It's Worse Than You Can Understand
2011-06-19
Posted by: Uncle Phester
#1 Trying to standardize things is actually pretty bad from a security standpoint. You want different groups to use different policies and you want them to have different equipment, too. An attack that works against Cisco might not work against Brocade, Force 10, or Extreme. Same with the operating systems of the servers involved. You want a mix of different operating systems so that they don't all share the same fate when they find themselves under attack. Consolidation sounds like a great idea to a control freak who wants to make sure everything is just so, but the best security is for things to be quite separate little security domains using different policies and different equipment. An attack that works against one "box" then might not work at all against the rest of the network. If you have a consolidated policy, a successful attack in one location works just as well through the entire network and you find the entire network compromised. Heck, it is currently possible to set up a communications channel completely undetected by firewalls using various options and extension headers of IPv6. There is no such thing as a "secure" network that is connected to the Internet or that is connected to anything that is connected to the Internet. Air gap is the only real security. Anything else is just wishful thinking.
Posted by: crosspatch 2011-06-19 20:25
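The comment above points at IPv6 extension headers and their TLV options as a place where a firewall that only looks at the fixed header sees nothing. The defensive counterpart is to walk the whole header chain before making a policy decision. The following is an added example, not code from the commenter or the site: it parses a raw IPv6 packet's extension-header chain per RFC 8200 (and RFC 4302 for AH) and reports what a conservative filtering policy would flag, such as option types outside a small accepted set, PadN options that carry non-zero bytes, or a Hop-by-Hop header that is not first. The accepted-option set and both sample packets are constructed assumptions for the example.

```python
"""Walk an IPv6 extension-header chain and report what a policy check would flag.

Added example, not from the original page. Header layouts follow RFC 8200
(IPv6) and RFC 4302 (AH). The sample packets below are constructed inline.
"""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP, ICMPV6, NO_NEXT_HEADER = 6, 17, 58, 59
OPTION_CARRIERS = {HOP_BY_HOP, DEST_OPTS}
NAMES = {HOP_BY_HOP: "HopByHop", ROUTING: "Routing", FRAGMENT: "Fragment",
         ESP: "ESP", AH: "AH", DEST_OPTS: "DestOpts", TCP: "TCP", UDP: "UDP",
         ICMPV6: "ICMPv6", NO_NEXT_HEADER: "NoNextHeader"}
# Option types a conservative policy accepts: an assumption for this example.
PAD1, PADN, ROUTER_ALERT, JUMBO_PAYLOAD = 0x00, 0x01, 0x05, 0xC2
ACCEPTED_OPTIONS = {PAD1, PADN, ROUTER_ALERT, JUMBO_PAYLOAD}


def parse_options(data):
    """Yield (type, value) for each TLV option in a Hop-by-Hop/Destination Options body."""
    i = 0
    while i < len(data):
        opt_type = data[i]
        if opt_type == PAD1:            # Pad1 is a single zero byte with no length field
            yield opt_type, b""
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        opt_len = data[i + 1]
        value = data[i + 2:i + 2 + opt_len]
        if len(value) != opt_len:
            raise ValueError("option length runs past the extension header")
        yield opt_type, value
        i += 2 + opt_len


def inspect_ipv6(packet):
    """Return (chain, findings) for a raw IPv6 packet.

    chain lists protocol numbers in order, ending with the upper-layer protocol;
    findings are strings a filtering policy would act on.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40
    chain, findings = [], []
    while True:
        chain.append(next_hdr)
        if next_hdr in (TCP, UDP, ICMPV6, NO_NEXT_HEADER):
            break
        if next_hdr == ESP:
            findings.append("ESP: remainder is encrypted, chain cannot be inspected")
            break
        if next_hdr not in NAMES:
            findings.append(f"unknown next-header value {next_hdr}")
            break
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        ext_next = packet[offset]
        if next_hdr == FRAGMENT:
            hdr_len = 8                               # fixed-size header
        elif next_hdr == AH:
            hdr_len = (packet[offset + 1] + 2) * 4    # RFC 4302: 32-bit words minus 2
        else:
            hdr_len = (packet[offset + 1] + 1) * 8    # RFC 8200: 8-octet units, first excluded
        if next_hdr == HOP_BY_HOP and offset != 40:
            findings.append("Hop-by-Hop header not directly after the IPv6 header")
        if next_hdr in OPTION_CARRIERS:
            for opt_type, value in parse_options(packet[offset + 2:offset + hdr_len]):
                if opt_type not in ACCEPTED_OPTIONS:
                    findings.append(f"{NAMES[next_hdr]}: unregistered option type "
                                    f"0x{opt_type:02x} carrying {len(value)} bytes")
                elif opt_type == PADN and any(value):
                    findings.append(f"{NAMES[next_hdr]}: PadN option with non-zero padding")
        offset += hdr_len
        next_hdr = ext_next
    if chain.count(DEST_OPTS) > 2:                    # RFC 8200 allows at most two
        findings.append("more than two Destination Options headers")
    return chain, findings


def build_ipv6(next_hdr, payload):
    """Constructed IPv6 fixed header using RFC 3849 documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + src + dst + payload


# Constructed sample 1: Fragment header followed by an 8-byte UDP header stub.
CLEAN = build_ipv6(FRAGMENT, struct.pack("!BBHI", UDP, 0, 0, 0x1234) + b"\x00" * 8)
# Constructed sample 2: Destination Options carrying an unregistered option
# (type 0x3e, 4 bytes) and a PadN whose padding bytes are not all zero.
SUSPECT_BODY = bytes([0x3E, 4]) + b"data" + bytes([PADN, 6]) + b"\x00" * 5 + b"\x41"
SUSPECT = build_ipv6(DEST_OPTS, bytes([UDP, 1]) + SUSPECT_BODY + b"\x00" * 8)

if __name__ == "__main__":
    for label, pkt in (("clean", CLEAN), ("suspect", SUSPECT)):
        chain, findings = inspect_ipv6(pkt)
        print(label, " > ".join(NAMES[p] for p in chain), findings or "no findings")
```

The point of walking the chain to the upper-layer protocol is that any policy keyed on "TCP port 443" or "UDP" is meaningless until the last header has been reached; a device that stops at the fixed header classifies the second sample as "Destination Options" and never sees the UDP header or the unregistered option. Whether to drop unregistered option types outright or only log them is a policy decision; RFC 8200 specifies how unrecognised options are handled by the two high-order bits of the type, which a production filter should honour.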