Firewall Wizards mailing list archives
Re: Defense in Depth to the Desktop
From: Chris Pugrud <cpugrud () yahoo com>
Date: Mon, 13 Dec 2004 15:40:17 -0800 (PST)
Fred,

Thank you, I really enjoyed your write-up as well. There is a lack of perspective history in the industry, maybe it comes from people coming up too quickly in it, or people being constantly inundated with the same old cycle of s**t.

It's probably been 8 or 9 years since I've read Bellovin's book. I bought the second edition, but have yet to find the time to read it. I probably quoted "eggshell" both because I knew it was not fully correct and to emphasize that I think that things have gotten worse, not better. It used to be that I had to hand roll firewalls for customers and they would complain about the minimal costs. Now they throw gobs of money at perimeter security and buzzword compliance but I can't get them to pay attention to making a reasonable attempt at locking down their internal systems.

My latest quixotic quest is for bringing some of that well built perimeter protection hardware into the internal networks, so that the security of the internal organization is not solely reliant on application and operating system security controls. We need all of the above until we can find a reasonable way to define "allow good" and we can go back to a default deny policy.

Chris

--- Frederick M Avolio <fred () avolio com> wrote:
At 04:30 PM 12/13/2004 -0500, Paul D. Robertson wrote:

This is the classic "eggshell" weakness of network security, hard and crunchy on the outside, soft and chewy on the inside. The Strong Internal Network Defense

I don't think I'd use eggshell to denote hard ;)

But I would. It's relatively hard compared to what's inside, but, as you note ...

And this is all an example of the loss of historical data we experience in network security. (I've ranted on it here: http://www.ianetsec.com/news/all_fc_avolio1.htm). Of course, it is not like an egg. It is like a candy bar that has a "crunchy shell around a soft, chewy center" (Cheswick describing the Bell Labs' network defense in "The Design of a Secure Internet Gateway.")

Fred
