[146576] in North American Network Operators' Group
Re: Have they stopped teaching Defense in Depth?
Wed Nov 16 09:02:40 2011
To: Jay Ashworth <jra@baylink.com>
In-Reply-To: Your message of "Wed, 16 Nov 2011 08:36:21 EST."
<14755259.2999.1321450581722.JavaMail.root@benjamin.baylink.com>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 16 Nov 2011 09:01:56 -0500
Cc: NANOG <nanog@nanog.org>
On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:
> ----- Original Message -----
> > From: "Jimmy Hess" <mysidia@gmail.com>
>
> > Or, the attack is against a legitimate user's outbound connection, for example:
> > a user behind the firewall connects to a web site, a vulnerability
> > in their browser is exploited
> > to install a trojan -- the trojan tunnels to the attacker over an
> > outgoing port that is allowed on the firewall.
>
> Oh, certainly; I have lots of web browsers running on my servers.
>
> All The World Is Not A Workstation, guys.
Is there *anything* on the allegedly protected subnet that has a web browser
running on it? Maybe that laptop on the crash cart that you use for
downloading firmware and installing it on storage appliances? If it's a
corporate-sized NAT, do you have any desktops that have network reachability to
the servers (probably do - if the desktops can't reach the servers, the servers
aren't useful are they?) and also have web browsers that go to the outside
world?
I compromise an ad server someplace. Bob over in Accounting visits the CPA forum
on the accountants-r-us.com website looking for suggestions on how to handle
a tax issue. I now have control of Bob's workstation, and the question of whether
your firewall does NAT or not just became totally moot.
Defense in depth doesn't mean building a second Maginot Line behind the first
is a good idea - it means you *also* have a capable army that will stop a
German invasion coming in via Belgium.
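One way to actually answer the question Valdis poses above (which hosts on the "protected" side can both browse out and reach the servers, and therefore make the NAT question moot once a drive-by lands on them) is to run the firewall policy through a small reachability check. The following is an added example, not code from the thread or from any poster: a first-match policy evaluator with an implicit default deny, run over a constructed rule set. The subnets, hostnames, ports and the use of RFC 5737 TEST-NET-3 (203.0.113.0/24) as "the outside world" are all assumptions made for the illustration.

```python
"""Find hosts that can both browse out and reach the servers (the pivot set).

Constructed example: the rules, hosts and addresses below are invented
to illustrate the check, not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    dports: Optional[frozenset]   # destination TCP ports; None means any port
    action: str                   # "allow" or "deny"


def is_allowed(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    """First-match evaluation. Anything no rule matches is denied."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dports is None or dport in r.dports)):
            return r.action == "allow"
    return False


# Constructed policy: desktops and the crash-cart laptop live on 10.0.1.0/24,
# servers on 10.0.2.0/24; 203.0.113.0/24 (TEST-NET-3) stands in for the Internet.
RULES = [
    Rule("10.0.1.0/24", "10.0.2.0/24", frozenset({22, 443, 445}), "allow"),  # desktops -> servers
    Rule("10.0.2.0/24", "0.0.0.0/0", None, "deny"),                          # servers never initiate
    Rule("10.0.1.0/24", "0.0.0.0/0", frozenset({80, 443}), "allow"),         # web browsing out
    Rule("10.0.0.0/8", "0.0.0.0/0", None, "deny"),                           # everything else
]

# Constructed inventory (name -> address).
HOSTS = {
    "bob-accounting": "10.0.1.23",
    "crash-cart-laptop": "10.0.1.200",
    "www1": "10.0.2.10",
    "nas1": "10.0.2.20",
}
SERVERS = ["www1", "nas1"]
OUTSIDE = "203.0.113.10"   # any address the trojan could tunnel back to


def pivot_exposed(rules: List[Rule], hosts: Dict[str, str], servers: List[str],
                  outside: str = OUTSIDE, browse_ports=(80, 443),
                  server_ports=(22, 443, 445)) -> Dict[str, List[str]]:
    """Non-server hosts that can reach the outside on a browsing port (the way
    a drive-by gets in, and the way the trojan gets out) AND can reach at
    least one server. Returns {host: [servers it can reach]}."""
    exposed: Dict[str, List[str]] = {}
    for name, ip in hosts.items():
        if name in servers:
            continue
        if not any(is_allowed(rules, ip, outside, p) for p in browse_ports):
            continue
        reach = sorted(srv for srv in servers
                       if any(is_allowed(rules, ip, hosts[srv], p) for p in server_ports))
        if reach:
            exposed[name] = reach
    return exposed


if __name__ == "__main__":
    for host, reach in pivot_exposed(RULES, HOSTS, SERVERS).items():
        print(f"{host}: browses out AND reaches {', '.join(reach)}")
```

In this constructed policy both the accounting desktop and the crash-cart laptop land in the pivot set, which is exactly the situation the message describes: once one of them is owned through the browser, the trojan's beacon on 443 is permitted outbound and the servers are one hop away, NAT or no NAT. Running the check against a real policy export tells you which hosts deserve the "capable army" (EDR, egress proxying, network segmentation between user and server subnets) rather than a second perimeter.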