Firewall Wizards mailing list archives
Castles and Security (fwd)
From: Lance Spitzner <lance () spitzner net>
Date: Thu, 28 Dec 2000 12:59:13 -0600 (CST)
I recently answered an extremely interesting question concerning the comparison of castles to network security. Below is the email; I'm interested in any feedback. Thanks!

-- Lance Spitzner http://project.honeynet.org

---------- Forwarded message ----------
From: Lance Spitzner <lance () spitzner net>
Subject: Castles and Security
In your SANS bio, you say "there are many of similarities between securing a network and securing a castle." I agree; this is a true statement. However, aren't we making the same mistake the French made with the Maginot line in WW2? While it is obvious that we are not in the business of waging war ourselves, does anybody else see that by building these incredibly complex, monolithic systems, we are creating in ourselves and our systems fortress mindsets? Didn't Clausewitz and Sun-Tzu warn of the dangers of the fortress (lack of mobility, gambling on the impregnability of one position, blindness to attacks from other directions)? Or are their strategies applicable only to situations of actual warfare (attack & defend), while we are, essentially, in the position of medieval burghers, stuck with the task of defending our walled cities from the bandits in the forest?
Excellent question. Military history has much to teach us, but few study its lessons. Let us first review the failures that history has taught us.

For example, you raise the issue of the Maginot line in WW2. This defense failed because it was a single static layer. It was assumed that the enemy would blindly throw itself at this immense defense, and the defending forces would simply decimate the attacking forces. Instead, Germany went around the defensive line and attacked the poorly defended areas behind it.

This failure can also be found in firewalls. Many organizations wrongly believe that a firewall will defend them against the bad guys. Organizations believe the blackhats will throw themselves against the firewall, fail, and then give up. Like the Maginot line, organizations are basing their defense on a single layer of failure. However, this single layer can often be easily bypassed. Once bypassed, organizations are often weak and soft in the middle. Bypassing a firewall is often much easier than people think, via dial-up modems, ISDN lines, HTTP tunnels, worms, misconfigured rules, etc.

I like to compare network security to castles because I find the situations very similar. Just like a castle, the bad guys know where we are and that we are not going to move. Networks, like castles, are most often static targets. Also, it is very difficult for us to pre-emptively strike out at the bad guys, as we often do not know who they are, or the system they are coming from is an innocent bystander. It normally comes down to a question of how good our defenses are.

Now, let's take a look at what history can teach us about doing defenses correctly. History has many examples of successful defenses; we need to study why those defenses were successful and compare that to information security. Malbork, built by the Order of Teutonic Knights, is considered one of the best examples of medieval fortresses in Europe. I recently visited the castle and was extremely impressed by its defense in depth. The designers of the castle expected lines of defense to be breached; there are extensive defenses at every layer. As you enter the castle, the defensive walls become progressively higher as you go in. When one wall is breached, the inner walls are higher up, giving the defenders the advantage. Walls are angled to give defenders clear fields of fire at every turn, and stairs are curved to give sword-wielding defenders freedom to use their right arm while denying the attackers the same. Every element of the castle is designed to give the defenders the advantage.

Information security should apply the same concepts. Yes, the firewall is a critical layer, but security needs to be built into every other layer. It should be built into the routers, the hosts, system logs, authentication, authorization.

One other thing: even though Malbork was considered an extremely well defended castle, it was captured by the Polish army in 1475. Lesson number 2: no matter how well secured your organization is, it still can be defeated.

You can learn more about Malbork online at http://www.zamek.malbork.com.pl/eng/index.html

Hope this helps :)

-- Lance Spitzner http://project.honeynet.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards