Firewall Wizards mailing list archives

RE: Castles and Security (fwd)


From: "Stiennon,Richard" <richard.stiennon () gartner com>
Date: Wed, 3 Jan 2001 12:01:10 -0500

And, speaking of paradigms gone wrong, I advise against thinking that arms
control ever stopped terrorists.  The thought that network tools of any sort
can be regulated effectively or is even justifiable is one that has to be
stopped now before our legislators get led down that path. 

-Richard Stiennon

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr com]
Sent: Wednesday, January 03, 2001 2:21 PM
To: twaszak () Telenisus com; Juergen.Nieveler () arxes de;
lance () spitzner net; firewall-wizards () nfr com
Subject: RE: [fw-wiz] Castles and Security (fwd)



I don't think references to the fact that the Maginot Line
and Eben-Emael were dispatched so easily detract at all from the utility of
the castle analogy.

Just a mention - the Maginot Line was quickly dispatched the _first_
time. The second time (when Allied troops were heading into Germany)
it was a formidable obstacle that cost a lot of effort to overcome. There
was nothing wrong with the defenses, only with how the French manned them.
Or, perhaps, there was nothing wrong with how the French manned them -
it's just that there was something _more_ _right_ about how the Germans
attacked them. A new form of rightness. This is also analogous to incidents
I've seen where a perfectly good firewall was ineffective because it was
installed "backwards" or otherwise wrong.

Eben Emael's a more interesting case - a paradigm shift in the power
of a particular offensive weapon mooted a fortress that was expected
to hold a lot longer than it did. There are analogies to the way in which
whole suites of public-key-based systems were discovered to be
vulnerable to timing attacks.

In terms of analogy, though, I see the security space as closer to a pure
terrorist/counterterrorist play than a castle defense. Thinking in terms of
castles encourages the listener to assign a greater level of organization
and motivation to the attacker(s) than I think is often justified. Hackers
are much closer to non-ideological/random terrorists picking targets of
opportunity than to an organized army trying to storm a castle. The
dynamics of defense (and offense) are also closer to those in terrorism: the
"good guys" don't really have a perimeter and must successfully defend a
nearly infinite space that is internal as well as external. The enemy is not
clearly identified by flags and banners but is indistinguishable from the
local civilian populace except to the degree to which they carry weapons.
It's the latter point that got me on my recent train of thought that hacking
tools/cyberweapons will eventually become regulated: they have to be
because possession of cyberweapons is one of the few targeting indicators
that might identify an enemy. Indeed, I believe that the targeting problem
will overweigh most of the other problems in the security space, just as
it has in terrorism/counterterrorism. So the dynamics at present are that
the good guys must defend an infinitely large squishy target, while the bad
guys can choose weak points at will, walk up to them, and act with an
initiative advantage in both time and technique. This is also a very
different situation than the castle analogy!!! Indeed, fighting a targeted
attacker when you're in a static defense is fundamentally doable. Fighting
the same way against terrorists is fundamentally futile.

While I really like arguing by analogy (I do it all the time!) I think it's
important to put a lot of thought into whether or not the underlying
paradigms match -- using an analogy that reinforces a mismatched
paradigm is doing no favors to anyone. Please consider this:
        It's precisely this manner of adapting one's thoughts into
        inaccurate paradigms that produces the Maginot Lines and Eben
        Emaels.

mjr.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
