On Fri, Apr 18, 2014 at 7:06 PM, William Herrin <bill@herrin.us> wrote:
On Fri, Apr 18, 2014 at 6:19 PM, Eugeniu Patrascu <eugen@imacandi.net> wrote:
Defense in depth, to my knowledge - and feel free to correct me - is to have defenses at every point in the network and at the host level to protect against different attack vectors that are possible at those points.
And a heart attack is that you clutch your chest and fall over dead. You describe what defense in depth looks like, not what it is.
Defense in depth is that you have a fence and a security guard and a spotlight. And a locked door, an alarm system and a safe too. But you don't just have the fence, the door and the safe, a single form of protection at each point. That would be a shallow defense.
Put more succinctly: depth isn't where you place the defenses, it's how many defenses times the quality of each defense that an adversary has to slip past. If an adversary has to bypass three defenses, that's more shallow than if he has to bypass the same three and three more. Whether all six are at the perimeter, or half are at the perimeter, two are at the host and one is in the application, is only indirectly relevant to the depth of your defense.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004