[146577] in North American Network Operators' Group


RE: Have they stopped teaching Defense in Depth?

daemon@ATHENA.MIT.EDU (Jamie Bowden)
Wed Nov 16 09:06:33 2011

Date: Wed, 16 Nov 2011 09:05:20 -0500
In-Reply-To: <22374.1321452116@turing-police.cc.vt.edu>
From: "Jamie Bowden" <jamie@photon.com>
To: <Valdis.Kletnieks@vt.edu>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


> -----Original Message-----
> From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
> Sent: Wednesday, November 16, 2011 9:02 AM
> To: Jay Ashworth
> Cc: NANOG
> Subject: Re: Have they stopped teaching Defense in Depth?
>
> On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:
> > ----- Original Message -----
> > > From: "Jimmy Hess" <mysidia@gmail.com>
> >
> > > Or, the attack is against a legitimate user's outbound connection, for example:
> > > a user behind the firewall connects to a web site, a vulnerability
> > > in their browser is exploited
> > > to install a trojan -- the trojan tunnels to the attacker over an
> > > outgoing port that is allowed on the firewall.
> >
> > Oh, certainly; I have lots of web browsers running on my servers.
> >
> > All The World Is Not A Workstation, guys.
>
> Is there *anything* on the allegedly protected subnet that has a web browser
> running on it?  Maybe that laptop on the crash cart that you use for
> downloading firmware and installing it on storage appliances?  If it's a
> corporate-sized NAT, do you have any desktops that have network reachability to
> the servers (probably do - if the desktops can't reach the servers, the servers
> aren't useful are they?) and also have web browsers that go to the outside
> world?
>
> I compromise an ad server someplace.  Bob over in Accounting visits the CPA forum
> on the accountants-r-us.com website looking for suggestions on how to handle
> a tax issue.  I now have control of Bob's workstation, and the question of whether
> your firewall does NAT or not just became totally moot.
>
> Defense in depth doesn't mean building a second Maginot Line behind the first
> is a good idea - it means you *also* have a capable army that will stop a
> German invasion coming in via Belgium.

That's absurd, no one could get an army across that terrain...

Jamie
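The scenario Valdis describes above (a workstation that both browses the outside world and reaches the server subnet) is what makes the perimeter NAT moot, and Jay's point is that servers themselves should generate no browser traffic. As an added example that is not part of this thread, a small Python script over constructed firewall-log lines that lists such bridging workstations and any server-subnet host with outbound web egress; the log format, the subnet ranges and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample of accepted outbound flows from a perimeter firewall log,
# one flow per line: "<src_ip> <dst_ip> <dst_port>" (not a real vendor format).
SAMPLE_LOG = """\
10.1.1.15 203.0.113.7 443
10.1.1.15 10.2.0.10 3306
10.1.1.22 10.2.0.10 22
10.1.1.40 198.51.100.9 80
10.2.0.10 10.2.0.11 5432
10.2.0.11 192.0.2.33 443
"""

# Assumed addressing: servers live in 10.2.0.0/24; all RFC 1918 space is internal.
SERVER_NET = ipaddress.ip_network("10.2.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}


def parse_flows(text):
    """Parse the simplified log into (src, dst, dst_port) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split()
            flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return flows


def analyze(flows, server_net=SERVER_NET):
    """Return (bridging_hosts, browsing_servers) as sorted lists of address strings.

    bridging_hosts: hosts outside server_net that both reach server_net and browse
    to non-internal addresses (the "Bob" workstation whose compromise makes the
    perimeter NAT moot).  browsing_servers: hosts inside server_net with outbound
    web egress, which should not occur if the servers run no browsers.
    """
    reaches_servers, workstation_browses, server_browses = set(), set(), set()
    for src, dst, port in flows:
        external_web = port in WEB_PORTS and not any(dst in n for n in INTERNAL_NETS)
        if src in server_net:
            if external_web:
                server_browses.add(src)
            continue  # server-to-server traffic is not a perimeter bridge
        if dst in server_net:
            reaches_servers.add(src)
        if external_web:
            workstation_browses.add(src)
    bridging = reaches_servers & workstation_browses
    return [str(h) for h in sorted(bridging)], [str(h) for h in sorted(server_browses)]
```

On the sample log this reports 10.1.1.15 as the bridging workstation and 10.2.0.11 as a server with outbound web egress; both are the hosts where internal controls, not the NAT, decide the outcome.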
