Re: [fw-wiz] Defense in Depth to the Desktop

From: Chris Pugrud (
Date: 12/14/04

  • Next message: Chris Pugrud: "Re: [fw-wiz] Defense in Depth to the Desktop"
    To: Frederick M Avolio <>, "Paul D. Robertson" <>
    Date: Mon, 13 Dec 2004 15:40:17 -0800 (PST)


    Thank you, I really enjoyed your write up as well. There is a lack of
    perspective history in the industry, maybe it comes from people coming up too
    quickly in it, or people being constantly inundated with the same old cycle of
    s**t. It's probably been 8 or 9 years since I've read Bellovin's book. I
    bought the second edition, but have yet to find the time to read it.

    I probably quoted "eggshell" both because I knew it was not fully correct and
    to emphasize that I think that things have gotten worse, not better. It used to
    be that I had to hand roll firewalls for customers and they would complain
    about the minimal costs. Now they throw gobs of money at perimeter security
    and buzzword compliance but I can't get them to pay attention to making a
    reasonable attempt at locking down their internal systems.

    My latest quixotic quest is for bringing some of that well built perimeter
    protection hardware into the internal networks, so that the security of the
    internal organization is not solely reliant on application and operating system
    security controls. We need all of the above until we can find a reasonable way
    to define "allow good" and we can go back to a default deny policy.


    --- Frederick M Avolio <> wrote:

    > At 04:30 PM 12/13/2004 -0500, Paul D. Robertson wrote:
    > > > > > This is the classic "eggshell" weakness of network security, hard and
    > > > > > crunchy on the outside, soft and chewy on the inside. The Strong Internal
    > > > > > Network Defense
    > > > >
    > > > > I don't think I'd use eggshell to denote hard ;)
    > > > >
    > > > But I would. It's relatively hard compared to what's inside, but, as
    > > > you note ...
    > And this is all an example of the loss of historical data we experience in
    > network security. (I've ranted on it here:
    > Of course, it is not like an egg. It is like a candy bar that has a
    > "crunchy shell around a soft, chewy center" (Cheswick describing the Bell
    > Lab's network defense in "The Design of a Secure Internet Gateway."
    > Fred

    firewall-wizards mailing list
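The "allow good, default deny" policy Chris argues for in the message above, worked through as an added example that is not part of the thread or of any product it mentions. The zone names, prefixes, allowed flows and sample flow records are all constructed for illustration; the point is that every internal-to-internal flow is denied unless someone has written down why it is good.

```python
"""Added example (not from the thread): a default-deny "allow good" policy
evaluator for internal network segments. Zone names, prefixes, ports and the
sample flows are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed internal zones: each internal segment gets a name and a prefix.
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "management": ip_network("10.250.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int]  # None matches any destination port
    comment: str             # the business reason the flow is "good"


# The "allow good" list: only flows somebody can actually name and justify.
ALLOW_RULES: List[Rule] = [
    Rule("workstations", "servers", "tcp", 443, "intranet web apps over TLS"),
    Rule("workstations", "servers", "tcp", 445, "file shares on the server segment"),
    Rule("management", "servers", "tcp", 22, "admin SSH from the management net only"),
    Rule("management", "workstations", "tcp", 3389, "helpdesk RDP from management only"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its internal zone, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Return (verdict, reason). Anything not explicitly allowed is denied."""
    src_zone = zone_of(src_ip)
    dst_zone = zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("deny", "address outside any known internal zone")
    for rule in ALLOW_RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == proto.lower()
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return ("allow", rule.comment)
    # Default deny: no rule matched, so the flow is dropped and the reason logged.
    return ("deny", f"no allow rule for {src_zone}->{dst_zone} {proto}/{dst_port}")


def audit(flows):
    """Run flow records (src, dst, proto, dport) through the policy; return verdicts."""
    return [(flow, *evaluate(*flow)) for flow in flows]


# Constructed flow records, e.g. from a flow collector on the internal segments.
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.1.10", "tcp", 443),     # workstation -> server HTTPS: allowed
    ("10.10.4.7", "10.20.1.10", "tcp", 22),      # workstation -> server SSH: denied
    ("10.10.4.7", "10.10.9.3", "tcp", 445),      # workstation -> workstation SMB: denied
    ("10.250.0.5", "10.20.1.10", "tcp", 22),     # management -> server SSH: allowed
    ("192.168.77.1", "10.20.1.10", "tcp", 443),  # unknown source segment: denied
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow[0]:>14} -> {flow[1]:>12} {flow[2]}/{flow[3]:<5} {reason}")
```

Running the block prints one verdict per sample flow. The lateral workstation-to-workstation SMB flow and the workstation-to-server SSH flow are denied not because anyone wrote a block rule for them, but because nobody wrote an allow rule; that is the difference between a perimeter-style default deny applied internally and the "allow everything inside" model the thread is complaining about.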
