> -----Original Message-----
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> Sent: Wednesday, November 16, 2011 9:02 AM
> To: Jay Ashworth
> Cc: NANOG
> Subject: Re: Have they stopped teaching Defense in Depth?
>
> On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:
> > ----- Original Message -----
> > > From: "Jimmy Hess" <mysi...@gmail.com>
> >
> > > Or, the attack is against a legitimate user's outbound connection, for example:
> > > a user behind the firewall connects to a web site, a vulnerability in their
> > > browser is exploited to install a trojan -- the trojan tunnels to the attacker
> > > over an outgoing port that is allowed on the firewall.
> >
> > Oh, certainly; I have lots of web browsers running on my servers.
> >
> > All The World Is Not A Workstation, guys.
>
> Is there *anything* on the allegedly protected subnet that has a web browser
> running on it? Maybe that laptop on the crash cart that you use for downloading
> firmware and installing it on storage appliances? If it's a corporate-sized NAT,
> do you have any desktops that have network reachability to the servers (probably
> do - if the desktops can't reach the servers, the servers aren't useful, are they?)
> and also have web browsers that go to the outside world?
>
> I compromise an ad server someplace. Bob over in Accounting visits the CPA forum
> on the accountants-r-us.com website looking for suggestions on how to handle a
> tax issue. I now have control of Bob's workstation, and the question of whether
> your firewall does NAT or not just became totally moot.
>
> Defense in depth doesn't mean building a second Maginot Line behind the first
> is a good idea - it means you *also* have a capable army that will stop a
> German invasion coming in via Belgium.

That's absurd, no one could get an army across that terrain...

Jamie