North American Network Operators Group
Re: Diversity as defense
On Mon, 19 Jan 2004 15:35:22 EST, email@example.com said:

> The diversity, monoculture and agriculture analogy makes nice press, but how
> realistic is diversity as a defense.

Well.. if diversity were to actually exist, it would be quite helpful.

Right now, if you have a Windows exploit, you might as well point and pull the trigger because you have an 86% chance of nailing the target. Add in a Linux exploit and you're well over 90%. That's Russian Roulette with a 10-shooter and one bullet.

On the other hand, let's think about if there were 10 products that each have 10% market share, and even a minimal attempt at deterring fingerprinting of the target, you're looking at a 90% chance that the exploit you launch will fail and leave a nasty mark on an IDS. Suddenly, it's 9 bullets and one blank. And even worse odds if you haven't been picking up all the exploits in the series - or not all the products are vulnerable.

Unfortunately, it's not a realistic scenario, because...

> Is cost the biggest hurdle or limited
> availability of competitive products, or simply no bang for the buck by
> diversifying.

I can sum up *every* problem I've had in getting people to migrate in just 3 words: "vendor lock in". Enough said on that topic.