Saturday, September 11, 2004


Maybe it's because I'm at the end of a very long week, I'm on a
one-month contract, or I'm just in a mood. In any case, this is another
one of my oversensitive vents. You won't miss anything if you skip this

Call us old school, but many of us distrust the
current market move away from "defense in depth". Symantec's Barry Cioe
(Senior Director of Product Management) has an article over on eBCVG about the move towards "local"

You can skip most of the article, it's more or less a
justification to buy the new all-in-one products on the market today.
What I'm venting about is Mr. Cioe's opening

A decade ago,
Internet security pioneer Bill Cheswick proposed a network security
model that he famously characterized as a "crunchy shell around a soft,
chewy center." Today, as more and more "outsiders" - remote users,
business partners, customers, contractors - require access to corporate
networks, enterprises are finding the idea of a "soft center" obsolete,
if not downright dangerous.

From reading that,
you get the idea that Mr. Cheswick's ideas are now old, outmoded, and
dangerous. If you've ever read Mr. Cheswick's papers or listened to him
talk, you'd know that Mr. Cioe is in error. Bill Cheswick's original
use of the phrase is available here in this
. (You'll need a Postscript viewer.)

He used the phrase
initially (1990) to describe AT&T's network at the time of the (Morris)
Internet worm:

All of ARPA's
protection has, by design, left the internal AT&T machines untested - a
sort of crunchy shell around a soft, chewy center.

Obviously, it's not a security model
that he was proposing. Rather, he used it to describe an existing
condition and as a justification for hardening the system that your
security software runs on.

This kind of thing irks me to no end. It's
right up there on my list of annoyances (no, there's not an actual list)
with the mainstream press's assumption that "may you live in interesting
times", in Chinese, is a compliment. (Hint: it's not. It's a

I'll shut up now. Apologies to Bill Cheswick.
