nanog mailing list archives
Re: Have they stopped teaching Defense in Depth?
From: Mark Andrews <marka () isc org>
Date: Wed, 16 Nov 2011 08:50:55 +1100
In message <33284158.2915.1321391772464.JavaMail.root () benjamin baylink com>, Jay Ashworth write s:
----- Original Message -----From: "William Herrin" <bill () herrin us>That your computer is not globally addressable ADDS one layer of security in a process you hope has enough layers to prevent an attack from penetrating. And make no mistake: successful security is about layers, about DEPTH. You can seek layers from other sources but a shallow security process will tend to be easily breached.This is precisely the point I've been trying to make, and it ties in to my observations in response in the SCADA thread: not only does the number of layers matter, so does their "thickness". Certainly, if you're trying to "air-gap" a SCADA network to protect it from attack, then you are admitting a certain degree of vulnerability if your circuit passes through any sort of transport multiplexer, like a DACS, as that's a place an attacker could reconfigure to take control of your traffic. But mounting *that* attack requires insider knowledge of 4 or 5 layers of extra information which will be necessary to exploit such an attack. My estimation is that that makes that layer of your defense in depth "thicker" than some other layers might be. Those who think NAT provides no security seem still to be mounting the strawman that we think it *provides* security, rather than merely contributing some bits thereto...
Most of us actually think that what ever benefit it adds over a firewall is miniscule compared to its negative consequences and once the cost benefit analysis is done that it is not worth it. Remember the cost of NAT is not solely borne by the entity deploying the NAT. If it was there would be little debate here. The cost of you deploying NAT is borne by everyone of us. It add a little bit to the cost of every router. If you want to use unroutable addresses then use a bastion host / proxy. Don't expect to be able to open a TCP socket and have it connect to something on the outside. Do it right or don't do it at all. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka () isc org
Current thread:
- Re: Arguing against using public IP space, (continued)
- Re: Arguing against using public IP space Jay Ashworth (Nov 13)
- Re: Arguing against using public IP space Jeff Kell (Nov 13)
- Re: Arguing against using public IP space Cameron Byrne (Nov 13)
- Re: Arguing against using public IP space Robert Bonomi (Nov 13)
- Re: Arguing against using public IP space Jay Ashworth (Nov 13)
- Re: Arguing against using public IP space Jeroen van Aart (Nov 14)
- Re: Arguing against using public IP space William Herrin (Nov 15)
- Re: Arguing against using public IP space Michael Sinatra (Nov 15)
- Re: Arguing against using public IP space Owen DeLong (Nov 15)
- Have they stopped teaching Defense in Depth? Jay Ashworth (Nov 15)
- Re: Have they stopped teaching Defense in Depth? Mark Andrews (Nov 15)
- Re: Have they stopped teaching Defense in Depth? William Herrin (Nov 15)
- Re: Have they stopped teaching Defense in Depth? Owen DeLong (Nov 16)
- RE: Have they stopped teaching Defense in Depth? Jamie Bowden (Nov 16)
- Re: Have they stopped teaching Defense in Depth? Owen DeLong (Nov 16)
- Re: Have they stopped teaching Defense in Depth? William Herrin (Nov 16)
- Re: Have they stopped teaching Defense in Depth? Owen DeLong (Nov 16)
- Re: Have they stopped teaching Defense in Depth? Jimmy Hess (Nov 16)
- Re: Have they stopped teaching Defense in Depth? Jay Ashworth (Nov 16)
- RE: Have they stopped teaching Defense in Depth? Leigh Porter (Nov 16)
- Re: Have they stopped teaching Defense in Depth? Valdis . Kletnieks (Nov 16)