nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: William Herrin <bill () herrin us>
Date: Fri, 18 Apr 2014 19:22:57 -0400

On Fri, Apr 18, 2014 at 7:06 PM, William Herrin <bill () herrin us> wrote:
On Fri, Apr 18, 2014 at 6:19 PM, Eugeniu Patrascu <eugen () imacandi net> wrote:
Defense in depth, to my knowledge - and feel free to correct me - is to have
defenses at every point in the network and at the host level to protect
against different attack vectors that are possible at those points.

And a heart attack is that you clutch your chest and fall over dead.
You describe what defense in depth looks like, not what it is.

Defense in depth is that you have a fence and a security guard and a
spotlight. And a locked door, an alarm system and a safe too. But you
don't just have the fence, the door and the safe, a single form of
protection at each point. That would be a shallow defense.

Put more succinctly: depth isn't where you place the defenses, it's
how many defenses times the quality of each defense that an adversary
has to slip past. If an adversary has to bypass three defenses, that's
more shallow than if he has to bypass the same three and three more.
Whether all six are at the perimeter or half are at the perimeter, two
are at the host and one is in the application is only indirectly
relevant to the depth of your defense.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

