-----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Wednesday, November 16, 2011 9:02 AM To: Jay Ashworth Cc: NANOG Subject: Re: Have they stopped teaching Defense in Depth?
On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:
----- Original Message -----
From: "Jimmy Hess" <mysidia@gmail.com>
Or, the attack is against a legitimate user's outbound connection, for example: a user behind the firewall connects to a web site, a vulnerability in their browser is exploited to install a trojan -- the trojan tunnels to the attacker over an outgoing port that is allowed on the firewall.
Oh, certainly; I have lots of web browsers running on my servers.
All The World Is Not A Workstation, guys.
Is there *anything* on the allegedly protected subnet that has a web browser running on it? Maybe that laptop on the crash cart that you use for downloading firmware and installing it on storage appliances? If it's a corporate-sized NAT, do you have any desktops that have network reachability to the servers (probably do - if the desktops can't reach the servers,
servers aren't useful are they?) and also have web browsers that go to the outside world?
I compromise an ad server someplace. Bob over in Accounting visits
CPA forum on the accountants-r-us.com website looking for suggestion on how to handle a tax issue. I now have control of Bob's workstation, and the question of whether your firewall does NAT or not just became totally moot.
Defense in depth doesn't mean building a second Maginot Line behind
the the the
first is a good idea - it means you *also* have a capable army that will stop a German invasion coming in via Belgium.
That's absurd, no one could get an army across that terrain... Jamie