Date: 2001-04-16
Crypto, War & Clausewitz
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
Apparently Bruce Schneier has lately been reading up a bit on
military history. His line of argument suggests that he is in
need of reading Clausewitz, but does not know that "Vom Kriege"
explains precisely where that argument is heading.
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
Natural Advantages of Defense: What Military History Can
Teach Network Security, Part 1
Military strategists call it "the position of the interior." The
defender has to defend against every possible attack. The
attacker, on the other hand, only has to choose one attack,
and he can concentrate his forces on that one attack. This
puts the attacker at a natural advantage.
Despite this, in almost every sort of warfare the attacker is at
a disadvantage. More people are required to attack a city (or
castle, or house, or foxhole) than are required to defend it.
The ratios change over history -- the defense's enormous
advantage in WW I trench warfare lessened with the advent of
the WW II blitzkrieg, for example -- but the basic truth
remains: all other things being equal, the military defender
has a considerable advantage over the attacker.
This has never been true on the Internet. There, the attacker
has an advantage. He can choose when and how to attack.
He knows what particular products the defender is using (or
even if he doesn't, it usually is one of a small handful of
possibilities). The defender is forced to constantly upgrade
his system to eliminate new vulnerabilities and watch every
possible attack, and he can still get whacked when an
attacker tries something new...or exploits a new weakness
that can't easily be patched. The position of the interior is a
difficult position indeed.
A student of military history might be tempted to look at the
Internet and wonder: "What is it about warfare in the real
world that aids the defender, and can it apply to network
security?"
Good question.
The defender's military advantage comes from two broad
strengths: the ability to quickly react to an attack, and the
ability to control the terrain.
The first strength is probably the most important; a defender
can more quickly shift forces to resupply existing forces,
shore up defense where it is needed, and counterattack. I've
written extensively about how this applies to computer
security: how detection and response are critical, the need
for trained experts to quickly analyze and react to attacks,
and the importance of vigilance. I've built Counterpane
Internet Security's Managed Security Monitoring service
around these very principles, precisely because it can
dramatically shift the balance from attacker to defender.
The defender's second strength also gives him a strong
advantage. He has better knowledge of the terrain: where the
good hiding places are, where the mountain passes are, how
to sneak through the caves. This provides the defender with
an enormous advantage. He can modify the terrain: building
castles or surface-to-air missile batteries, digging trenches or
tunnels, erecting guard towers or pillboxes. And he can
choose the terrain on which to stand and defend: behind the
stone wall, atop the hill, on the far side of the bridge, in the
dense jungle. The defender can use terrain to his maximum
advantage; the attacker is stuck with whatever terrain he is
forced to traverse.
On the Internet, this second advantage is one that network
defenders seldom take advantage of: knowledge of the
network. The network administrator knows exactly how his
network is built (or, at least, he should), what it is supposed
to do, and how it is supposed to do it. Any attacker except a
knowledgeable insider has no choice but to stumble around,
trying this and that, trying to figure out what's where and
who's connected to whom. And it's about time we exploited
this advantage.
Think about burglar alarms. The reason they work is that the
attacker doesn't know they're there. He might successfully
bypass a door lock, or sneak in through a second-story
window, but he doesn't know that there is a pressure plate
under this particular rug, or an electric eye across this
particular doorway. McGyver-like antics aside, any burglar
wandering through a well-alarmed building is guaranteed to
trip something sooner or later.
Traditional computer security has been static: install a
firewall, configure a PKI, add access-control measures, and
you're done. Real security is dynamic. The defense has to
be continuously vigilant, always ready for the attack. The
defense has to be able to detect attacks quickly, before
serious damage is done. And the defense has to be able to
respond to attacks effectively, repelling the attacker and
restoring order.
This kind of defense is possible in computer networks. It
starts with effective sensors: firewalls, well-audited servers
and routers, intrusion-detection products, network burglar
alarms. But it also includes people: trained security experts
that can quickly separate the false alarms from the real
attacks, and who know how to respond. This is security
through process. This is security that recognizes that
human intelligence is vital for a strong defense, and that
automatic software programs just don't cut it.
It's a military axiom that eventually a determined attacker can
defeat any static defense. In World War II, the British flew
out to engage the Luftwaffe, in contrast to the French who
waited to meet the Wehrmacht at the Maginot Line. The
ability to react quickly to an attack, and intimate knowledge
of the terrain: these are the advantages the position of the
interior brings. A good general knows how to take advantage
of them, and they're what we need to leverage effectively for
computer security.
The importance of detection and response in network security:
<http://www.counterpane.com/crypto-gram-0005.html#ComputerSecurityWillWeEver Learn>
Marcus Ranum has written and spoken about Internet burglar alarms.
<http://web.ranum.com/pubs/pdf/burglar-alarms.pdf>
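The "network burglar alarm" the essay describes, as an added example that is not part of the original article and not code from Counterpane or from Marcus Ranum: a decoy TCP listener bound to ports that no real service on the host uses, so that any connection at all is a tripwire event. The defender's knowledge of the network is encoded in an allowlist of hosts that are expected to touch every port (here a constructed internal vulnerability scanner at 10.0.0.5), whose hits are logged at low severity instead of raising an alarm. All port numbers, service labels and addresses are constructed, and `DECOY_PORTS`, `BurglarAlarm` and `demo` are hypothetical names.

```python
"""Network burglar alarm: decoy listeners on ports no legitimate client uses.

Hypothetical defensive example. Nothing on the network is supposed to talk
to these ports, so a connection is a pressure plate going off: the intruder
"stumbling around" the terrain trips a sensor the defender placed on purpose.
"""
import asyncio
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed decoy services. These ports are bound only by the alarm,
# never by a real daemon on this host.
DECOY_PORTS: Dict[int, str] = {
    2323: "decoy-telnet",
    5433: "decoy-postgres",
    8081: "decoy-admin-http",
}


@dataclass
class Alert:
    when: str
    src_ip: str
    src_port: int
    dst_port: int
    label: str
    first_bytes: bytes   # whatever the client sent first, for the analyst
    severity: str        # "high" for unknown sources, "info" for known scanners


@dataclass
class BurglarAlarm:
    decoys: Dict[int, str]
    # Terrain knowledge: hosts the administrator knows will probe every port,
    # e.g. the internal vulnerability scanner. Their hits are expected.
    known_scanners: Set[str] = field(default_factory=set)
    alerts: List[Alert] = field(default_factory=list)

    def classify(self, src_ip: str, src_port: int, dst_port: int,
                 first_bytes: bytes) -> Alert:
        """Record one tripped sensor and decide how loud the alarm should be."""
        severity = "info" if src_ip in self.known_scanners else "high"
        alert = Alert(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            src_ip=src_ip, src_port=src_port, dst_port=dst_port,
            label=self.decoys.get(dst_port, "unknown-decoy"),
            first_bytes=first_bytes[:64], severity=severity,
        )
        self.alerts.append(alert)
        return alert

    async def handle(self, reader: asyncio.StreamReader,
                     writer: asyncio.StreamWriter) -> None:
        """Per-connection handler: grab the first bytes, log, hang up."""
        src_ip, src_port = writer.get_extra_info("peername")[:2]
        dst_port = writer.get_extra_info("sockname")[1]
        try:
            # Many probes connect and disconnect without sending anything,
            # so never wait long for a banner from the client.
            first = await asyncio.wait_for(reader.read(64), timeout=0.5)
        except asyncio.TimeoutError:
            first = b""
        self.classify(src_ip, src_port, dst_port, first)
        writer.close()
        await writer.wait_closed()


async def _trip_demo() -> List[Alert]:
    """Start one decoy on an ephemeral loopback port and trip it ourselves."""
    alarm = BurglarAlarm(decoys=dict(DECOY_PORTS), known_scanners={"10.0.0.5"})
    server = await asyncio.start_server(alarm.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    alarm.decoys[port] = "decoy-demo"   # register the ephemeral port as a decoy
    # Constructed intruder: something looking for an admin web interface.
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"GET /admin HTTP/1.0\r\n\r\n")
    await writer.drain()
    await reader.read()   # returns b"" once the alarm has logged and hung up
    writer.close()
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return alarm.alerts


def demo() -> List[Alert]:
    """Synchronous entry point; returns the alerts the demo connection raised."""
    return asyncio.run(_trip_demo())


if __name__ == "__main__":
    for a in demo():
        print(f"{a.when} [{a.severity}] {a.src_ip}:{a.src_port} -> "
              f"{a.label} ({a.dst_port}) first bytes {a.first_bytes!r}")
```

The alarm deliberately does nothing clever with the connection: its value comes from the defender knowing that the port should be silent, not from understanding the protocol. In practice the `classify` result would be shipped to the same monitoring pipeline the essay argues for, where a human decides whether the "high" event is a misconfigured client or an intruder.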
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by Harkank
published on: 2001-04-16
comments to office@quintessenz.at
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-