On Thu, Dec 3, 2020 at 3:06 PM Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:
> On 12/3/20 1:54 PM, Christian Huitema wrote:
>>
>> I understand why you say that. Machines behind a NAT or a stateful
>> firewall cannot be remotely probed for low level vulnerabilities, so
>> you do get some reduction of the attack surface. My contention is that
>> this reduction is far from being sufficient, because attackers have
>> found many ways to project themselves through NATs or firewalls. If
>> you allow for unsafe practices because the machines are behind a NAT
>> or a firewall, these unsafe practices will result in catastrophic
>> cascades of failures after a single breach happens.
>
> +1
>
> For that matter not even "air gapped" networks are really safe. There's
> almost always some laptop or other that occasionally connects to such
> networks, and malware can creep in that way.
There are viable controls but they are very expensive. At VeriSign we constructed a tier 6 SOC and kept the machines that perform offline operations in a very pricey safe along with the HSMs (see the CPS which documents all of that).
Firewalls are an effective means of mitigating risk. They do not eliminate risk. They don't come close.
Perimeter security is useful but incomplete. A starting point for any security analysis has to be 'what stuff do I have control over and what stuff do I have no control over'. But perimeter security has been declining in effectiveness for decades now. It is the 1980s level car alarm that every thief has learned how to disable.
To go further, we have to start looking at security policy and we have to look at separation of roles. And right now the research community focused on that approach is tiny. We are starting to get some traction with threshold cryptography, which is the only technology that provides a real hope of protecting data at rest, whether in the cloud or elsewhere.
Suggest doing security policy and people start bleating that it is hard.
Well if it was easy we would be doing it already.