nanog mailing list archives

Re: NIST IPv6 document


From: Owen DeLong <owen () delong com>
Date: Mon, 10 Jan 2011 15:55:15 -0800


On Jan 10, 2011, at 11:52 AM, Lamar Owen wrote:

> On Friday, January 07, 2011 09:25:59 am David Sparro wrote:
> > I find that the security "Layers" advocates tend not to look at the
> > differing value of each of those layers.
>
> Different layers very much have different values, and, yes, this is often glossed over.
>
> > Going back to the physical door analogy, it's like saying that a bank
> > vault protected by a bank vault door is less secure than a vault with
> > the bank vault door AND a screen door.
>
> More analogous would be the safe with glass relockers and a vial of tear gas behind the ideal drill point.  Yes,
> those do exist, and, should you want to see a photo of such a vial, I can either provide one (have to take the photo
> with the safe door open next time I'm on that site, which may be a while with all this snow and ice on the ground) or
> you can find pics through google.
>
> Even physical locks have layered security principles.  Think Medeco locks with chisel-pointed pins and the associated
> sidebar in the center, or ASSA's Twin double-stack pin technology, or the use of spool pins in locks, or Schlage's
> Primus system (also sidebar driven) or anti-drill armor in front of the pin stack (to prevent drilling the shear
> line), etc.  The use of layers in the physical security realm is a proven concept, and the synergy of the layers has
> been shown effective over time.  Not totally secure, of course, but as the number of layers increases the security
> becomes better and better.

Nonetheless, NAT remains an opaque screen door at best.

If the bad guy is behind the door, it helps hide him.

If the bad guy is outside the door, the time it takes for his knife to cut through it is so small as to be meaningless.

Owen