We've been seeing a bit of media attention of late to diversity as a technique to make networks more secure:
http://news.com.com/2009-7349_3-5140971.html?tag=nefd_lede
The usual suspect is Microsoft with 97% of OS's, but Cisco's 86% of the router market has been cited as well as SNMP vulnerabilities of two years ago. The diversity, monoculture and agricutlure analogy makes nice press, but how realistic is diversity as a defense. Is cost the biggest hurdle or limited avaiability of competitive products, or simply no bang for the buck by diversifying. We've run some simulations testing the effects of different levels of diversity, but wanted some feedback on feasibility.
http://arxiv.org/abs/cond-mat/0401017
Any comments, feedback or discussion would be greatly appreciated.
best,
sean
The diversity, monoculture and agricutlure analogy makes nice press, but how
realistic is diversity as a defense.
Well.. if diversity were to actually exist, it would be quite helpful. Right now,
if you have a Windows exploit, you might as well point and pull the trigger because
you have an 86% chance of nailing the target. Add in a Linux exploit and you're well
over 90%. That's Russian Roulette with a 10-shooter and one bullet.
On the other hand, let's think about if there were 10 products that each have 10%
market share, and even a minimal attempt at deterring fingerprinting of the target,
you're looking at a 90% chance that the exploit you launch will fail and leave a
nasty mark on an IDS. Suddenly, it's 9 bullets and one blank. And even worse odds
if you haven't been picking up all the exploits in the series - or not all the products
are vulnerable.
Unfortunately, it's not a realistic scenario, because...
Is cost the biggest hurdle or limited
avaiability of competitive products, or simply no bang for the buck by
diversifying.
I can sum up *every* problem I've had in getting people to migrate in just
3 words: "vendor lock in". Enough said on that topic.