On the Security of Walls

Interesting history of the security of walls:

Dún Aonghasa presents early evidence of the same principles of redundant security measures at work in 13th century castles, 17th century star-shaped artillery fortifications, and even “defense in depth” security architecture promoted today by the National Institute of Standards and Technology, the Nuclear Regulatory Commission, and countless other security organizations world-wide.

Security advances throughout the centuries have been mostly technical adjustments in response to evolving weaponry. Fortification—the art and science of protecting a place by imposing a barrier between you and an enemy—is as ancient as humanity. From the standpoint of theory, however, there is very little about modern network or airport security that could not be learned from a 17th century artillery manual. That should trouble us more than it does.

Fortification depends on walls as a demarcation between attacker and defender. The very first priority action listed in the 2017 National Security Strategy states: “We will secure our borders through the construction of a border wall, the use of multilayered defenses and advanced technology, the employment of additional personnel, and other measures.” The National Security Strategy, as well as the executive order just preceding it, are just formal language to describe the recurrent and popular idea of a grand border wall as a central tool of strategic security. There’s been a lot said about the costs of the wall. But, as the American finger hovers over the Hadrian’s Wall 2.0 button, whether or not a wall will actually improve national security depends a lot on how walls work, but more so, how they fail.

Lots more at the link.

Posted on February 19, 2018 at 4:24 PM • 24 Comments

Comments

hooodathunkit February 19, 2018 7:44 PM

@Alex
Hadrian’s Wall, Maginot Line. Same thing in different eras?

Heck no! Hadrian’s wall (fallback to the Antonine wall) was a realistic and practical line of defense. It was built at the limit of Romanized Britain’s ability to hold; a balance between outright war and full peace, or the economic compromise between income from governed land and expenditures for warfare. Both walls were intended to stop raiders, gypsies, and nomads, serve as army barracks, small depots, customs offices, etc.

Both walls also marked real divisions, slightly changed since their construction, that exist today. The Antonine marks the approximate division between Scots Highland-Lowland, and the Hadrian is roughly the border of England and Scotland.
__
The Maginot Line was a fortress in France built to stop the advance of an army from a different time. No wall, no line, it was a series of thousands of forts, mini-forts, and tank barriers with interlocking fields of fire. To French regret they scrimped in a couple spots they felt impassable, weapons were locked ‘facing the enemy’, no anti-aircraft, and no ‘Plan B’.

Mike Barno February 19, 2018 11:39 PM

@ hooodathunkit :

The Maginot Line was a fortress in France built to stop the advance of an army from a different time.

A classic example of the axiom that the military establishment [of just about any nation] is prepared to fight the last war, but not the next war. They learn specific lessons from what went wrong last time, and try to implement defensive measures (or occasionally prepare offensive measures) for those; but they rarely generalize the lessons enough or use enough innovative thinking to adapt to new technological developments. When archery, or aircraft, or mechanization, or some other development makes radical changes to what is possible, the generals and admirals fail to anticipate it, and the privates and ensigns suffer the consequences.

Certainly this axiom continues to describe government-run efforts at data security, communications-network security, propaganda security, and so forth.

echo February 20, 2018 12:21 AM

Reading through this article now…

I read the other week about the discovery of a complete ‘causeway enclosure’ in Berkshire dating from 5,500 BC.

https://www.theguardian.com/science/2018/feb/08/discovery-of-windsor-neolithic-monument-excites-archaeologists

I suspect UK institutions have similar problems to fortresses. I believe a large part of this is due to UK constitutional law which is, essentially, feudal plus a democratic deficit on human rights and basic respect. As an example when I discussed requesting medical support for various health conditions being used to apply for disability benefits this doctor reacted in horror that this would “open the floodgates”. Within the past month or so led by the UK government it has now become an official policy discussion with a strong possibility of becoming policy. I have since learned this particular doctor no longer works at the clinic.

It seems the discussion about organisations as fortresses, and Plato’s and Aristotle’s observations about fortresses rumbles on.

This is a long essay on the ‘power of the purse’ written by an American academic but with some eye squinting can reveal similarities with UK state finance and vice versa.

Congress’ Power of the Purse, Kate Smith, Yale Law School
http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=2282&context=fss_papers

Winter February 20, 2018 1:58 AM

Remember that “walls” like the Great Wall of China were also protected roads that allowed the quick and safe deployment of troops. The same holds for the walls of fortresses.

It should be reminded that a fortress is only strong if there are people defending it.

