nanog mailing list archives
RE: Have they stopped teaching Defense in Depth?
From: "Jamie Bowden" <jamie () photon com>
Date: Wed, 16 Nov 2011 09:05:20 -0500
-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Wednesday, November 16, 2011 9:02 AM
To: Jay Ashworth
Cc: NANOG
Subject: Re: Have they stopped teaching Defense in Depth?

On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:

> ----- Original Message -----
> From: "Jimmy Hess" <mysidia () gmail com>
>
> > Or, the attack is against a legitimate user's outbound connection, for
> > example: a user behind the firewall connects to a web site, a
> > vulnerability in their browser is exploited to install a trojan -- the
> > trojan tunnels to the attacker over an outgoing port that is allowed on
> > the firewall.
>
> Oh, certainly; I have lots of web browsers running on my servers. All The
> World Is Not A Workstation, guys.

Is there *anything* on the allegedly protected subnet that has a web browser
running on it? Maybe that laptop on the crash cart that you use for
downloading firmware and installing it on storage appliances? If it's a
corporate-sized NAT, do you have any desktops that have network reachability
to the servers (probably do - if the desktops can't reach the servers, the
servers aren't useful, are they?) and also have web browsers that go to the
outside world?

I compromise an ad server someplace. Bob over in Accounting visits the CPA
forum on the accountants-r-us.com website looking for suggestions on how to
handle a tax issue. I now have control of Bob's workstation, and the question
of whether your firewall does NAT or not just became totally moot.

Defense in depth doesn't mean building a second Maginot Line behind the first
is a good idea - it means you *also* have a capable army that will stop a
German invasion coming in via Belgium.

That's absurd; no one could get an army across that terrain...

Jamie
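The scenario the thread describes, an implant on Bob's workstation calling home over a port the perimeter already permits, is exactly the case a port-based NAT/firewall policy cannot see, and the "army behind the line" is a second control that looks at outbound behaviour instead of just port numbers. The following is an added example, not code from the NANOG thread or from any of its participants. It assumes a constructed, simplified connection log format (one line per new outbound flow: epoch, source IP, destination IP, destination port, bytes) and an assumed egress policy of "allow 53, 80 and 443 out, block everything inbound"; the sample log and the host addresses in it are constructed for the illustration.

```python
"""Second-layer check for the scenario in the thread: an implant on a
workstation calling home over an outbound port the firewall allows.

Added example, not code from the NANOG thread or its participants. It
assumes a constructed, simplified connection log with one line per new
outbound flow: '<epoch> <src_ip> <dst_ip> <dst_port> <bytes>'. Real
firewalls and NAT boxes log differently; adapt parse_flows() accordingly.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

# The "Maginot line": a perimeter policy that blocks inbound and lets a few
# outbound ports through. Assumed policy, not taken from the thread.
ALLOWED_EGRESS_PORTS = {53, 80, 443}

# Constructed sample log. 10.0.5.23 is Bob's workstation: ordinary browsing
# plus a trojan beaconing to 203.0.113.7:443 every 60 seconds. 10.0.5.40 is
# another desktop doing irregular, human-paced browsing on the same port.
SAMPLE_LOG = """\
1321452000 10.0.5.23 198.51.100.10 443 5123
1321452010 10.0.5.23 203.0.113.7 443 412
1321452037 10.0.5.40 198.51.100.22 443 23104
1321452070 10.0.5.23 203.0.113.7 443 418
1321452101 10.0.5.23 198.51.100.11 80 9020
1321452130 10.0.5.23 203.0.113.7 443 409
1321452144 10.0.5.40 198.51.100.22 443 1503
1321452190 10.0.5.23 203.0.113.7 443 415
1321452250 10.0.5.23 203.0.113.7 443 420
1321452301 10.0.5.40 198.51.100.30 443 77012
1321452310 10.0.5.23 203.0.113.7 443 411
"""


def parse_flows(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, nbytes = m.groups()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def policy_allows(flow):
    """What the perimeter firewall decides: port-based, nothing more."""
    return flow["port"] in ALLOWED_EGRESS_PORTS


def find_beacons(flows, min_count=5, max_cv=0.15):
    """Flag (src, dst, port) tuples whose connections recur on a near-fixed
    timer. Returns {key: (count, mean_interval, cv)}.

    cv is the coefficient of variation (stddev / mean) of the gaps between
    successive connections. A person clicking around produces high jitter;
    a sleep()-driven implant produces low jitter, even when it hides on 443.
    """
    stamps_by_key = defaultdict(list)
    for f in flows:
        stamps_by_key[(f["src"], f["dst"], f["port"])].append(f["ts"])

    hits = {}
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # burst of connections within one second; not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = (len(stamps), avg, cv)
    return hits


def report(text):
    """One line per beacon: the perimeter policy passed every one of its
    flows, yet the second layer still catches it."""
    flows = parse_flows(text)
    hits = find_beacons(flows)
    lines = []
    for (src, dst, port), (n, avg, cv) in hits.items():
        passed = all(policy_allows(f) for f in flows
                     if (f["src"], f["dst"], f["port"]) == (src, dst, port))
        lines.append(f"{src} -> {dst}:{port}  {n} flows, every ~{avg:.0f}s "
                     f"(cv={cv:.2f}); allowed by perimeter policy: {passed}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the constructed log, every flow passes the port-based policy, including all six of the trojan's check-ins, and only the timer-driven pair (10.0.5.23 to 203.0.113.7:443) is flagged. The thresholds (five connections, coefficient of variation at or below 0.15) are illustrative; real implants add jitter and real users have scheduled software updates, so in production this sits alongside proxy logs, DNS logs and host telemetry rather than replacing them.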