Re: [fw-wiz] Defense in Depth to the Desktop
From: Chris Pugrud (cpugrud_at_yahoo.com)
To: Frederick M Avolio <email@example.com>, "Paul D. Robertson" <firstname.lastname@example.org>
Date: Mon, 13 Dec 2004 15:40:17 -0800 (PST)
Thank you, I really enjoyed your write-up as well. There is a lack of
perspective history in the industry; maybe it comes from people coming up too
quickly in it, or people being constantly inundated with the same old cycle of
s**t. It's probably been 8 or 9 years since I've read Bellovin's book. I
bought the second edition, but have yet to find the time to read it.
I probably quoted "eggshell" both because I knew it was not fully correct and
to emphasize that I think that things have gotten worse, not better. It used to
be that I had to hand-roll firewalls for customers and they would complain
about the minimal costs. Now they throw gobs of money at perimeter security
and buzzword compliance, but I can't get them to pay attention to making a
reasonable attempt at locking down their internal systems.
My latest quixotic quest is to bring some of that well-built perimeter
protection hardware into the internal networks, so that the security of the
internal organization is not solely reliant on application and operating system
security controls. We need all of the above until we can find a reasonable way
to define "allow good" and we can go back to a default deny policy.
--- Frederick M Avolio <email@example.com> wrote:
> At 04:30 PM 12/13/2004 -0500, Paul D. Robertson wrote:
> > > > > This is the classic "eggshell" weakness of network security, hard and
> > > > > crunchy on the outside, soft and chewy on the inside. The Strong
> > > > > Internal Network Defense
> > > >
> > > > I don't think I'd use eggshell to denote hard ;)
> > > >
> > > But I would. It's relatively hard compared to what's inside, but, as
> > > you note ...
> And this is all an example of the loss of historical data we experience in
> network security. (I've ranted on it here:
> Of course, it is not like an egg. It is like a candy bar that has a
> "crunchy shell around a soft, chewy center" (Cheswick describing the Bell
> Lab's network defense in "The Design of a Secure Internet Gateway."
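The "allow good, default deny" idea from the message above, worked through as an added example that is not part of the post or the firewall-wizards list: a small first-match policy evaluator models an internal segmentation firewall and compares the same rule list under a default-deny and a default-allow policy. The segments (10.1.0.0/16 workstations, 10.2.0.0/24 application servers, 10.3.0.0/24 databases), the rules and the sample flows are all constructed for illustration, and `is_default_deny` is a hypothetical audit check for the policy as a whole.

```python
"""Default-deny vs default-allow for an internal segmentation policy.

Added example, not from the mailing-list post. The network segments,
rules and sample flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = ANY               # source CIDR
    dst: str = ANY               # destination CIDR
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


# Constructed internal segments.
WORKSTATIONS = "10.1.0.0/16"
APP_SERVERS = "10.2.0.0/24"
DATABASES = "10.3.0.0/24"

# "Allow good": only the flows the business actually needs are listed.
# The explicit deny at the end only matters under a default-allow policy;
# under default deny it is already covered by the fall-through.
INTERNAL_RULES = [
    Rule("allow", WORKSTATIONS, APP_SERVERS, "tcp", 443, "users to web apps"),
    Rule("allow", APP_SERVERS, DATABASES, "tcp", 5432, "apps to postgres"),
    Rule("deny", WORKSTATIONS, WORKSTATIONS, "tcp", 445, "no workstation-to-workstation SMB"),
]


def evaluate(rules: List[Rule], default: str, flow: Flow) -> Tuple[str, Optional[Rule]]:
    """First-match evaluation: returns (action, matching rule or None for the default)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule
    return default, None


def is_default_deny(rules: List[Rule], default: str) -> bool:
    """Hypothetical audit check: nothing falls through to an allow, i.e. the
    default is deny and no catch-all allow (any src, dst, proto, port) exists."""
    catch_all_allow = any(
        r.action == "allow" and r.src == ANY and r.dst == ANY
        and r.proto == "any" and r.dport is None
        for r in rules
    )
    return default == "deny" and not catch_all_allow


def permitted_flows(rules: List[Rule], default: str, flows: List[Flow]) -> List[Flow]:
    """The sample flows a policy lets through, so the two defaults can be compared."""
    return [f for f in flows if evaluate(rules, default, f)[0] == "allow"]


# Constructed sample traffic: two expected flows and two that no rule describes.
SAMPLE_FLOWS = [
    Flow("10.1.4.20", "10.2.0.10", "tcp", 443),   # user browsing an internal app
    Flow("10.2.0.10", "10.3.0.5", "tcp", 5432),   # app server talking to its database
    Flow("10.1.4.20", "10.3.0.5", "tcp", 5432),   # workstation straight to the database
    Flow("10.1.4.20", "10.1.4.21", "tcp", 3389),  # workstation to workstation RDP
]

if __name__ == "__main__":
    for default in ("allow", "deny"):
        passed = permitted_flows(INTERNAL_RULES, default, SAMPLE_FLOWS)
        print(f"default {default}: {len(passed)} of {len(SAMPLE_FLOWS)} sample flows permitted")
```

Under default deny the two undescribed flows are dropped without anyone having to anticipate them; under default allow they pass, and the policy only blocks what someone thought to enumerate (here, SMB between workstations, while RDP between the same hosts is never mentioned and so goes through).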
firewall-wizards mailing list