Z.Lozinski February 20, 2018 4:57 AM

One interesting development is the move away from computer and network security models based on an inside/outside that is safeguarded by firewalls etc. The most complete version I have seen described is Google’s “BeyondCorp” which moves access control from the perimeter to individual devices and users:

https://cloud.google.com/beyondcorp/

The challenge for physical security is that “BeyondCorp” is a difficult model to translate from the virtual world to the physical. If you think it through, you need a pervasive identity management system for everything on the inside, so any access to Government services must go through authentication. In principle this is like India’s Aadhaar system.

A couple of points in the original article are a bit dubious: “a anti-cavalry measures called cheval de frise [sic]”. I don’t believe cavalry was a feature of Irish warfare in the -5C. They are more likely to slow down the exfiltration of goods after a raid.

The other question from a security point of view.

(a) Is a wall/barrier designed to prevent penetration?

(b) Is the wall/barrier designed to slow penetration and make it easier to detect an attack? (The principle behind the Underwriters Laboratory ratings for safes. You cannot make an impregnable safe, but you can raise the time budget for a successful attack beyond the owner’s response time).

(c) Is the wall/barrier designed to slow/prevent exfiltration? (Arguably Hadrian’s Wall, but in a cybersecurity world where you have to assume the existence of 0-day attacks, maybe preventing the extraction of data should be the goal).

TheInformedOne February 20, 2018 10:32 AM

Walls of the future should be more of a concern. They can be electronic & virtual, allowing more discrete and focused points of enforcement. It’s simply a fact that in order to keep a geo-fixed population safe, perimeter security forces must be able to either control migration, or alternatively account for all the members of that population. Assuming 100% of the population is “marked” (biometrics, Dongles, ID’s), then when someone shows up as unidentified they will stick out like a sore thumb. Since the U.S. can’t afford (or doesn’t want to) to physically obstruct its thousands of miles of border, this is perhaps becoming the primary focus of the U.S. perimeter enforcement in preventing terrorism. The only problem is that the U.S. was founded on principles of freedom, which in turn implies a certain amount of anonymity for its citizenry, even from its own government. Do you see the paradox? You have the RIGHT (not just privilege) to bear arms. However, your taxes pay for a government that (currently) wants to reduce your anonymity under the guise of keeping the whole population “safe”. The founding fathers already accounted for this in the 2nd & 4th amendments. If all the citizens bear arms, it will be a difficult land for a foreign invader to conquer. Aerial domination is only a partial occupation. It still (and always) takes boots on the ground to “hold” a territory. I’m sure eventually the U.S. borders will become so heavily surveilled that even a frog will have trouble swimming across the Rio. Brick and mortar walls are becoming unnecessary. Should we be concerned?

Duncan Kinder February 20, 2018 4:10 PM

May I also point out that turtles have been around for more than 200 million years?

And that a turtle was victor in a famous race.

Clive Robinson February 20, 2018 6:31 PM

@ Z.Lozinski,

One interesting development is the move away from computer and network security models based on an inside/outside that is safeguarded by firewalls etc.

It’s been a long time coming but the wheel is rotating back to the notion of “Bastion Hosts” and what they were supposed to be.

Firewalls got where they are on the perimeter because it made developers’ lives easier. Thus security became like the skin of a balloon. One penetration and everything went pop.

For most of that time firewalls have been a “checkbox item” rather like fancy wrought iron gates on a farm, or as others used to put it “A safe door on a tent”

Even today few people understand what a “choke point” is really all about and why it needs to be designed and instrumented in certain ways and what should likewise be done on the inside. In part because some of the reasons are still technically “secret”, thus don’t get taught, in part because it makes certain people’s lives easier, but also because of a frequent mistake that comes up in “target rich environments” that makes the likes of “best practice” appear falsely to work.

The latter point is the big hurdle to get across before you can act on the other points. It occurs because people don’t understand the map of the territory they are in, because they lack measurands thus can not make qualitative analysis, which gives rise to not just misinterpretation but not understanding the differences at the input.

Put simply there is a spectrum of attackers many of whom just make noise behind which others hide. In effect the noise is “fire and forget” automated attacks or “rattle the door knob” sequential attacks that try low hanging fruit and quickly move on.

The reason they make so much noise is there is no current way to stop them, all they need is an Internet connection. If they do get in the front door the chances are it’s for “bot-netting” or more recently “Crypto-currency mining” or as in times past to store their information away from them for whatever reason. That is although their reasons change with time in the main they want to use your hardware not “your information” you might have on it. Think of them as opportunist “squatters/vandals” rather than those who might have reason to target the information you have.

