bembry.org

Notes on Building Internet Firewalls

Ch. 3 - Security Strategies

  • Least Privilege : Any object should have only the privileges needed to perform its assigned task, and no more.
  • Many common security problems on the Internet can be viewed as failures to follow the principle of least privilege.
  • Trying to enforce least privilege on people, rather than programs, can be particularly dangerous.
  • Defense in Depth : Don't depend on just one security mechanism, no matter how strong it may be. Instead, install multiple mechanisms that back each other up.
  • In situations where cost is low you should always deploy redundant defenses.
  • Choke Point : A choke point forces attackers to use a narrow channel, which you can monitor and control.
  • A choke point is useless if there is an effective way for an attacker to go around it.
  • Weakest Link : Smart attackers are going to seek out the weak spot and concentrate their attentions there.
  • There is always going to be a weakest link. The trick is to make that link strong enough and to keep the strength proportional to the risk.
  • Fail Safe : If systems are going to fail, they should fail in such a way that they deny access to an attacker, rather than letting the attacker in.
  • Two fundamental stances:
    • Default Deny: Specify only what you allow, prohibit everything else.
    • Default Permit: Specify only what you prohibit, allow everything else.
  • About the only people who benefit from the default permit stance are attackers.
  • Universal Participation : If someone can simply opt out of your security mechanisms, an attacker may be able to get through by attacking the exempt person's system first.
  • People who are not voluntary participants will go to amazing lengths to circumvent security measures.
  • It's worth spending a lot of energy to convince people to cooperate voluntarily, because you'll often spend just as much energy trying to force them to cooperate, with worse side effects.
  • Diversity of Defense : You need not only multiple layers of defense, but different kinds of defense.
  • If you are not careful, you can create diversity of weakness instead of diversity of defense, i.e., using security products from different vendors just for the sake of diversity can cause more trouble than benefit.
  • Systems configured by the same people are probably configured with the same weaknesses.
  • Simplicity : If you don't understand something, you can't really know whether or not it's secure.
  • Complexity provides all sorts of nooks and crannies to hide in.
  • Once people start to expect a system to behave erratically, they won't be able to recognize security problems.
  • Security through Obscurity : Obscurity is a perfectly valid security tactic, just not a very strong one.
  • The less information attackers have, the better. It won't keep them out, but it may slow them down.
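As an added example (not from the book or these notes): a small first-match packet-filter evaluator that makes the Fail Safe and Default Deny / Default Permit points above concrete. The rule syntax, the sample traffic and the addresses are constructed for illustration; the unanticipated service on port 8080 shows why only attackers benefit from default permit, and the policy loader shows a fail-safe failure mode.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    port: int    # destination port; 0 matches any port
    src: str     # source address range in CIDR form

def matches(rule, proto, port, src):
    return (rule.proto in ("any", proto) and rule.port in (0, port)
            and ip_address(src) in ip_network(rule.src))

def evaluate(rules, default, proto, port, src):
    """First matching rule wins; the stance decides unmatched traffic."""
    for rule in rules:
        if matches(rule, proto, port, src):
            return rule.action
    return default

def load_policy(lines, default):
    """Parse 'allow tcp 25 0.0.0.0/0' lines. Fail safe: a policy that does
    not parse yields no rules and a deny stance, never an open filter."""
    try:
        rules = []
        for line in lines:
            action, proto, port, src = line.split()
            if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
                raise ValueError(line)
            ip_network(src)  # validate the CIDR up front
            rules.append(Rule(action, proto, int(port), src))
        return rules, default
    except ValueError:
        return [], "deny"

# Constructed traffic sample; the last entry is a service nobody wrote a rule for.
TRAFFIC = {
    "smtp": ("tcp", 25, "203.0.113.7"),
    "ssh-from-inside": ("tcp", 22, "10.1.2.3"),
    "ssh-from-outside": ("tcp", 22, "203.0.113.7"),
    "telnet": ("tcp", 23, "203.0.113.7"),
    "new-admin-ui": ("tcp", 8080, "203.0.113.7"),
}
DENY_STANCE = ["allow tcp 25 0.0.0.0/0", "allow tcp 22 10.0.0.0/8"]  # specify what you allow
PERMIT_STANCE = ["deny tcp 23 0.0.0.0/0", "deny udp 69 0.0.0.0/0"]   # specify what you prohibit

def decide(policy_lines, default):
    rules, stance = load_policy(policy_lines, default)
    return {name: evaluate(rules, stance, *pkt) for name, pkt in TRAFFIC.items()}
```

Under the default-deny policy the unplanned admin interface is blocked until someone deliberately allows it; under default permit it is reachable from anywhere, and a policy file that fails to parse closes the filter rather than opening it.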