RE: Have they stopped teaching Defense in Depth?

["Jamie Bowden" <jamie () photon com>]

> -----Original Message-----
> From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
> Sent: Wednesday, November 16, 2011 9:02 AM
> To: Jay Ashworth
> Cc: NANOG
> Subject: Re: Have they stopped teaching Defense in Depth?
>
> On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:
> > ----- Original Message -----
> > > From: "Jimmy Hess" <mysidia () gmail com>
> >
> > > Or, the attack is against a legitimate user's outbound connection,
> for example:
> > > a user behind the firewall connects to a web site, a vulnerability
> > > in their browser is exploited
> > > to install a trojan -- the trojan tunnels to the attacker over an
> > > outgoing port that is allowed on the firewall.
> >
> > Oh, certainly; I have lots of web browsers running on my servers.
> >
> > All The World Is Not A Workstation, guys.
>
> Is there *anything* on the allegedly protected subnet that has a web
> browser
> running on it?  Maybe that laptop on the crash cart that you use for
> downloading firmware and installing it on storage appliances?  If it's
> a
> corporate-sized NAT, do you have any desktops that have network
> reachability to
> the servers (probably do - if the desktops can't reach the servers,
the
> servers
> aren't useful are they?) and also have web browsers that go to the
> outside
> world?
>
> I compromise an ad server someplace.  Bob over in Accounting visits
the
> CPA forum
> on the accountants-r-us.com website looking for suggestion on how to
> handle
> a tax issue.  I now have control of Bob's workstation, and the
question
> of whether
> your firewall does NAT or not just became totally moot.
>
> Defense in depth doesn't mean building a second Maginot Line behind
the
> first
> is a good idea - it means you *also* have a capable army that will
stop
> a
> German invasion coming in via Belgium.

That's absurd, no one could get an army across that terrain...

Jamie