The next layer up as it were are those who are starting to target information. These are the people who make the headlines with having stolen XX million user records. Comparatively there are actually very few of them. The reality is they have a limited aspect on the information they are after, and really do not make much in comparison as few people want to buy even at a very low price what they are selling. However I really expect that to change with time, such is the nature of evolution (but I’ve been saying it for getting on for two decades so it might not happen any time soon).

Towards the top of the stack of attackers is where you start to find the real problems, those that target information over the long term. It’s where APT starts and where State Level and more recently Law enforcement level attackers are and no doubt where industrial espionage / crime will go given time. Their purpose is to build portfolios of information that can have devastating effect and the victims of their activities may never know why things went bad for them.

Which leaves the top of the stack, where you will find those who don’t get their hands dirty with actual attacks. They find attack vectors, weaponize them in various ways and sell the weapons at high value to those at the State and Law Enforcement levels that for various reasons do not have the in house staff to do such work.

The problem for a defender however is that of signal to noise. Minimal precautions will stop most by number of the attacks out there fairly easily and this leads to a false sense of confidence. Because by far the majority by number of attacks are the “noise” of the opportunists with automated low level attacks.

The very hard part is pulling out the real danger signals from those very few at the other end of the spectrum to the noise generators. Such attacks are actually very few and the chances of being on the receiving end has been comparatively low due to the Internet being a target rich environment. Worse the attackers can make their enumerating probes look just like the opportunist “noise”, thus you will see little or nothing until the actual attack which in and of itself may be very minor and not recognisable (the theft of code signing keys for instance means a dangerous exploit gets treated like a security patch etc).

Which means you would not have seen the actual attack only what follows on in the way of internal activity and data exfiltration. Which could be very minimal or not at all. Such as with accessing encrypted communications that can be intercepted at an upstream node beyond any security reach you might have. The attack might go after the keys and send them out by some method or somehow weaken the key exchange protocol so there is nothing but expected traffic.

Thus the chance of your network getting attacked at any given time by those deliberately targeting you is small and the chances of spotting it considerably less. This gives rise to a false sense of successful defence. Thus you look for the equivalent of the “New Yorker’s magic pet rock that stops tiger attacks in central park” and this becomes the magic sauce of best practice.

In a target rich environment, not being attacked does not mean you have good defences, it probably just means they have not yet got around to you for various reasons. Some of which are “Obscurity” that is they don’t know of you, “low hanging fruit” where there are riper targets than you that are currently easier and “Not your turn yet” that is the attackers are resource limited in some way and thus have not got around to you yet.

As I indicated some of the defence methods are still considered “secret” although they are not and are in many cases just “Common sense from a position of knowledge”. One such area is in Key Management (KeyMan) militarily it’s been considered that KeyMan is one of the hardest things to get right, not just from the security aspect but the information flow aspect.

We now know that many –if not most– “in band” key exchange protocols can be got at in certain ways. Thus logic dictates the use of “out of band” or “side channel” key exchange protocols. There are a couple of problems with this. The first is that there may be no viable secure side channel available or at the rate required. The second is ensuring that keys are actually properly isolated to prevent leakage. Both are not something you get heard talked about much and even less common is solutions and the limitations of them.

In the past the military and diplomatic services have used both message encryption and link encryption. The assumption many have made is that message encryption is to prevent against insider attacks not against key leakage attacks. The way things used to work was that message encryption was “gapped” from “line encryption” that was also often “gapped” from actual line transmission. As these gappings were an implicit part of the process by carrying paper tapes or print outs few involved actually realised what they actually were. That is mistaking them as administrative actions like filing not a security action of “gapping” at the energy level.

There are all sorts of other KeyMan and Security actions that people see but do not realise what they actually do because they are not looking with the correct perspective because they have not had the appropriate knowledge given to them.

The major problem we face today and for the foreseeable future is that when it comes to “out of band” it no longer exists outside of old school OpSec. In reality there are no secure electronic side channels available to us against state level attackers and our mathematics based key exchange protocols are subvertable. Thus other methods are required, and exist, but you have to know about them and their strengths and weaknesses, which by far the majority of people don’t…

Peter February 21, 2018 6:23 AM

Re. Maginot. Always thought it was not working as should. However I learned that the Germans never captured a single fort and the last fort surrendered in July 40.
So they worked as planned, and they should have as each fort looked like a complete battleship with humongous supplies.

