From: Ray Parks (rcparks@sandia.gov)
Date: Thu May 09 2002 - 15:47:35 EDT
"f.harster" wrote:
>
> Rhino Bond wrote:
...
> >
> >Any thoughts on this? Anyone seen a white paper on
> >such a set of rules?
> >
> David,
>
> actually this reminds me of the "Defense-in-Depth" concept applied to
> network/system security, but i may be wrong ;)
> have a look at this one in the meantime :
> http://rr.sans.org/start/primer.php
Just remember this aphorism - Depth without Breadth is useless.
We engaged in a series of experiments within the DARPA IA program in
which we proved that Defense in Depth is an over-rated concept. Layered
defenses can actually be weaker than single defenses because
administrators/developers think that another layer is providing the defense
they are ignoring. The results of these experiments were recorded in a
paper, unfortunately I don't have a cite at this time.
Bottom line - we were able to get through layers of defense in depth
because we could attack each layer in a different way. This allowed
attacks to woogle through to the goal despite multiple layers of defense.
-- Ray Parks rcparks@sandia.gov V:505-844-4024 F:505-844-9641 P:800-690-5288
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:28:08 EDT