wright
<craig.wright () information-defense com> wrote:

> Your "simple" network is in fact far more complex than many larger systems.
> In your example, you have touted an Integrated Firewall. Far from
> simplifying the issue, a single host with all in one features is extremely
> complex. Far more so than 6 individual system
> (IPS/IDS/Firewall/AV/Logging/Router) based networks.
>
> The integration of functions on a single host increases the attack footprint
> and likelihood of error.

This is absolutely correct. The same sort of thing can be seen with
people recommending all-in-one VMware deployments with 50 virtual NICs
and three different trust zones on the same host.

People argue this is more "simple" because it's one place to go to
configure everything, but simplicity doesn't always come from reducing
the number of actors. It more accurately comes from being intuitive
and cognitively manageable by humans, which is precisely what these
complex, all-in-one solutions are not.

-- 
Daniel R. Miessler
W: http://dmiessler.com/
E: daniel () dmiessler com
P: 510 585 9143
G: 0xD4A8FFF6
