
Commit 5a37aa9

emphasize defense in depth
1 parent 82d760c commit 5a37aa9

File tree

1 file changed

+22
-14
lines changed


firewall.rst

Lines changed: 22 additions & 14 deletions
@@ -16,14 +16,22 @@ understand that writing software that is not vulnerable to being
1616
hacked is an important part of the overall security landscape. It is
1717
also a broad topic, starting with questions about the programming
1818
language you use (e.g., memory-safe languages like Rust are less
19-
susceptible than, say, C). Such topics are outside the scope of this
20-
book, where we instead take a network-centric view, and ask: *"What can
21-
we do in the network to either minimize opportunities for malware to
22-
exploit vulnerable software, or to mitigate the impact of such an
23-
exploit succeeding."* Firewalls, and more generally *security
24-
appliances*, are part of the answer. They are devices placed at
25-
strategic points throughout the network that identify and respond to
26-
malicious traffic.
19+
susceptible than, say, C), and also including a variety of OS problems
20+
(e.g., how to efficiently enforce isolation between processes). Such
21+
topics are outside the scope of this book, where we instead take a
22+
network-centric view, and ask: *"What can we do in the network to
23+
either minimize opportunities for malware to exploit vulnerable
24+
software, or to mitigate the impact when such exploits succeed."*
25+
Firewalls, and more generally *security appliances*, are part of the
26+
answer. They are devices placed at strategic points throughout the
27+
network that identify and respond to malicious traffic.
28+
29+
The other big-picture takeaway is that firewalls and other security
30+
appliances illustrate the principle of defense in depth introduced in
31+
Chapter 2. It would be ideal for all the software we run to be
32+
bullet-proof, but for those times it isn't—e.g., when a new bug is
33+
discovered—we need a second line of defense. Network appliances play
34+
that role.
2735

2836
9.1 Basic Principles of Firewalls
2937
-----------------------------------
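Review bot: the quoted question on lines 22+ to 24+ still ends with a period inside the closing quote (`software, or to mitigate the impact when such exploits succeed."*`); since the sentence is phrased as a question, a question mark would read better. Lines 28+ and 29+ also leave two consecutive blank lines before the new paragraph, while the rest of the file separates paragraphs with one; the second blank line can be dropped. Finally, the new paragraph's pointer to Chapter 2 on line 30+ is a bare mention; if the book uses Sphinx `:ref:` targets for chapter cross-references elsewhere, a link here would help readers locate the defense-in-depth discussion.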
@@ -521,12 +529,12 @@ learning algorithms to classify traffic as "normal" or
521529
have their respective strengths and weaknesses, it is common to find
522530
both approaches used in modern IDS/IPS systems.
523531

524-
The proliferation of security appliances brings us back to one the
525-
security principles discussed in Chapter 2: defense in depth. For
526-
example, if we had a perfect firewall, we might not require an IDS or
527-
IPS. However, knowing that firewalls will never block all forms of
528-
malicious traffic leads to the conclusion that an IDS/IPS is worth
529-
having as a second line of defense.
532+
The proliferation of security appliances again highlights the
533+
principle of defense in depth. For example, if we had a perfect
534+
firewall, we might not require an IDS or IPS. However, knowing that
535+
firewalls will never block all forms of malicious traffic leads to the
536+
conclusion that an IDS/IPS is worth having as a second line of
537+
defense.
530538

531539
9.4.2 DoS Mitigation
532540
~~~~~~~~~~~~~~~~~~~~~~~~~~~
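Review bot: replacing "discussed in Chapter 2" (old line 525, which also fixes the "one the" typo) with "again highlights" on line 532+ drops the only pointer in this section to where defense in depth is defined; "again" assumes the reader has seen the new paragraph in the chapter introduction, which someone entering directly at Section 9.4 will not have. Suggest keeping a short pointer, e.g. `principle of defense in depth (see Chapter 2)`, so the two mentions stay consistent.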
