nanog mailing list archives
Re: Have they stopped teaching Defense in Depth?
From: Jimmy Hess <mysidia () gmail com>
Date: Wed, 16 Nov 2011 07:21:11 -0600
On Tue, Nov 15, 2011 at 3:16 PM, Jay Ashworth <jra () baylink com> wrote:
> You can seek layers from other sources but a shallow security process will tend to be easily breached. But mounting *that* attack requires insider knowledge of 4 or 5 layers of extra information which will be necessary to exploit such an attack. My estimation is that that makes that layer of your defense in depth "thicker" than some other layers might be.
Security in depth is a proper approach, but NAT is not a security control, and NAT does not make the firewall defense "thicker". The Maginot line was "thick". Before you can properly consider your layers of defense to have a certain thickness, you have to consider types of attack, and whether your changes actually make the layers they defeat any thicker.

Now... what would you say is the most common way of defeating a properly implemented firewall?

(1) The attack follows _allowed_ paths through the firewall, for example, the attack comes through a port forward that has been configured on the firewall with an ACL that is open too wide. Or, the attack is against a legitimate user's outbound connection, for example: a user behind the firewall connects to a web site, a vulnerability in their browser is exploited to install a trojan -- the trojan tunnels to the attacker over an outgoing port that is allowed on the firewall.

And (2) The intruder compromises the firewall and gains control of it.

In the case of (1), NAT does not add any "thickness" to the security model; the workstation behind the firewall has full knowledge of its own private IP addressing. The only way you will use NAT to effectively hide information is if the compromised machine is not privy to the IP network addressing of the sensitive resources.

In the case of (2), NAT does not add any thickness to the security model, because the attacker gains knowledge of the firewall's entire configuration. This is a reason a network with truly sensitive resources where integrity is the greatest security objective should often have multiple separate firewall units made by different manufacturers, administered independently by different groups of security admins; an outer firewall in between the Internet and the DMZ, a second firewall in between the DMZ and the Internal network, and a third firewall in between the Internal network and say the SCADA control network.

--
-JH
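As an added example (not from the thread or any poster), a small rule audit over a constructed firewall ruleset that flags the two path (1) conditions described above: inbound forwards whose source ACL is open too wide onto an admin port, and egress rules that let a compromised workstation reach any outbound port. The rule format, the sample rules, the admin-port set and the /16 threshold are all assumptions; note that neither check depends on whether the inside addresses are private or public, which is the point that NAT adds nothing here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule (hypothetical format for this example)."""
    direction: str   # "in": Internet -> inside, "out": inside -> Internet
    src: str         # source CIDR the rule matches
    dst: str         # destination CIDR the rule matches
    dports: tuple    # destination ports; ("any",) means every port


# Constructed sample ruleset, not taken from any real firewall.
RULES = [
    Rule("in", "0.0.0.0/0", "192.0.2.10/32", (443,)),         # public web server
    Rule("in", "0.0.0.0/0", "10.0.0.25/32", (3389,)),         # RDP forward open to the world
    Rule("in", "198.51.100.0/24", "10.0.0.25/32", (3389,)),   # RDP forward from one partner /24
    Rule("out", "10.0.0.0/8", "0.0.0.0/0", ("any",)),         # unrestricted egress
    Rule("out", "10.0.0.0/8", "0.0.0.0/0", (80, 443)),        # web-only egress
]

# Ports where an over-wide inbound ACL is most commonly the weak layer (assumed set).
ADMIN_PORTS = {22, 23, 3389, 5900}


def wide_inbound(rules, wide_prefix=16):
    """Inbound rules whose source range is wider than /wide_prefix and
    whose forward lands on an admin port: an ACL that is 'open too wide'."""
    hits = []
    for r in rules:
        if r.direction != "in":
            continue
        src = ipaddress.ip_network(r.src)
        if src.prefixlen < wide_prefix and set(r.dports) & ADMIN_PORTS:
            hits.append(r)
    return hits


def unrestricted_egress(rules):
    """Outbound rules allowing any port to any destination: the allowed
    path a trojan on an inside host would tunnel out through."""
    return [r for r in rules
            if r.direction == "out" and "any" in r.dports
            and ipaddress.ip_network(r.dst).prefixlen == 0]


if __name__ == "__main__":
    for r in wide_inbound(RULES) + unrestricted_egress(RULES):
        print("review:", r)
```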