May 11th, 2006 by Chandler Howell

As Saso pointed out in one of his always-appreciated comments on deperimeterization,

What I find quite remarkable is our inability to learn from other people’s experiences. Take castles as prime examples of how layered security should work. Those that were built by masters of their art are still around (if they weren’t used later on as a source of building stones for houses around the area, that is), to show how a good defense in depth works. There’s the perimeter layer, a hard-to-pass (unnoticed) area; then there’s the first perimeter, with strong defences; then there’s the second perimeter, in case the first gets breached; … and all that is usually overseen by corner towers that can only be reached via a staircase that winds clockwise, to hamper the attacker’s sword wielding.

Alas, many took the “we have a firewall, we’re secure” approach and then shot holes right through their perimeter walls. :-)

Personally, I dislike the whole castle analogy. As soon as you expand it beyond the idea of an outer curtain and inner keep, the whole analogy breaks down.

What’s the analog to the towers? IPS? That would only be the case if archers were blind and half of them were firing indiscriminately into the courtyard.

But as it is, I agree that the best analog we have is that we’ve already used the stones from the outer curtain to build our businesses and punched windows through the walls of the keep so we can see out and let light and fresh air in.

If I actually had some good analogs to boiling oil or a cavalry counterattack, I might be on-board with the whole castle analogy. But as it is, I’m just reminded that for all their effectiveness in preventing an attack, a defensively-sound castle is a dark, smelly, cramped and generally miserable place to live. If you’ve ever lived behind an “effective” firewall, your IT experience was probably quite similar.

Image of Middleham Castle courtesy of flickr.

- Posted in Security and Risk Management, Risk Management, Network Security

Saso Says:

I agree with you that the castle analogy has been beaten to death and beyond (hence my attempt to revive it) and I agree that, just like all analogies, it only works this far and in only certain circumstances. From personal experience quite a while ago, I can say that a good analogue to boiling oil is - here comes another analogy - using your corporate lawyers. Cavalry counterattack? Your friendly law enforcement agents. Today’s challenges ask for, nay, demand, creative solutions.

I’m still in the dark about a good analogue to the towers; IPS it ain’t, unless you expect your tower archers to occasionally fire a volley across the general populace in the courtyard. Raising general security awareness in the corporation would help with half the task the spies, peasants, and messengers did in informing the feudal lord that someone is coming with ill intentions. But the towers were there for that last-minute notification of the arrival of a raiding party, as well as the final retreat.

But we’ve come a long way since the castles were used to defend the livelihood of the well-off stinkers, who failed to learn from antiquity that running water, baths, sewerage, etc. are good for you.

Castles went out of favour with western civilization’s discovery of gunpowder (if they had asked their neighbours, they’d have had it quite a while ago) and the entrance of cannons.

Firewalls went out of favour when … Hm, they didn’t quite yet, did they? Maybe they have a purpose to serve, but not in the way they’re used now. I’ve heard application layer gateways are the next best thing. Cue in MJR and SEAL. ;-)

So what did we forget that will come to bite us around the corner? If only I knew.

Lovely photo; I wish I took it.

- May 12th, 2006 at 12:41 am

Any military analog is poor. Castles especially, because their defenses can attack back. Our defenses, at best, are designed mainly to prevent and/or detect. What response we do have occurs in a passive manner, more like a battlefield medic than a counterattack. It’s not acceptable, for example, for our IPS, when it finds a valid attack, to scan the attacker and perform an automated penetration (as fun as that might sound).

This, from a strategic standpoint, is a very unenviable position.

- May 12th, 2006 at 1:15 pm

Hmm…corporate lawyers…I could go for them as cavalry. Mercenary, uncooperative, and usually useless cavalry, but they’re the closest thing I ever see to a counterattack.

As to law enforcement, they’re the guys in the next castle over who wave back at you when you try to get their attention and only want to talk when you can do something for them.

Actually, automated reverse-scans are not much fun at all. They automate the rare bit of malicious fun a white-hat can have when people are having a go at your network defenses. You can map them and fingerprint them; you just can’t do anything more. Since we haven’t had enough analogies…it’s like blowing a raspberry from atop your castle wall and calling the attacker a “Silly English K…kanigget.”

- May 13th, 2006 at 5:26 am

On the usefulness of analogies…

I discovered, with some delay attributable to that veritable witches’ sabbath of computer security that is SSTIC, this excellent article by Scott Granneman entitled “Security Analogies”. In it he discusses the importance of analogies in raising awar…

- June 8th, 2007 at 1:29 am
