Firewall Wizards mailing list archives
RE: Castles and Security (fwd)
From: "Stiennon,Richard" <richard.stiennon () gartner com>
Date: Wed, 3 Jan 2001 12:01:10 -0500
And, speaking of paradigms gone wrong, I advise against thinking that arms control ever stopped terrorists. The thought that network tools of any sort can be regulated effectively or is even justifiable is one that has to be stopped now before our legislators get led down that path.
-Richard Stiennon
-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr com]
Sent: Wednesday, January 03, 2001 2:21 PM
To: twaszak () Telenisus com; Juergen.Nieveler () arxes de; lance () spitzner net; firewall-wizards () nfr com
Subject: RE: [fw-wiz] Castles and Security (fwd)
I don't think references to the fact that the Maginot Line and Eben-Emael were dispatched so easily detract at all from the utility of the castle analogy.
Just a mention - the Maginot Line was quickly dispatched the _first_ time. The second time (when Allied troops were heading into Germany) it was a formidable obstacle that cost a lot of effort to overcome. There was nothing wrong with the defenses, only with how the French manned them. Or, perhaps, there was nothing wrong with how the French manned them - it's just that there was something _more_ _right_ about how the Germans attacked them. A new form of rightness. This is also analogous to incidents I've seen where a perfectly good firewall was ineffective because it was installed "backwards" or otherwise wrong.
Eben Emael's a more interesting case - a paradigm shift in the power of a particular offensive weapon mooted a fortress that was expected to hold a lot longer than it did. There are analogies to the way in which whole suites of public-key-based systems were discovered to be vulnerable to timing attacks.
In terms of analogy, though, I see the security space as closer to a pure terrorist/counterterrorist play than a castle defense. Thinking in terms of castles encourages the listener to assign a greater level of organization and motivation to the attacker(s) than I think is often justified. Hackers are much closer to non-ideological/random terrorists picking targets of opportunity than to an organized army trying to storm a castle. The dynamics of defense (and offense) are also closer to those in terrorism: the "good guys" don't really have a perimeter and must successfully defend a nearly infinite space that is internal as well as external. The enemy is not clearly identified by flags and banners but is indistinguishable from the local civilian populace except to the degree to which they carry weapons.
It's the latter point that got me on my recent train of thought that hacking tools/cyberweapons will eventually become regulated: they have to be because possession of cyberweapons is one of the few targeting indicators that might identify an enemy.
Indeed, I believe that the targeting problem will overweigh most of the other problems in the security space, just as it has in terrorism/counterterrorism. So the dynamics at present are that the good guys must defend an infinitely large squishy target, while the bad guys can choose weak points at will, walk up to them, and act with an initiative advantage in both time and technique. This is also a very different situation than the castle analogy!!! Indeed, fighting a targeted attacker when you're in a static defense is fundamentally doable. Fighting the same way against terrorists is fundamentally futile.
While I really like arguing by analogy (I do it all the time!) I think it's important to put a lot of thought into whether or not the underlying paradigms match -- using an analogy that reinforces a mismatched paradigm is doing no favors to anyone. Please consider this: It's precisely this manner of adapting one's thoughts into inaccurate paradigms that produces the Maginot Lines and Eben Emaels.
mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Castles and Security (fwd) Lance Spitzner (Jan 02)
- Re: Castles and Security (fwd) Talisker (Jan 02)
- Re: Castles and Security (fwd) Darren Reed (Jan 02)
- <Possible follow-ups>
- RE: Castles and Security (fwd) Jürgen Nieveler (Jan 02)
- RE: Castles and Security (fwd) twaszak (Jan 03)
- RE: Castles and Security (fwd) Marcus J. Ranum (Jan 03)
- Re: Castles and Security (fwd) Crist Clark (Jan 03)
- RE: Castles and Security (fwd) Marcus J. Ranum (Jan 03)
- Re: Castles and Security (fwd) Antonomasia (Jan 03)
- RE: Castles and Security (fwd) Stiennon,Richard (Jan 03)
- RE: Castles and Security (fwd) Security Related (Jan 03)
- RE: Castles and Security (fwd) Marcus J. Ranum (Jan 03)
- Re: Castles and Security (fwd) Crispin Cowan (Jan 03)
- RE: Castles and Security (fwd) Marcus J. Ranum (Jan 03)
- RE: Castles and Security (fwd) Lance Spitzner (Jan 03)
- Re: Castles and Security (fwd) Darren Reed (Jan 03)
- Re: Castles and Security (fwd) John McDermott (Jan 03)
- Re: Castles and Security (fwd) Darren Reed (Jan 03)
- Re: Castles and Security (fwd) M.Schubert (Jan 04)
- Re: Castles and Security (fwd) Darren Reed (Jan 03)
- Re: Castles and Security (fwd) Darren Reed (Jan 03)