On Thu, Jan 05, 2012 at 10:22:55AM -0500, Rich Kulawiec wrote:
> On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote:
> > Cramming every little feature under the sun into one appliance makes for
> > great glossy brochures and Powerpoint decks, but I just don't think it's
> > practical.
>
> 1. It's an excellent way to create a single point-of-failure.
>
> 2. I prefer, when building defense-in-depth, to build the layers with different
> technology running on different operating systems on different architectures.
> There's no doubt this adds some complexity and that it requires judicious
> design to be scalable, maintainable, and so on. But it raises the bar
> for attackers considerably, and it gives defenders a fighting chance of
> discovering a breach in one layer before it becomes a breach in all layers.
>
> 3. One of the mistakes we all continue to make, whether we have our
> paws on integrated appliances or separate systems, is default-permit.
> We really need to make sure that the syntactic equivalent of "deny
> all from any to any" is the first rule installed in any of these,
> and then work from there.
>
> p.s. In re Powerpoint, I've long held that the appropriate response to
> "I have a PowerPoint presentation..." is for everyone else in the room
> to find a strong rope and a sturdy tree, and do what must be done for
> the sake of humanity.
"Power corrupts. PowerPoint corrupts absolutely."

As regards avoidance of SPOFs, I also prefer multiple layers in different
technologies &c. A monoculture is horribly vulnerable. I grant that network
hardware isn't exactly Ireland just before the potato famine, but the
parallels are there and applicable in at least some senses.

--
Mike Andrews, W5EGO
[email protected]
Tired old sysadmin
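The point 3 in the quoted message (default-permit versus "deny all from any to any" as the base) is easy to state and easy to get wrong in practice, so here is a small first-match policy evaluator that shows the difference on a handful of flows. This is an added illustration, not code from either poster or from any particular firewall product; the addresses, services and rule lists are constructed for the example. Because rules are evaluated first-match, the "deny all" is modelled as the base policy that applies when nothing above it matches, with the explicit allows sitting above it.

```python
"""Default-permit vs default-deny, first-match evaluation.

Added illustration for the thread above; all hosts, networks and flows
below are constructed sample data, not real infrastructure.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR, host address, or "any"
    dst: str              # CIDR, host address, or "any"
    dport: Optional[int]  # None matches any destination port


def _net(spec: str):
    """Turn "any", a CIDR, or a bare host address into an ip_network."""
    return ip_network("0.0.0.0/0" if spec == "any" else spec)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    src, dst, dport = flow
    return (ip_address(src) in _net(rule.src)
            and ip_address(dst) in _net(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], base_policy: str, flow: Flow) -> str:
    """First matching rule wins; base_policy applies when nothing matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return base_policy


# Constructed sample environment: one web server, one management network.
WEB = "203.0.113.10"
MGMT_NET = "10.0.0.0/24"

# Default-permit style: block the services you thought of, pass everything else.
DEFAULT_PERMIT_RULES = [
    Rule("deny", "any", WEB, 23),    # telnet
    Rule("deny", "any", WEB, 3389),  # RDP
]

# Default-deny style: base policy is "deny all from any to any";
# only the flows that are actually needed are opened above it.
DEFAULT_DENY_RULES = [
    Rule("allow", "any", WEB, 443),      # public HTTPS
    Rule("allow", MGMT_NET, WEB, 22),    # SSH from the management network only
]

SAMPLE_FLOWS: List[Flow] = [
    ("198.51.100.7", WEB, 443),   # public HTTPS
    ("10.0.0.5", WEB, 22),        # SSH from management net
    ("198.51.100.7", WEB, 22),    # SSH from the Internet
    ("198.51.100.7", WEB, 8443),  # appliance admin UI nobody listed
    ("198.51.100.7", WEB, 23),    # telnet
]


def verdicts(rules: List[Rule], base_policy: str, flows: List[Flow]) -> Dict[Flow, str]:
    return {flow: evaluate(rules, base_policy, flow) for flow in flows}


def exposed_by_default_permit(flows: List[Flow]) -> List[Flow]:
    """Flows that pass under default-permit but are stopped under default-deny."""
    permit = verdicts(DEFAULT_PERMIT_RULES, "allow", flows)
    deny = verdicts(DEFAULT_DENY_RULES, "deny", flows)
    return [f for f in flows if permit[f] == "allow" and deny[f] == "deny"]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow,
              "default-permit:", evaluate(DEFAULT_PERMIT_RULES, "allow", flow),
              "default-deny:", evaluate(DEFAULT_DENY_RULES, "deny", flow))
    print("reachable only because the base policy is permit:",
          exposed_by_default_permit(SAMPLE_FLOWS))
```

The flows worth looking at are the two the default-permit list never mentions: SSH from the Internet and the admin UI on 8443. Under default-permit both go through because nobody wrote a rule for them; under default-deny both are dropped for exactly the same reason. That is the whole argument for installing the deny-all base first and working from there.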

