Firewall Wizards mailing list archives

Castles and Security (fwd)


From: Lance Spitzner <lance () spitzner net>
Date: Thu, 28 Dec 2000 12:59:13 -0600 (CST)

I recently answered an extremely interesting question concerning
the comparison of castles to network security.  Below is
the email, I'm interested in any feedback.

Thanks!

-- 
Lance Spitzner
http://project.honeynet.org

---------- Forwarded message ----------
From: Lance Spitzner <lance () spitzner net>
Subject: Castles and Security

In your SANS bio, you say "there are many similarities between securing
a network and securing a castle." I agree, this is a true statement.
However, aren't we making the same mistake the French made with the
Maginot line in WW2?

While it is obvious that we are not in the business of waging war
ourselves, does anybody else see that by building these incredibly complex,
monolithic systems, we are creating in ourselves and our systems fortress
mindsets? Didn't Clausewitz and Sun-Tzu warn of the dangers of the fortress
(lack of mobility, gambling on the impregnability of one position,
blindness to attacks from other directions)? Or, are their strategies
applicable only for situations of actual warfare (attack & defend), while
we are, essentially, in the position of medieval burghers, stuck with the
task of defending our walled cities from the bandits in the forest?

Excellent question.  Military history has much to teach us, but few study
its lessons.  Let us first review the failures that history has taught us.
For example, you raise the issue of the Maginot line in WW2.  This defense
failed because it was a single static layer.  It was assumed that the enemy
would blindly throw itself at this immense defense, and the defending forces would
simply decimate the attacking forces.  Instead, Germany went around the 
defensive line and attacked the poorly defended areas behind.  This failure
can also be found in firewalls.  Many organizations wrongly believe that a 
firewall will defend them against the badguys.  Organizations believe the 
blackhats will throw themselves against the firewall, fail, and then give up.  
Like the Maginot line, organizations are basing their defense on a single layer 
of failure.  However, this single layer can often be easily bypassed.  Once 
bypassed, organizations are often weak and soft in the middle.  Bypassing a 
firewall is often much easier than people think, such as dial-up modems, 
ISDN lines, http tunnels, Worms, misconfigured rules, etc.

I like to compare network security to castles because I find the situations
very similar.  Just like a castle, the badguys know where we are and that
we are not going to move.  Networks, like castles, are most often static
targets.  Also, it is very difficult for us to pre-emptively strike out
at the badguys, as we often do not know who they are, or the system they
are coming from is an innocent bystander. It normally comes down to a 
question of how good our defenses are.

Now, let's take a look at what history can teach us about doing defenses
correctly.  History has many examples of successful defenses; we need to
study why those defenses were successful and compare that to information
security.  Malbork, built by the Order of Teutonic Knights, is considered 
one of the best examples of medieval fortresses in Europe.  I recently 
visited the castle and was extremely impressed by its defense in depth.  
The designers of the castle expected lines of defense to be breached, 
so there are extensive defenses at every layer.  As you enter the castle, 
defensive walls become progressively higher as you go in.  When one wall 
is breached, the inner walls are higher up giving the defenders the advantage.  
Walls are angled to give defenders clear fields of fire at every turn, 
stairs are curved to give sword-wielding defenders freedom to use their right 
arm, while denying the attackers the same.  Every element of the castle is 
designed to give the defenders the advantage.  Information security should 
apply the same concepts.  Yes, the firewall is a critical layer, but security 
needs to be built into every other layer.  It should be built into the 
routers, the hosts, system logs, authentication, authorization.

One other thing, even though Malbork was considered an extremely well
defended castle, it was captured by the Polish army in 1475. 
Lesson number 2, no matter how well secured your organization is, it
still can be defeated. You can learn more about Malbork online at 
http://www.zamek.malbork.com.pl/eng/index.html

Hope this helps :)


-- 
Lance Spitzner
http://project.honeynet.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
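The layered evaluation the reply argues for (firewall, hosts, logs, authentication, authorization), as an added Python example that is not part of the original post. The layers, the addresses, the user list and the "dialup" ingress (standing in for the bypass paths the reply lists) are all constructed assumptions. Each layer is an independent check over the same request, access is granted only when every layer allows it, and every decision is logged, so a request that enters around the perimeter is still stopped by an inner layer and still leaves a trace.

```python
"""Defense-in-depth policy evaluation (constructed example, not from the post)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    ingress: str          # "internet" (through the firewall) or "dialup" (around it)
    src_ip: str
    dst_port: int
    user: Optional[str]   # authenticated identity, None if unauthenticated
    action: str           # "read" or "admin"


# A layer returns (allowed, reason).
Layer = Callable[[Request], Tuple[bool, str]]

INTERNAL_NET = "10.0."    # constructed internal address prefix
ADMINS = {"alice"}        # constructed authorization data


def perimeter_firewall(r: Request) -> Tuple[bool, str]:
    # The perimeter only inspects traffic that actually crosses it.
    if r.ingress != "internet":
        return True, "perimeter: not traversed"
    return (r.dst_port in (80, 443)), "perimeter: only 80/443 allowed in"


def host_firewall(r: Request) -> Tuple[bool, str]:
    # Host-based filter: ssh only from the internal net, whatever the ingress path.
    if r.dst_port == 22 and not r.src_ip.startswith(INTERNAL_NET):
        return False, "host firewall: ssh from outside internal net"
    return True, "host firewall: ok"


def authentication(r: Request) -> Tuple[bool, str]:
    return (r.user is not None), "authentication: identity required"


def authorization(r: Request) -> Tuple[bool, str]:
    if r.action == "admin" and r.user not in ADMINS:
        return False, "authorization: %r is not an admin" % r.user
    return True, "authorization: ok"


# The single-layer posture the reply warns about, and the layered one it recommends.
PERIMETER_ONLY: List[Layer] = [perimeter_firewall]
DEFENSE_IN_DEPTH: List[Layer] = [perimeter_firewall, host_firewall,
                                 authentication, authorization]


def evaluate(r: Request, layers: List[Layer], audit: List[str]) -> Tuple[bool, str]:
    """Run every layer in order; the first denial wins, and every outcome is logged."""
    for layer in layers:
        ok, reason = layer(r)
        verdict = "ALLOW" if ok else "DENY"
        audit.append("%s %s:%s->%d %s" % (verdict, r.ingress, r.src_ip, r.dst_port, reason))
        if not ok:
            return False, reason
    return True, "all layers passed"


# Constructed sample traffic.
BYPASS = Request("dialup", "203.0.113.7", 22, None, "admin")    # enters around the firewall
NORMAL = Request("internet", "198.51.100.9", 443, "bob", "read")

if __name__ == "__main__":
    for name, layers in (("perimeter only", PERIMETER_ONLY), ("defense in depth", DEFENSE_IN_DEPTH)):
        log: List[str] = []
        ok, reason = evaluate(BYPASS, layers, log)
        print("%-17s bypass request -> %s (%s)" % (name, "allowed" if ok else "denied", reason))
        for line in log:
            print("    " + line)
```

With only the perimeter layer, the dial-up request is never inspected at all and succeeds; with the layered policy it is denied at the host firewall, and the audit log records both the perimeter pass and the host denial, which is the detection value the reply attributes to building security into system logs as well as the firewall.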