Someone stated previously something like "most security breakins
are caused by people attacking networks from within." Now, there's a
statement that could use some backup information, huh? I'd be
interested in the statistics and data from whence that comment came.

> Wow, this should provoke a discussion other than stupid "hacker list" or "root".
> I have seen the model of "hard surface, gooey interior" explicitly advocated.
> I suspect reliance on this model, rather than laziness, is the cause.

John, I don't think you've seen it "advocated" as much as you've seen
it "accepted." You are (nearly) quoting Bill Cheswick, but many share
the view. The view, though, is -- I believe -- not that a "hard shell
around a soft, chewy center" is *good* but that it is nearly
impossible to enforce any other model in a large organization and, so,
is a good *assumption* to make. In that way you don't end up relying
on host based security.

I recently, in a talk, made the somewhat obvious observation (it's a
gift :-)) that "firewalls are not enough" and that firewalls as *one*
of the methods and mechanisms for security perimeter enforcement are
good, but should come after 1) a security policy, 2) business needs
analysis, and 3) a risk analysis. Most people nowadays jump right
to a firewall without thinking about the other 3 steps (or other
methods and mechanisms).

So, I agree with the original poster of this stream, but would not
mind knowing where he got the idea that most security problems are
from within and I wanted to softly disagree with John about the hard
shell and soft center.