Re: [fw-wiz] SCADA

On Tue, 14 Apr 2009, Marcus J. Ranum wrote:

> Paul D. Robertson wrote:
>> The other side of the coin is that adding layers adds complexity and code, and adding code adds bugs, so you don't *always* get a net security gain by adding "protection."
>
> You raise a problem that I've spent too much time pondering. In effect,
> it refutes the "conventional wisdom" of computer security. Which goes
> as follows:
> Item #1 - Defense in depth is good
> Item #2 - Complexity is the enemy of security
>
> If #2 is true, #1 can't be, because defense in depth adds complexity.


Add multiple simple layers rather than trying to do everything in one very complex system.

With the traditional firewall architecture you add complexity in your network to make the firewalls choke points, and apply fairly simple controls there rather than trying to implement the same protection on a per-host basis.

Or, putting it another way: if each component is simple enough to be easily understood (and checked), then you have a hope of understanding (and checking) sets of components.

But if a single component's configuration and capabilities get to the point where it is too complex to be understood or checked, you have no hope of understanding or checking your network as a whole.

Defining when a component has become "too complex" is a subjective thing, as is determining when the arrangement of those components has become too complex. Different people will make different trade-offs.

David Lang
firewall-wizards mailing list
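As an added illustration of the "simple enough to be checked" point above (this is example code written for this page, not something posted in the thread), the following models a choke-point policy with first-match semantics and a default drop, and then checks it exhaustively against a couple of invariants. The zone names (corp, dmz, hist, ctrl), the ports and every rule are assumed for the sake of the example; the model is stateless and ignores connection tracking. The exhaustive check is feasible precisely because the ruleset at the choke point is tiny: a rule that matches on port equality cannot tell two unnamed ports apart, so checking every named port plus one representative of "any other port" covers all 65535.

```python
# Added example, not from the firewall-wizards thread. Zones, ports and
# rules below are constructed for illustration.
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Assumed network zones: corporate LAN, DMZ, historian segment, control network.
ZONES = ("corp", "dmz", "hist", "ctrl")
PROTOS = ("tcp", "udp")


@dataclass(frozen=True)
class Rule:
    src: str              # source zone or "any"
    dst: str              # destination zone or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port
    action: str           # "accept" or "drop"

    def matches(self, src, dst, proto, dport):
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def decide(policy, src, dst, proto, dport):
    """First-match-wins evaluation with an implicit default drop."""
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "drop"


def port_classes(policy):
    """Ports the policy can actually distinguish: every port named in a rule,
    plus one representative of 'any other port'. Equality matches treat all
    unnamed ports identically, so these classes cover the whole port range."""
    named = {r.dport for r in policy if r.dport is not None}
    other = next(p for p in range(1, 65536) if p not in named)
    return sorted(named) + [other]


def check(policy, invariants):
    """Enumerate every distinguishable flow between distinct zones and return
    each (invariant name, flow) pair the policy violates."""
    violations = []
    for src, dst, proto, dport in product(ZONES, ZONES, PROTOS, port_classes(policy)):
        if src == dst:
            continue
        verdict = decide(policy, src, dst, proto, dport)
        for name, holds in invariants:
            if not holds(src, dst, proto, dport, verdict):
                violations.append((name, (src, dst, proto, dport, verdict)))
    return violations


# Constructed choke-point policy: corp reaches the DMZ web tier, the DMZ
# reaches the historian's database, the historian polls the control network.
GOOD_POLICY = [
    Rule("corp", "dmz", "tcp", 443, "accept"),
    Rule("dmz", "hist", "tcp", 5432, "accept"),
    Rule("hist", "ctrl", "tcp", 502, "accept"),
]

# The same policy after a "convenience" rule is appended, the kind of change
# that slips through once a ruleset is too big to read in one sitting.
BAD_POLICY = GOOD_POLICY + [Rule("any", "any", "tcp", 22, "accept")]

# Invariants a reviewer wants to hold regardless of how the rules are written.
INVARIANTS = [
    ("corp never reaches ctrl",
     lambda s, d, p, port, v: not (s == "corp" and d == "ctrl" and v == "accept")),
    ("only hist may reach ctrl, and only on tcp/502",
     lambda s, d, p, port, v: d != "ctrl" or v == "drop"
                              or (s == "hist" and p == "tcp" and port == 502)),
]

if __name__ == "__main__":
    print("good policy violations:", check(GOOD_POLICY, INVARIANTS))
    for name, flow in check(BAD_POLICY, INVARIANTS):
        print("VIOLATION:", name, flow)
```

Running it reports no violations for the three-rule policy and four for the policy with the appended ssh rule (one flow breaking the first invariant, three breaking the second). The same exhaustive check stays cheap as long as each choke point's ruleset stays small; once rules start matching on many more attributes, the number of distinguishable flows grows multiplicatively, which is one concrete reading of "too complex to be checked".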
