Turning the network inside out



Joel Snyder, Ph.D.

Senior Partner

Opus One

jms@opus1.com

Most networks focus on perimeter defense

"[AT&T's gateway creates] a sort of crunchy shell around a soft, chewy center." (Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)

Big Bad Internet

Perimeter defense has its flaws

Protecting your network with a perimeter firewall is like putting a stake in the middle of a field and expecting the other team to run into it.

#include <statistic on insider break-in percent>

"If your position is invisible, the most carefully concealed spies will not be able to get a look at it." (Sun-Tzu)

[Diagram labels: Big Bad Internet; Virus]

Defense in Depth is the alternative

Make the network crunchy, not soft and chewy throughout.

Turn the network inside-out: the security is on the inside, not on the outside.

We don't do defense-in-depth because...

Cost: The cost of adding firewall brains has been prohibitive.

Performance: Firewalls are slower than Gigabit switches.

Management: Determining the many-to-many relationships is difficult.

Authentication: How do you know who has that IP address anyway?

Date: 2004-04-26