Hello,

In order to properly evaluate any sort of defensive strategy, one must first attempt to answer the following questions: who is your adversary? What are their potential capabilities? Do they have access to financial resources? To what extent? And do they have the luxury of time? What is the extent of *your* financial resources? What are *your* capabilities? A proper baseline must be established.

However, I think the question should be modified to include access control mechanisms in general; otherwise, we are comparing apples to oranges. A network-based firewall will not protect against a web application vulnerability; however, an application firewall might, compartmentalization might, RBAC might... it depends on the circumstances.

Suppose, theoretically, we can quantify security and measure the level of security that a system possesses. What influence would the concept of susceptibility to attack have on this measurable quantity? Access control mechanisms would reduce exposure, in turn reducing the system's susceptibility to attack, but does it make the system any more secure? Does the concept of vulnerability still exist within an environment of implicit trust?

IMNSHO, access control is often misused as a tool of obfuscation. One should always assume that the security controls in place within an infrastructure CAN and WILL be circumvented; then, architect accordingly. The most common mistake made within the security industry is failure to do so.

Bottom line -- system hardening is your first line of defence. Not doing so creates a risk. However manageable that risk may be in the short term, the survivability of your system will be reduced in the long term.

----------------------------------
John Daniele
Technical Security & Intelligence
http://www.tsintel.com
----------------------------------