[148180] in North American Network Operators' Group
Re: Internet Edge and Defense in Depth
daemon@ATHENA.MIT.EDU (Mike Andrews)
Thu Jan 5 10:34:12 2012
Date: Thu, 5 Jan 2012 09:33:15 -0600
From: Mike Andrews <mikea@mikea.ath.cx>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <20120105152255.GC20575@gsp.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Jan 05, 2012 at 10:22:55AM -0500, Rich Kulawiec wrote:
> On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote:
> > Cramming every little feature under the sun into one appliance makes for
> > great glossy brochures and Powerpoint decks, but I just don't think it's
> > practical.
>
> 1. It's an excellent way to create a single point-of-failure.
>
> 2. I prefer, when building defense-in-depth, to build the layers with different
> technology running on different operating systems on different architectures.
> There's no doubt this adds some complexity and that it requires judicious
> design to be scalable, maintainable, and so on. But it raises the bar
> for attackers considerably, and it gives defenders a fighting chance of
> discovering a breach in one layer before it becomes a breach in all layers.
>
> 3. One of the mistakes we all continue to make, whether we have our
> paws on integrated appliances or separate systems, is default-permit.
> We really need to make sure that the syntactic equivalent of "deny
> all from any to any" is the first rule installed in any of these,
> and then work from there.
>
> p.s. In re Powerpoint, I've long held that the appropriate response to
> "I have a PowerPoint presentation..." is for everyone else in the room
> to find a strong rope and a sturdy tree, and do what must be done for
> the sake of humanity.
"Power corrupts. PowerPoint corrupts absolutely."
As regards avoidance of SPOFs, I also prefer multiple layers in different
technologies &c. A monoculture is horribly vulnerable. I grant that network
hardware isn't exactly Ireland just before the potato famine, but the
parallels are there and applicable in at least some senses.
--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin
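To make Rich's point 3 concrete, here is an added example (not part of the thread) that evaluates a first-match ruleset under a default-permit and a default-deny posture, and shows that an explicit catch-all deny rule is the "syntactic equivalent" he describes; addresses, ports and the `Rule` type are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        src_ip, dst_ip, dport = flow
        return (self._in(self.src, src_ip) and self._in(self.dst, dst_ip)
                and (self.dport is None or self.dport == dport))

    @staticmethod
    def _in(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec)


def evaluate(rules, flow: Flow, default: str) -> str:
    """First matching rule wins; `default` applies when nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def with_catch_all_deny(rules):
    """Append "deny all from any to any" so the default never decides anything."""
    return list(rules) + [Rule("deny", "any", "any", None)]


# Constructed edge policy: the operator only meant to expose one web server.
EDGE_RULES = [
    Rule("permit", "any", "192.0.2.10/32", 443),
    Rule("permit", "any", "192.0.2.10/32", 80),
]

# Constructed flows: one intended service, two things nobody meant to expose.
FLOWS = {
    "web": ("203.0.113.7", "192.0.2.10", 443),
    "ssh_to_web_host": ("203.0.113.7", "192.0.2.10", 22),
    "snmp_on_router": ("203.0.113.7", "192.0.2.1", 161),
}


def compare(rules, flows):
    """Return {flow_name: (verdict under default-permit, verdict under default-deny)}."""
    return {name: (evaluate(rules, f, "permit"), evaluate(rules, f, "deny"))
            for name, f in flows.items()}
```

Under default-permit, every flow the two rules do not mention is silently allowed; with the catch-all deny in place the box's default posture no longer matters.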