The French did not finalize the line up to the North Sea in order not to alienate neutral Belgium. That gap was to be protected by English and French divisions. However, faulty planning and tactics of the French army command caused a slow response to the rapid advance of the Germans. And thus led to the surrender.

So this ‘wall’ did what it should do (force the Germans to a flanking attack and buy time for the French army to react), however at a high cost (FFR 3 billion that is roughly EUR 3 billion of today).
But a cause that was not foreseen in the original plan led to the demise of France. Which sounds familiar in our security world…:-)

Me February 21, 2018 2:33 PM

@Peter

Seems a lot like Bruce always says, don’t spend too much money only to force your opponents to change their plans slightly.

vas pup February 21, 2018 3:09 PM

@all
Just recall old joke of Soviet Era:
Man is standing in The Red Square in Moscow and looking at high walls of Kremlin for a long time. Militiaman (aka cop) came closer and asked man: ‘What are you looking at?’ Man: ‘I wonder why those walls are so high’. Cop: ‘In order that idiots do not climb over’. ‘From outside or from inside out?’

Z.Lozinski February 22, 2018 6:57 AM

@Peter,

However I learned that the Germans never captured a single fort and the last fort surrendered in July 40.

Have a look at the history of Fort Eben-Emael. This was a Belgian fort and part of the Belgian border defences, similar in concept to the Maginot Line. Eben-Emael was captured by German glider-landed paratroops in May 1940. The capture of Eben-Emael allowed the outflanking of the Maginot line.

In our modern terminology, we could say that the German attack used two 0-day exploits. (Previously unknown techniques or attacks). Aerial assault delivered the attackers to the top of the fort – the fort was designed on the assumption you would see the attackers coming and be able to engage. Shaped charges were able to penetrate the top of the fortification, which was designed to withstand normal artillery. The asymmetry is also interesting: 78 attackers, 600+ defenders.

Interesting when thinking about balance of equities in a modern context: a nation state is prepared to spend 2 (of say 10 or 20 previously unknown stratagems) on a major military operation.

Z.Lozinski February 22, 2018 7:46 AM

@Clive

Yep, to pretty much everything.

I think firewalls became popular around the same time as web-sites (or internet facing applications) and the 3 tier architecture used to deliver them. Before that you had dedicated connections (SNA where you knew the endpoint, not IP) and strict access controls. With the growth of the web, and scale-out platforms, you had tens or hundreds of machines to secure. Much less effort to build a DMZ/firewall instead of individually securing every machine.

The point that people don’t understand the threat environment is a good one. Most people don’t think about APTs and state-level actors – perhaps reasoning they are not the target. Even in tech people have short term memories, and some of the techniques in APTs sound like science fiction (even though they are not). Of course the real problem is the trickle-down effect, where once APTs are exposed, they are adopted first by criminals and later by script-kiddies.

Key Management. This is hard to get right, because it embeds technical requirements into processes that people have to use, and people want to make their lives easier so they take short cuts with the processes, which then defeat the underlying requirements (which are often not explicitly stated). When you start introducing key hierarchies, with key-encrypting-keys and master-keys etc you are way beyond most people’s experience and intuition. If you look at the implementation of DES on the mainframe, much of the effort went into the key management system (ICSF). The major banks (and military) have people who are familiar with key management, but beyond that it’s a rare skill.

How do you fix this though, better education?

dAn February 22, 2018 9:19 AM

Pertaining only to the formation of the author’s discussion, the analogies are too varied. Walls, fences, and similar structures are established for many different reasons. The article should only draw upon examples directly similar to the environment being studied.

echo February 22, 2018 10:06 AM

@Z.Lozinski

Thanks. I just watched a Youtube on the assault on Fort Eben-Emael. It was very interesting.

One funny thing is the American invention of the hollow charge used by the Germans might be said to be the beginning of WWII, and the German invention of the atom bomb used by the Americans the end of WWII.

Clive Robinson February 22, 2018 4:03 PM

@ Z.Lozinski,

How do you fix this though, better education?

At the end of the day, everything we do we learnt one way or another so the answer is “yes”.

Which then devolves to what method.

We know some people learn by tactile behaviour, some by reading, some by visualizing and a rare few by seeing graphs of equations in their heads.

With all but those who learn by tactile behaviour, the old “Learn by rote” gets the fundamentals of a subject across but without any comprehension. In essence we learn to drive by repetitive tactile behaviour, the rules of the road signage etc are learned by rote, as comprehension of their existence is not required only obeyance. It’s not just cars but phones and even computers that most people learn to use by a mixture of tactile and rote. After all who really needs to know why we all press 9 for an outside line or 0 for a non local exchange.

