Oh, just the opposite of what you're claiming. Did you even read the article about the BeyondCorp project? It is 100% about thinking very hard about trust and making sure that the trust model used doesn't depend on the concept of internal/external network.
Also, the type of thinking where two or more machines are connected directly or are on their own separate network is what lands you in a situation like BACnet. Now you have a pentester with a vampire tap in the basement lobby sniffing your unencrypted traffic on your "trusted" BACnet.

On Wed, Nov 11, 2015 at 6:47 PM, Leif Pedersen <bi...@hobbiton.org> wrote:

> On Wed, Nov 11, 2015 at 4:29 PM, Robert Simmons <rsimmo...@gmail.com> wrote:
>
>> I don't think there is such a thing as a trusted network. That is a unicorn these days.
>>
>> No networks should be considered trusted.
>
> Oh, baloney. That's just a clever way to say you want to stop thinking about trust.
>
> If I've connected two machines directly, that network is more trustworthy than any encryption. This is not rare, but typical for system recovery, which is where nc and ssh with the none cipher are highly useful.
>
> It's also not a bridge too far to claim a network is trusted when it has 1000 computers on a special-purpose processing network with access only allowed by the admins that built it, and perhaps an API. In those networks, the nodes work together like storage and CPUs work together in a single computer. The only difference is that SATA disks and x86 CPUs are replaced by general-purpose computers running Cassandra and Nginx, connected by ethernet, so that you can connect thousands together instead of dozens. Do you always insist on encryption on your SATA cables and memory buses?
>
> That sort of special-purpose network is not rare either; rather it's typical for internet services where the load is beyond what a single machine can handle, or clusters that run models that are too large for a single machine.
>
> Trustworthy networks do exist. They just aren't the same networks as 20 years ago.
>
> --
>
> As implied by email protocols, the information in this message is not confidential. Any middle-man or recipient may inspect, modify, copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. As the sender, I acknowledge that I have a lower expectation of the control and privacy of this message than I would a post-card. Further, nothing in this message is legally binding without cryptographic evidence of its integrity.
>
> http://bilbo.hobbiton.org/wiki/Eat_My_Sig

_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
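To make the BACnet point in the message above concrete: here is an added example (not code from the thread or from any BACnet project) that decodes two constructed BACnet/IP frames exactly as a passive tap on the building-automation segment would see them. BACnet/IP (ASHRAE 135 Annex J) carries its BVLC, NPDU and APDU headers in the clear with no encryption or authentication, so a sniffer learns who is discovering devices, which device and property are being read, and with which invoke ID, without any key material. The two frames, the object-type and property tables, and the function names are assumptions made for this illustration; only a small subset of the protocol is decoded.

```python
"""Decode BACnet/IP frames the way a passive sniffer sees them (added example)."""
import struct

# Constructed sample payloads (not captured traffic): the UDP/47808 bytes of a
# global Who-Is broadcast and a ReadProperty(device,1 / object-name) request.
WHO_IS_BROADCAST = bytes.fromhex("810b000c0120ffff00ff1008")
READ_PROPERTY_REQ = bytes.fromhex("810a001101040005010c0c02000001194d")

BVLC_FUNCTIONS = {0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}
APDU_TYPES = {0: "Confirmed-Request", 1: "Unconfirmed-Request",
              2: "Simple-ACK", 3: "Complex-ACK"}
UNCONFIRMED_SERVICES = {0x00: "I-Am", 0x08: "Who-Is"}
CONFIRMED_SERVICES = {0x0C: "ReadProperty", 0x0F: "WriteProperty"}
OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 8: "device"}  # subset
PROPERTIES = {77: "object-name", 85: "present-value"}                # subset


def _decode_property_ref(data: bytes) -> dict:
    """Decode the context-tagged object identifier (tag 0) and property
    identifier (tag 1) that open ReadProperty / WriteProperty requests."""
    out, pos = {}, 0
    while pos < len(data):
        tag = data[pos]
        tag_number, is_context, length = tag >> 4, bool(tag & 0x08), tag & 0x07
        pos += 1
        # 5 = extended length, 6/7 = opening/closing tag: not handled here.
        if not is_context or length >= 5 or length > len(data) - pos:
            break
        value = int.from_bytes(data[pos:pos + length], "big")
        pos += length
        if tag_number == 0:  # object identifier: 10-bit type, 22-bit instance
            obj_type, instance = value >> 22, value & 0x3FFFFF
            out["object"] = f"{OBJECT_TYPES.get(obj_type, obj_type)},{instance}"
        elif tag_number == 1:
            out["property"] = PROPERTIES.get(value, str(value))
        else:
            break
    return out


def decode_bacnet_ip(frame: bytes) -> dict:
    """Return the plaintext facts a sniffer recovers from one BACnet/IP frame."""
    if len(frame) < 6 or frame[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC) frame")
    function, length = frame[1], struct.unpack("!H", frame[2:4])[0]
    if length != len(frame):
        raise ValueError("BVLC length does not match frame length")
    npdu = frame[4:]
    if npdu[0] != 0x01:
        raise ValueError("unsupported NPDU version")
    control, pos = npdu[1], 2
    info = {"bvlc": BVLC_FUNCTIONS.get(function, hex(function))}
    if control & 0x20:  # destination network present: DNET, DLEN, DADR
        dnet, dlen = struct.unpack("!HB", npdu[pos:pos + 3])
        pos += 3 + dlen
        info["dnet"] = dnet
    if control & 0x08:  # source network present: SNET, SLEN, SADR
        snet, slen = struct.unpack("!HB", npdu[pos:pos + 3])
        pos += 3 + slen
        info["snet"] = snet
    if control & 0x20:
        pos += 1  # hop count follows the optional source address
    apdu = npdu[pos:]
    pdu_type = apdu[0] >> 4
    info["apdu"] = APDU_TYPES.get(pdu_type, str(pdu_type))
    if pdu_type == 1:  # Unconfirmed-Request: service choice is byte 1
        info["service"] = UNCONFIRMED_SERVICES.get(apdu[1], hex(apdu[1]))
    elif pdu_type == 0:  # Confirmed-Request: max-APDU, invoke ID, service
        info["invoke_id"] = apdu[2]
        info["service"] = CONFIRMED_SERVICES.get(apdu[3], hex(apdu[3]))
        info.update(_decode_property_ref(apdu[4:]))
    return info


def sniff(frames) -> list:
    """Decode every frame a tap handed us; nothing here needed a secret."""
    return [decode_bacnet_ip(f) for f in frames]


if __name__ == "__main__":
    for decoded in sniff([WHO_IS_BROADCAST, READ_PROPERTY_REQ]):
        print(decoded)
```

Run it and both frames decode completely: the first is a broadcast Who-Is to DNET 0xFFFF, the second a ReadProperty of object-name on device,1 with invoke ID 1. A WriteProperty carrying a setpoint would be just as readable, and just as forgeable, which is the whole problem with calling that segment "trusted".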