Re: [fw-wiz] SCADA

On Tue, Apr 14, 2009 at 6:49 PM, Marcus J. Ranum <mjr@xxxxxxxxx> wrote:
> Paul D. Robertson wrote:
>
>> The other side of the coin is that adding layers adds complexity and code-
>> and adding code adds bugs- so you don't *always* get a net security gain by
>> adding "protection."
>
> You raise a problem that I've spent too much time pondering. In effect,
> it refutes the "conventional wisdom" of computer security. Which goes
> as follows:
> Item #1 - Defense in depth is good
> Item #2 - Complexity is the enemy of security
>
> If #2 is true, #1 can't be, because defense in depth adds complexity.


Perhaps a more nuanced discussion on the nature of complexity is in
order. If I perform 5 simple but very beneficial (security-wise) things
to achieve better defense in depth, how much complexity have I really
added compared to implementing 5 very intricate things?

There will always be a set of tradeoffs to consider. Where one ends up
depends very much on where one thinks one is going.
firewall-wizards mailing list
