Tuesday, February 6, 2007


I guess the security industry is no better than the clothing industry when it comes to fashion (what's in and/or what's out). Those of us that ran *nix-based firewalls, back when Microsoft firewalls were just emerging, were told that we were aging morons when we said there was an advantage in running diverse systems in your boundaries (e.g., if your user population used Windows, run Sun-based firewalls). All of a sudden, 15 years later, we get "Defense in Depth is Dead! Long live Defense in Diversity!"

[*sigh*] For Tim Keanini's sake, let's turn the clock back a few years and look at some of the other paradigms that passed by on the carousel (and are likely to come around again on the fashion wheel):

  • Use defense in depth. Use a variety of known tools to provide a layered protection where the weakness in one tool is protected by a strength in another tool (e.g., a virus scanner in conjunction with a firewall).
  • Use diversity. Using a Sun or BSDi-based firewall to protect your Windows-based network will prevent your boundary systems from being infected by the user who manages to bring something in on his laptop.
  • Trust but verify. Scan/examine everything before it gets plugged into your network.
  • It's not "if" but "when". Attackers' techniques are not static. Network security will always lag behind the ability to compromise.
  • Responsible disclosure. I have no comment other than we've come full circle on the argument set and seem to be going around for another orbit.
  • Intrusion detection is dead, long live intrusion prevention. We've all learned that each has its best use in specific situations.
  • Deep packet inspection is just as good as application proxying. Yeah, right. Again, it depends on what you're trying to do and what you're trying to protect against.

To the rest of you old farts out there: what've I missed?
