Firewall Wizards mailing list archives
Re: Castles and Security (fwd)
From: "M.Schubert" <schubert () fsck org>
Date: Thu, 4 Jan 2001 01:34:57 -0800
Darren Reed wrote:
Other details such as whether or not such a person should be installing software, does it fall within the security policy, etc, are also relevant but peripheral to the point I was making: people will follow the path of least resistance to get in, regardless of whether that is through the front door or over the WAN. If all paths have the same amount of "resistance" then you should be able to feel comfortable with your security. If you have a security dude watching everyone come in your front door, you should have a security dude watching everyone come in over the internet. It might also mean that any access to the president's computer needs to be ok'd with the secretary (or equivalent thereof) or at home, you'd need to get their spouse's ok. That sort of thing is what I mean.
Basically you've come back to the "a chain is only as strong as its weakest link" cliche, but you are correct. People just fail to see this over-used analogy in the grand scheme of things. Why implement heavy physical security when one can just utilize poor network security? And why bother breaking in via the computer network when one can just utilize an unlocked door, window... fool the secretary... etc.? I think we need to remember that the greatest castle in the world is useless without men to man the fort, so to speak.

Marcus mentioned in another message (if I may just slop together my various opinions into one email :-) that in today's e-commerce, one cannot just "close the gates" on one's server when under attack. This is a rather nasty problem that I have not foreseen any software able to solve. Pulling the plug is an option for highly-sensitive information, home users and non-essential services but not for e-bay.

I think the ideas of defenses have been established well enough in this thread but I'm wondering as to what you people feel about _counter-measures_. Unfortunately, all of the common ones (automated blocking of IPs and subnets) are all too easy to be abused by an attacker and become more harmful than good.

If I may stretch this idea of counter-measures further... it's very similar to the concept of criminal laws... you break a law and the justice system will invoke a counter-measure, a punishment. (and now I go off on a bit of a rant :-) These are deterrents! Defenses in your network are simply obstacles to overcome just like the locks on your doors are merely something a thief must overcome. They do not deter the criminal, they merely _delay_ the criminal. I'm sure one could suggest we have harsher deterrents (read: laws) against breaking into systems but I'm wondering what deterrents can be implemented in software and hardware? Actual, tangible, counter-measures. Not more layers of defense. Not obstacles.

Now if I may return to the whole castle analogy just for the sake of completeness I'd like to point out that it is not the high castle walls nor the strong, tricky or trap doors that deter the Mongol horde from attacking your network.... it's the army of archers sitting on top of those walls and behind those doors waiting to shoot the hapless fool to break in. It is the deterrents which will thwart an enemy, not the obstacles.

--
-- M. Schubert - mschuber () uci edu
-- Security Specialist - michaels () lightspeedsystems com
-- Sys Admin - schubert () fsck org
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards