nanog mailing list archives
Re: NIST IPv6 document
From: mikea <mikea () mikea ath cx>
Date: Mon, 10 Jan 2011 14:09:25 -0600
On Mon, Jan 10, 2011 at 02:52:56PM -0500, Lamar Owen wrote:
> On Friday, January 07, 2011 09:25:59 am David Sparro wrote:
>> I find that the security "Layers" advocates tend not to look at the differing value of each of those layers.
>
> Different layers very much have different values, and, yes, this is often glossed over.
>
>> Going back to the physical door analogy, it's like saying that a bank vault protected by a bank vault door is less secure than a vault with the bank vault door AND a screen door.
>
> More analogous would be the safe with glass relockers and a vial of tear gas behind the ideal drill point. Yes, those do exist, and, should you want to see a photo of such a vial, I can either provide one (have to take the photo with the safe door open next time I'm on that site, which may be a while with all this snow and ice on the ground) or you can find pics through google. Even physical locks have layered security principles. Think Medeco locks with chisel-pointed pins and the associated sidebar in the center, or ASSA's Twin double-stack pin technology, or the use of spool pins in locks, or Schlage's Primus system (also sidebar driven) or anti-drill armor in front of the pin stack (to prevent drilling the shear line), etc. The use of layers in the physical security realm is a proven concept, and the synergy of the layers has been shown effective over time. Not totally secure, of course, but as the number of layers increases the security becomes better and better.

My father used to tell me that "Locks keep the honest people out." He was right; the clever non-honest are the ones we have to deal with at that level. Computers are so great a force multiplier that we are having to do the same sorts of things to defend against assaults from them.

--
Mike Andrews, W5EGO
mikea () mikea ath cx
Tired old sysadmin