Re: one way firewall?

From: Dave Hall <dave-slg_at_no.spam.please>
Date: Tue Aug 21 2007 - 17:17:24 CST

What I understand Gordon to be saying is that machine A is known insecure
such that it cannot be directly exposed to a public (or in this case, the
campus) network. Phrased another way, the probability of compromise of A
is 100% while the probability of compromise of B if managed properly is
less than 100%.

Yes, I agree that a firewall will make it more difficult to get to, in the
same way 'n' systems in series would make it more difficult. On the other
hand, that is 'n' systems to manage and 'n' systems to break.

I believe that for the application as described, the point is to allow data
stored on the insecure box to be accessible by the broader network. This
use case is not about preventing targeted compromise where your solution
would be ideal.
Received on Tue Aug 21 17:17:41 2007
