by hcazz 1568 days ago
Can you elaborate more on the firewall perspective? Your description makes it sound like for a three tier webapp[0], the entire pdf is suggesting to put a firewall around the presentation layer to limit it to appropriate sources, then the application tier to limit to appropriate sources, then the data tier to appropriate sources, etc.

While that should be done, and they are suggesting that, I feel like that's only covering section 2 at best. This doc isn't about adding other similar walls, it's reducing attack surface, limiting blast radius, and encouraging industry standards such as defense in depth, least privilege, and some elements of supply chain security. Your comment suggests you know that, but the PDF states many other things that have nothing to do with firewalls or differentiating good traffic from bad traffic.

My take on it is I see this document more as a source to point at internally at the NSA for best practices or a minimum bar to meet, not the best that the industry or the NSA has to offer. Even then, I'd assume that some organization externally will use this to say they aren't "up to the NSA's standards", and push for changes to fix their practices.

If it means that more folks learn of common practices in the industry and increase their security as a result, I'm all for folks sharing these practices, whether it's the NSA sharing it or a private organization.

[0] - https://www.ibm.com/cloud/learn/three-tier-architecture

1 comments

I too am all for sharing best practices. I just disagree with some of those practices. Using a mixed bag of a particular product from a variety of vendors sounds great from a management perspective. It seems obvious that one might catch something that another misses. Having a variety of security products watching a network is like how a variety of COVID vaccinations can be better than repeating the same vaccine each time. But more vendors means a greater variety of associated traffic. You end up poking a hole in one firewall so that someone can manage some other firewall. Your IDS sees, and gets used to seeing, all sorts of strange management traffic. Your engineers become complacent, opening up holes upon request by anyone with the correct phone number. There is something to be said for a single strong firewall system from a single vendor. Then you have a single reporting/monitoring system with no shirking of responsibility. That one wall is manned/watched/managed as everyone's first priority. One very tall wall rather than a series of shorter ones.

The practice I would promote, but which is rarely ever used outside of defense and/or the biggest companies, is having separate networks for the really important stuff. Why is client data traveling along the same network as employees streaming Netflix? Have one network for general office junk and another physically-distinct network for client data. Why is the office birthday party announcement landing in the same inbox as an email from a "client" requesting a wire transfer? If separating these means some employees have to run two email inboxes or have two computers at their desk, so be it. But doing that costs money. Subscribing to a 3rd or 4th firewall vendor is cheap.