But for anything above that we need to understand things, not just comprehension but ability to manipulate as required for a desirable outcome from many. The usual teaching method for this is the “view from afar” to the “20,000ft view” with worked examples and so on drilling down. As they say in physics, “Each lie replaces the one before a little more accurately”.

Eventually you get to levels where even a Master of Science degree is insufficient, you have to be able to independently research at well past Doctorate level but thankfully not having to write up as much 😉

The real question is can those that have to go all the way, make the path easier for those behind. There have been times when it would have been easy to squiggle a few equations here and say, that’s what you need to know… But in honesty how many would gain from it?…

Thus you have to take the slaughter house view, you drag in the creature and turn it into meal size chunks on white plastic trays with cooking instructions on the label. People miss one heck of a lot that could really enrich their lives but they get to survive another day.

Z.Lozinski February 22, 2018 5:44 PM

@Clive,

The real question is can those that have to go all the way, make the path easier for those behind.

Thank-you. You’ve just described a change in technology that I have observed over my career, but not put into words.

When I was starting out, there were teachers, and even journalists, who provided not just the basic facts, but some of the reasons why and some of the lessons learned. This was true for computing, electronics and optics. In the UK magazines like “Practical Electronics” and “Wireless World” had lots of very good articles. You could find books on computer design by people who had actually done it. If you were lucky you would even be taught by them.

Somewhere along the way, the information that was easily available changed to what and stopped being about the why. I first noticed this when I started working in telecoms: I had my Blue Book, but I could not find anything that explained the whys and wherefores of SS7. Equally, the rise of PCs gave rise to cookbooks, with magic incantations for tasks like NT system administration.

The problem with security is that it is a discipline where you need people who understand the big picture and are also comfortable with implementation details. The interesting vulnerabilities are either in the concepts (e.g. the SS7 assumption that everyone connected to the MTP network is a national administration and so can be trusted, which was probably valid in 1980) or come from the implementation details.

vas pup February 26, 2018 10:44 AM

@all – borders related technology case:

Supreme Court considers Microsoft overseas data row
http://www.bbc.com/news/technology-43196499
Microsoft disputed this interpretation, saying a warrant issued in the US could not be used to recover information outside the country.

It said the US government should use treaties signed with other nations to access data held on foreign soil. [I agree absolutely by reciprocity. Same should be primary tool for other related cases including extradition of criminals by reciprocity.]

It also said that customers were likely to stop using its and other US tech companies’ services if they thought the US government could access information about them no matter where they were.
Apple, Amazon, HP, eBay, AT&T, Verizon and Salesforce are among US companies that have voiced support for Microsoft’s stance.

David February 28, 2018 1:16 PM

JYA (Cryptome) and his partner gave a great talk on medieval architecture noting how tall, skinny buildings allowed for active defense against invaders. Only to be defeated by one they had not anticipated: Yersinia pestis

I think there’s a lesson for all of us in that.

D. Bronder February 28, 2018 2:58 PM

With no consideration, no pity, no shame,
they have built walls around me, thick and high.
And now I sit here feeling hopeless.
I can’t think of anything else: this fate gnaws my mind—
because I had so much to do outside.
When they were building the walls, how could I not have noticed!
But I never heard the builders, not a sound.
Imperceptibly they have closed me off from the outside world.

–Cavafy “Walls”

In the original Greek:

Χωρίς περίσκεψιν, χωρίς λύπην, χωρίς αιδώ
μεγάλα κ’ υψηλά τριγύρω μου έκτισαν τείχη.

Και κάθομαι και απελπίζομαι τώρα εδώ.
Άλλο δεν σκέπτομαι: τον νουν μου τρώγει αυτή η τύχη·

διότι πράγματα πολλά έξω να κάμω είχον.
A όταν έκτιζαν τα τείχη πώς να μην προσέξω.

Aλλά δεν άκουσα ποτέ κρότον κτιστών ή ήχον.
Aνεπαισθήτως μ’ έκλεισαν από τον κόσμον έξω.

The wall builder does not usually take into account the feelings of the excluded. Nor do they realize that enemies are being made. In network security one is working against hackers and other malicious types, but at the airport one is mostly dealing with people who are not threatening at all. There should be a difference between how those two groups of people are treated. Treating people badly reduces security in the long term.
