Re: Have they stopped teaching Defense in Depth?

[Valdis.Kletnieks () vt edu]

On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:
> ----- Original Message -----
> > From: "Jimmy Hess" <mysidia () gmail com>
>
> > Or, the attack is against a legitimate user's outbound connection, for example:
> > a user behind the firewall connects to a web site, a vulnerability
> > in their browser is exploited
> > to install a trojan -- the trojan tunnels to the attacker over an
> > outgoing port that is allowed on the firewall.
>
> Oh, certainly; I have lots of web browsers running on my servers.
>
> All The World Is Not A Workstation, guys.

Is there *anything* on the allegedly protected subnet that has a web browser
running on it?  Maybe that laptop on the crash cart that you use for
downloading firmware and installing it on storage appliances?  If it's a
corporate-sized NAT, do you have any desktops that have network reachability to
the servers (probably do - if the desktops can't reach the servers, the servers
aren't useful are they?) and also have web browsers that go to the outside
world?

I compromise an ad server someplace.  Bob over in Accounting visits the CPA forum
on the accountants-r-us.com website looking for suggestion on how to handle
a tax issue.  I now have control of Bob's workstation, and the question of whether
your firewall does NAT or not just became totally moot.

Defense in depth doesn't mean building a second Maginot Line behind the first
is a good idea - it means you *also* have a capable army that will stop a
German invasion coming in via Belgium.

Attachment: _bin
Description: