Firewall Wizards mailing list archives

Re: Castles and Security (fwd)


From: George Capehart <capegeo () opengroup org>
Date: Fri, 05 Jan 2001 09:53:13 -0500

(To avoid a growing CC: list, I'm just sending this to fw-wiz)

Bill_Royds () pch gc ca wrote:


<snip great discussion of what happens when one attempts to turn a
problem of multiple analog dimensions into one of one dimension that has
only two values.>

This has been a *great* thread.  It's threads like this that I wish
everyone who is concerned with security issues could have access to.  I've
lurked on this list (and others) for just such an opportunity.  I take a
holistic approach to security so I need to understand what's going on in
as many different areas as I have time to devote.

Things got started when Lance Spitzner asked about how reasonable it is
to use a castle as an analogy for describing the issues with which one
deals in network security.  There was a good exchange around that along
with side trips into the European Theater of WWII and the attempt at
making a distinction between guerillas and terrorists.  (I think it
depends upon whether the speaker is the attacker or the attackee). ;-> 
There was also Marcus' subthread on the idea of legislating the
definition of good guy and bad guy.  (Prohibition comes to mind here . . .
as does the effect of the Harrison Narcotic Act of 1924.  Before that,
Cokes were *really* cokes . . . now they have to use caffeine . . .)

To me, the most interesting aspect of the thread has been the
acknowledgment (once again) that it is impossible to defend against
truly determined adversaries but that Defense in depth is a Good Thing
(TM) and is usually necessary.  Seems to me that we're back to the
economics of security . . . defenders rarely spend more to defend a
target than it is worth to them and attackers spend as much on an attack
as they're willing to pay.  So that leaves us, IMHO, in the position of
needing to know the enemy (cf. The Art of War, Sun Tzu) and then, given
that understanding, define the risk to be managed and the strategy and
tactics for managing it (cf. Secrets & Lies, Bruce Schneier).

My $0.02.
--
George W. Capehart                            phone:  +1 (704) 277-4561
                                              fax:    +1 (704) 853-2624

"I'd rather have a bottle in front of me than a frontal lobotomy."
Anonymous
