Full Disclosure mailing list archives

Re: The Death of Defence in Depth ? - An invitation to Hack.lu


From: gjgowey () tmo blackberry net
Date: Fri, 12 Oct 2007 23:20:27 +0000

I think reducing size and enhancing security do not belong in any document that regards security.  If you are relying 
on one solution as a cure all then you're doomed to failure.  This is because all products have bugs and problems and 
having only one uniform environment to work with is a fertile ground for a disaster.  This is not a hypothetical 
thought either.

I had one employer who once did not patch his Windows systems properly.  Mind you he had antivirus protection, but it 
didn't save him.  A worm got loose and it went through 5 sites worth of Win XP systems like a blow torch through butter 
because the connectivity was free and clear between them (nice fat OC-192s no less).  I prefer to abide by a saying 
that I once read on a FidoNet posting: never have more than 10% of one company's product, never be more than 10% of one 
company's business.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Eric Rachner" <eric () rachner us>

Date: Sat, 13 Oct 2007 00:49:03
To: <full-disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] The Death of Defence in Depth ? - An invitation to Hack.lu


$0.02:

"Defense in Depth" means *reducing* attackable surface, *reducing* execution
privilege, *reducing* complexity, etc.

If you guys are criticizing the ongoing trend towards enterprise-wide AV
monitoring and routing all network traffic through SSL-terminating
deep-packet-inspecting content-filtering 1U rack mount appliances, well,
that's more like the exact opposite.  That's more surface area, more
complexity, and more privilege.

I'd call it "Defense in Breadth."

- Eric

Thierry Zoller wrote:
Dear Felix,
While I love your comment and really welcome constructive criticism,
I actually think you should keep the focus on the Fox News style
question marks. Nowhere is being said that this is the end of
Defence in Depth (as a paradigm), we ask the question.

Then again you seem to be judging about something you haven't seen
nor read. Is this because I ask the Fox News style questions and you
give Fox News style comments ?

FFL> the title is misleading at best.
While I have the utmost respect for your person, in this particular
case, I am sorry dude, but how can you tell ? Have you seen the
presentation? Have you heard the conclusion? I don't think so?
Though you are more than welcome to see it :)

FFL> Defense in Depth has nothing to do
FFL> with security software.
In a certain sense it has. Defence in depth is a paradigm that applies not only
to how you design software but also to how you implement solutions.
The talk is about reality, not an RFC or CISSP definition.

FYI, while certainly not a reference, here is what Wikipedia has to say:
"Defense in Depth is an Information Assurance (IA) strategy where
multiple layers of defense are placed throughout an Information
Technology (IT) system and addresses personnel, technology and
operations for the duration of the system's lifecycle."
http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)

FFL> To the contrary. The paradigm describes an
FFL> approach where you assume that individual (even multiple) elements of your
FFL> defense fall, in the worst possible way (which could be code
FFL> execution).
Thank you for the definition, though I must let you know I am fully
aware of it. (I miss a mandatory RFC link) The presentation will
talk of exactly that "...assume.. multiple elements of your defense fall"

What currently is being done in the industry is to ADD more layers of
defence to protect against one failing, this is being done by adding
one parsing engine after the other. Again nobody said Defence in Depth
is wrong in itself, it's just the way the Software Industry has led
companies to implement it. _This_ is the point.

Don't get me wrong, defence in depth as a general paradigm is perfectly
fine :) But you would have had to listen to the talk to draw that
conclusion, this is what I find most irritating about your comment. And
it raises a big question mark as to your motivation for this public
comment.

FFL> What you are describing is people adding security software
FFL> _instead_ of applying a thorough defense in depth design.
I am describing nothing Felix, you are judging about a Presentation
_you have not even seen_. How dare you !!! ==))))

FFL> Your presentation title suggests that one of the very few paradigms
FFL> that actually promises long term security benefits does not work.
Felix I am suggesting nothing, you are taking a friendly invitation
as reason to bitch about how you THINK the talk will be given, though
you have no clue.

FFL> Wrong. I suggest you find a better title.
At your command! =)

The title fits the presentation perfectly, I find it rather arrogant
and bloated to comment in this way and fashion on a public mailing
list. I welcome any other comment to my personal Inbox, Phone, Fax,
whatever, I will ignore any other comment by public means before
the actual talk was given and there is actual substance to start
a discussion. I would have loved to receive a question before you
shoot.


--

"If we knew what it was we were doing, it would not be called research,
would it?", Albert Einstein





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/