Firewall Wizards mailing list archives

RE: Re: Castles and Security


From: "Duquette, John" <john.duquette () eds com>
Date: Thu, 4 Jan 2001 12:50:40 -0500

I think what you are getting at is really the heart of the issue.

The Maginot line was built to fight the *previous* war.  It was a
super trench because the French military was gearing to refight WWI. 
The Germans were learning and preparing to fight a more mobile war so
instead of throwing their troops at the fortifications, they went
around them quickly.  Remember the French considered the Argonne
forest impenetrable, which the Germans demonstrated to be false. 
Whether you want to use the castle or terrorist analogy there is one
common truth.  The attacker ALWAYS has the advantage and the element
of surprise.

Most current network security practices are geared at defending
against what has already happened and is known, not what might
happen.

Many of our customers *still* think that you only need to look at
their firewall.  Trying to convince them that they need to look at
everything can be like arguing with a drunk.

john

And I'll bite on one more thing, what relevance does Nov. 5 have to
any of this?

-----Original Message-----
From: Karl Wolfgang [mailto:karl_wolfgang () hotmail com]
Sent: Wednesday, January 03, 2001 9:06 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Re: Castles and Security


1.  The "bastion host" / reinforced firewall concept may go the way of
castles and the Maginot Line if dynamic defenses are not put in place.
Clausewitz stated "If you entrench yourself behind strong fortifications,
you compel the enemy to seek a solution elsewhere".

2.  Application programmers have begun to place other protocols within HTTP
and HTTPS, which are allowed through most firewalls. This protocol tunneling
means that, unless very aggressive proxies are available with a firewall, it
won't be as effective.

3.  Telecommuter / home systems are notoriously lax on desktop security.  A
personal DSL connection to the Internet with static IP coupled with VPN
tunnel into a protected network provides the devil's playground for a repeat
of a Microsoft / QAZ exploit or something similar.


