Re: Re: Castles and Security

["Talisker" <Talisker () networkintrusion co uk>]

Let's not lose sight of the fact that it's an analogy, I doubt we'll ever
find a perfect one, but for the purpose of getting a point across it's not
bad.

On another list last week there was a similar one along the lines of  why
bother putting a padlock on a tent. ie what's the point of a padlock if
someone can use a knife to get in the side.  I intend to combine the 2
analogies to build a scenario

The padlock on a tent may deter your average script kiddie and the castle
will stop most script kiddies and a good proportion of hackers.  So where
are the vulnerabilities in a castle? someone mentioned spies, they can't
mount a full on attack they need to get in using a little more stealth,
disguised as a trusted person or hidden in a delivery. To me they would
represent a true hacker not daunted by defence in depth.
Lets also bring into the equation the insider attack and the trojan horse
both common problems in security today, again the castle analogy can
introduce the concept just as a DDOS could be likened to a siege.

As for terrorism and guerilla warfare, they wouldn't attack a castle it's
too strong but they would attack traffic to and from the castle.

The castle analogy isn't perfect but it will help to get some points across
in infantry English

Andy (reaching for the fire extinguisher to put out the flames)
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo
talisker () networkintrusion co uk

The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "Smith Gary-GSMITH1" <Gary.R.Smith () motorola com>
To: "'Duquette, John'" <john.duquette () eds com>; "Karl Wolfgang"
<karl_wolfgang () hotmail com>; <firewall-wizards () nfr com>
Sent: Thursday, January 04, 2001 7:28 PM
Subject: RE: [fw-wiz] Re: Castles and Security


> Regarding November 5th:
>
> November 5th is Guy Fawkes Day in the UK.
>
> Nearly four hundred years ago, in 1605, a man named Guy Fawkes tried to
blow
> up a government building. He wanted to kill King James I and the king's
> leaders. Fawkes was one of a group of men who felt that the government was
> treating Roman Catholics unfairly.
>
> The king and his leaders were to meet on November 5. So, the group placed
> barrels of gunpowder in a cellar beneath the building where the king and
> others were to meet. Guy Fawkes was to light the fuse that would set off
the
> explosion. But the plot was discovered before he had a chance to do this.
> The king was saved, and Fawkes was hanged.
>
> Ever since, Guy Fawkes Day has been a time for merrymaking. It is a
holiday
> that both children and grown-ups enjoy. The best part comes as darkness
> falls. Then, straw dummies are tossed into huge bonfires. Amid cries of
> glee, firecrackers pop and "the Guy" goes up in a blaze of fire.
>
> -----Original Message-----
> From: Duquette, John [mailto:john.duquette () eds com]
> Sent: Thursday, January 04, 2001 11:51 AM
> To: Karl Wolfgang; firewall-wizards () nfr com
> Subject: RE: [fw-wiz] Re: Castles and Security
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I think what you are getting at is really the heart of the issue.
>
> The Maginot line was built to fight the *previous* war.  It was a
> super trench because the French military was gearing to refight WWI.
> The Germans were learning and preparing to fight a more mobile war so
> instead of throwing their troops at the fortifications, they went
> around them quickly.  Remember the French considered the Argonne
> forest impenetrable, which the Germans demonstrated to be false.
> Whether you want to use the castle or terrorist analogy there is one
> common truth.  The attacker ALWAYS has the advantage and the element
> of surprise.
>
> Most current network security practices are geared at defending
> against what has already happened and is known, not what might
> happen.
>
> Many of our customers *still* think that you only need to look at
> their firewall.  Trying to convince them that they need to look at
> everything can be like arguing with a drunk.
>
> john
>
> And I'll bite on one more thing, what relevance does Nov. 5 have to
> any of this?
>
> > -----Original Message-----
> > From: Karl Wolfgang [mailto:karl_wolfgang () hotmail com]
> > Sent: Wednesday, January 03, 2001 9:06 PM
> > To: firewall-wizards () nfr com
> > Subject: [fw-wiz] Re: Castles and Security
> >
> >
> > 1.  The "bastion host" / reinforced firewall concept may go
> > the way of
> > castles and the Maginot Line if dynamic defenses are not put
> > in place.
> > Clausewitz stated "If you entrench yourself behind strong
> > fortifications,
> > you compel the enemy to seek a solution elsewhere".
> >
> > 2.  Application programmers have begun to place other
> > protocols within HTTP
> > and HTTPS, which are allowed through most firewalls. This
> > protocol tunneling
> > means that, unless very aggressive proxies are available with
> > a firewall, it
> > won't be as effective.
> >
> > 3.  Telecommuter / home systems are notoriously lax on
> > desktop security.  A
> > personnel DSL connection to the Internet with static IP
> > coupled with VPN
> > tunnel into a protected network provide the devil's
> > playground for a repeat
> > of a Microsoft / QAZ exploit or something similar.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOlS38dwfv0dRtjgLEQImXACgktJuUpqq0VGO9CHMGm7y421BSq4AnjGT
> ZJyZGXWB+kmy/LIyf/LZ9XU7
> =SQ7x
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards