[66665] in North American Network Operators' Group
Re: Diversity as defense
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jan 20 00:07:44 2004
To: sgorman1@gmu.edu
Cc: nanog@merit.edu
In-Reply-To: Your message of "Mon, 19 Jan 2004 15:35:22 EST." <4e533b4e4f71.4e4f714e533b@gmu.edu>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 20 Jan 2004 00:06:23 -0500
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 19 Jan 2004 15:35:22 EST, sgorman1@gmu.edu said:
> The diversity, monoculture and agriculture analogy makes nice press, but how
> realistic is diversity as a defense?
Well.. if diversity were to actually exist, it would be quite helpful. Right now,
if you have a Windows exploit, you might as well point and pull the trigger because
you have an 86% chance of nailing the target. Add in a Linux exploit and you're well
over 90%. That's Russian Roulette with a 10-shooter and one bullet.
On the other hand, let's think about if there were 10 products that each have 10%
market share, and even a minimal attempt at deterring fingerprinting of the target,
you're looking at a 90% chance that the exploit you launch will fail and leave a
nasty mark on an IDS. Suddenly, it's 9 bullets and one blank. And even worse odds
if you haven't been picking up all the exploits in the series - or not all the products
are vulnerable.
Unfortunately, it's not a realistic scenario, because...
> Is cost the biggest hurdle or limited
> availability of competitive products, or simply no bang for the buck by
> diversifying?
I can sum up *every* problem I've had in getting people to migrate in just
3 words: "vendor lock in". Enough said on that topic.
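The odds Valdis sketches, worked through as a small added model (not part of the original post): the 86% Windows share and the ten-products-at-10% scenario are the post's own figures, while the 5% Linux share and the rule that an attacker who cannot fingerprint the target fires one exploit picked at random from those it holds are constructed assumptions.

```python
"""Added example: how platform diversity changes an attacker's odds.

Not from the original NANOG post. Market shares are the post's rough
figures (Windows 86%, ten products at 10% each); the Linux share and the
"blind firing" rule below are constructed modelling assumptions.
"""
from fractions import Fraction


def hit_probability(shares, exploits, fingerprint_ok):
    """Probability that an attempt against a random host compromises it.

    shares:         {platform: market share}, summing to 1.
    exploits:       platforms the attacker holds a working exploit for.
    fingerprint_ok: True  -> target platform is known before firing, so the
                             attacker always picks the matching exploit.
                    False -> (assumption) one exploit is picked uniformly at
                             random from those held and fired blind.
    """
    usable = {p: s for p, s in shares.items() if p in exploits}
    if not usable:
        return Fraction(0)
    covered = sum(usable.values(), Fraction(0))
    if fingerprint_ok:
        return covered
    # Blind: P(hit) = sum over held exploits e of P(pick e) * share(e)
    return covered / len(exploits)


def misfire_probability(shares, exploits, fingerprint_ok):
    """Probability the attempt fails against a non-vulnerable host, i.e. the
    noisy event that "leaves a nasty mark on an IDS"."""
    return 1 - hit_probability(shares, exploits, fingerprint_ok)


# Scenario 1: today's near-monoculture (Linux 5% is a constructed guess).
TODAY = {"windows": Fraction(86, 100), "linux": Fraction(5, 100),
         "other": Fraction(9, 100)}

# Scenario 2: the post's thought experiment, ten products at 10% each.
DIVERSE = {f"product{i}": Fraction(1, 10) for i in range(10)}

if __name__ == "__main__":
    print("Windows exploit, today:", hit_probability(TODAY, {"windows"}, True))
    print("Windows+Linux, today:",
          hit_probability(TODAY, {"windows", "linux"}, True))
    print("one exploit, diverse, blind:",
          hit_probability(DIVERSE, {"product3"}, False))
    print("all ten exploits, diverse, blind:",
          hit_probability(DIVERSE, set(DIVERSE), False))
```

Note the last case: even holding an exploit for every one of the ten products, an attacker who cannot fingerprint the target still hits only 10% of the time and misfires noisily on the other 90%.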