
Firewall Wizards mailing list archives
RE: Castles and Security (fwd)
From: twaszak () Telenisus com
Date: Tue, 2 Jan 2001 21:42:09 -0600
The castle analogy is a useful one. Though there may be other analogies that may be more accurate, I think most of us would be hard pressed to find one that is as easy for non-technical people to understand. The point of the castle analogy (IMHO) should be to demonstrate how systems and policies interact, are interrelated, and supportive to provide adequate security. I find it most useful to illustrate the holistic concept of information security. I see non-technical, management, and security-ignorant people's faces light up with understanding when I use this analogy. Besides, everyone likes castles.

I don't think references to the fact that the Maginot Line and Eben-Emael were dispatched so easily detract at all from the utility of the castle analogy. These two events help to illustrate how poor planning and assumptions equate to bad security and disastrous results.

If the castle analogy is used to describe a firewall, it is being used (IMHO) incorrectly. The firewall isn't the castle, the firewall is a component of the castle. A firewall alone equates to a hilltop defense. Ask Custer how well that worked ;-)

Lastly, castles, like good security, never guaranteed 100% results. The point was to make it cost more than the attacker was willing to pay.

-----Original Message-----
From: Jürgen Nieveler [mailto:Juergen.Nieveler () arxes de]
Sent: Tuesday, January 02, 2001 10:40 AM
To: 'Lance Spitzner'; firewall-wizards () nfr com
Subject: RE: [fw-wiz] Castles and Security (fwd)
I recently answered an extremely interesting question concerning the comparison of castles to network security. Below is the email, I'm interested in any feedback.
Just my 0.02 EUR: The problem with this comparison is that unlike the defenders of castles and fortresses, firewall admins aren't allowed to use heavy artillery :-) As a firewall admin, all you can do is watch the hackers attack your network, and if they find a hole you can fix it.

Oh, and while we're on the topic of "undefeatable fortresses": The Belgian government believed that making a mountain into a gun-armed fortress with lots of bunkers, howitzers etc. would really be undefeatable even back in the 1930s and up to WW2. They had layered defenses, machine gun pillboxes etc, so that it was impossible to go anywhere near that fortress without being seen and shot at (with values of "near" measured in km). Then WW2 came, and the fortress had to surrender in a few hours to an attacking force of only 72 men who landed ON TOP of the fortress and blew up the guns one by one.

More info on Fort Eben-Emael can be found here: http://www.fort-eben-emael.be/

Yours sincerely
Juergen Nieveler
EncreasE AG
UB eCommerce
Tel.: +49/241/16008-327
Fax: +49/241/16008-354
Email: juergen.nieveler () arxes de
Web: www.encrease.de
PGP: 2AAB A988 0B80 D53F FC53 3BED 8CC0 2092 922D 8378 (DH)
5ADF A15E 91E4 98DB 2391 0D29 8B08 A884 (RSA)
Disclaimer: Views are mine, not my employers'

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards