[170202] in North American Network Operators' Group
Re: misunderstanding scale
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Mar 24 23:03:35 2014
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAP-guGUhOYXDuuwZtYO0YFKfBxto+0+T2w4+KSCQ7L=dzw=MQQ@mail.gmail.com>
Date: Mon, 24 Mar 2014 20:00:58 -0700
To: William Herrin <bill@herrin.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 24, 2014, at 9:20 AM, William Herrin <bill@herrin.us> wrote:
> On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer@biplane.com.au> wrote:
>> Addressable is not the same as
>> accessible; routable is not the same as routed.
>
> Indeed. However, all successful security is about _defense in depth_.
> If it is inaccessible, unrouted, unroutable and unaddressable then you
> have four layers of security. If it is merely inaccessible and
> unrouted you have two.
That is, frankly, so gross an oversimplification as to be not only misleading, but outright inaccurate in many cases.

When considering defense in depth, layer thickness counts as much or more than number of layers.

Unroutable and unaddressable (which NAT and RFC-1918 arguably don't actually provide in reality) are roughly equivalent to a slide-lock on a screen door in front of a stateful inspection bank vault door in front of an unrouted iron-bar day-door inside the vault.

I would argue that the value added by the screen door and its associated slide lock is near zero in the total equation.

Further, since the reality is that NAT and RFC-1918 can be exploited by the attackers to help hide their identity and obscure their activities, they are actually not added depth, but in fact erode the actual security. Further, since it is such a widely held misperception that they provide security, there's probably a certain amount of negative impact due to the complacency and lack of vigilance that creates as well.
Owen
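An added illustration of the "vault door" versus "screen door" distinction in the post above, not part of the original thread: an nftables ruleset for a border router. It assumes hypothetical interface names `lan0` (inside) and `wan0` (outside). The first table is the stateful inspection layer that actually blocks unsolicited inbound connections; it works identically whether the inside network uses RFC 1918 space, a public IPv4 block, or IPv6 global addresses. The second table is NAT on its own. If the forward chain's default policy were `accept` and the NAT table were the only thing on the box, a host that can address the inside prefix and has a route to it (a neighbour on the WAN segment with a static route, or an upstream that leaks the prefix) reaches inside hosts directly; masquerade only rewrites the source of outbound packets and does nothing to inbound packets that already carry an inside destination.

```nft
# /etc/nftables.conf -- added example, not from the original post.
# Interface names lan0 and wan0 are assumptions.
flush ruleset

# The stateful "vault door": this is the layer that provides the security.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the inside initiated are allowed back in.
        ct state established,related accept

        # Packets conntrack cannot place in any flow are dropped.
        ct state invalid drop

        # New connections may originate only from the inside.
        iifname "lan0" oifname "wan0" accept

        # Everything else, including new connections arriving on wan0 for
        # an inside address, falls through to the drop policy. This holds
        # regardless of whether the inside prefix is 10.0.0.0/8 or a
        # globally routed IPv6 /56: addressability does not buy
        # accessibility here, the filter does.
    }
}

# The "screen door": NAT by itself. It rewrites the source address of
# outbound packets so replies come back to wan0, but it contains no rule
# that drops inbound packets addressed to inside hosts. Without the
# filter table above (or with its policy set to accept), anyone who can
# route a packet to the inside prefix gets through.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load with `nft -f /etc/nftables.conf` and inspect with `nft list ruleset`. Removing the `table ip nat` block changes nothing about what inbound traffic is accepted; removing the `table inet filter` block, or changing its policy to `accept`, is what opens the inside network, which is the post's point that the stateful layer carries nearly all of the weight.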