Comments on TaoSecurity Blog: Mesh vs Chain
Comment feed for the post by Richard Bejtlich (feed last updated 2023-10-16)

Anonymous, 2007-03-30 12:55 (-04:00)

The thing about history is that it never ends, does it?

There are always new chapters being added.

To say that, based on a history of past failures, no one will ever succeed is a bit fatalistic. All that says is that the odds against success appear too high. Maybe the right guy, smart enough to succeed, just has not come along yet.

Richard Bejtlich, 2007-03-30 08:36 (-04:00)

History.

H. Carvey, 2007-03-30 08:02 (-04:00)

Thomas,

Good point. This is along the same lines as the statement that "prevention eventually fails"... if something isn't done properly and no effort is made to implement something correctly, then how can one claim that it doesn't work?

Unknown, 2007-03-29 18:53 (-04:00)

Thomas has it mostly right. The other examples make my head hurt because they're non-sequiturs.

I tried to clear this up in another post (http://rdist.root.org/2007/03/29/chain-defense-in-depth-and-mesh-models-again/). Hope it helps.

Thomas Ptacek, 2007-03-29 16:42 (-04:00)

He's not saying "defense in depth" is the same as a chain. It is worth noting, though, that "defense in depth" designs in network and systems security so commonly devolve to "chain" designs that "defense in depth" has been largely discredited.

Mesh design is definitely not the same as "defense in depth"; the concepts are orthogonal. A "defense in depth" design for game state protection in an MMORPG could employ both serverside and clientside checks; that's depth. The clientside defenses could integrate crypto primitives, timing, and environmental probes; that's mesh.

Anonymous, 2007-03-29 10:46 (-04:00)

"A City Is Not a Tree" (http://www.rudi.net/pages/8755?PHPSESSID=c48b42c5fb5a7848392351f376aec93b), Christopher Alexander, originally published in the 1960s, reprinted many times since then.
Worth a read; it's a short essay on design systems as applied to urban development, and I'd say it's one of my favorite expressions of this kind of thinking.

H. Carvey, 2007-03-29 07:12 (-04:00)

"Defense-in-depth comes from military history where a defender would build a series of positions and then fall back each time the enemy advanced forward through the first positions."

This is an overly simplistic definition of "defense-in-depth". There are other components included, such as the use of terrain and obstacles to channelize the enemy's approach, bottleneck them, and slow them down. There is also the initial use of longer-range, more lethal weaponry to get the approaching enemy to button up, as well as to whittle down their forces.

In a network sense, the "defense in depth" implementation is more than just "A chain implies a long sequence of independent checks, each assuming or relying on the results of the others". For example, on an ingress point into the network, if there is a router followed by a firewall, and then followed by an IDS, I would mirror the rulesets on each. That way, I knew I had an issue if the firewall started picking up port 139 on the external interface, as that would mean that the corresponding rule on the router had failed, or I had another issue. I would then have to escalate if the IDS started picking up port 139 traffic coming from the firewall, as that meant that both the router and the firewall rulesets had failed or been compromised somehow.

Harlan

jbmoore, 2007-03-28 22:19 (-04:00)

Wouldn't a mesh defense be an all-or-nothing proposition? It succeeds or fails based on the whole design. Therefore, if there is a design assumption made that isn't valid and that's exploitable, you could lose everything. I'm reminded of John Walker the spy. He and family members obtained most of the crypto keys and codes the Navy used for 10 or more years. The Russians needed the hardware, though, because just the keys and codes by themselves were useless. They had the North Koreans seize the U.S.S. Pueblo to obtain the hardware part of the cryptographic equations. Game over, and certain key US Naval communications were compromised for 10-15 years. Same thing with the Germans' Enigma systems during WWII, though some Gestapo codes were never cracked. You might need some sort of hybrid defense-in-depth/mesh architecture to really succeed.