When I was much younger, a friends dad was the local OPP constable. The area I grew up in houses were many km apart. There’s a photo to the right, somehow through the magic of 110-camera stuck winding, a double exposure showing both out the front and back of our house at the same time! (I don’t have a lot of photos from when I was young, and none of them are particularly ansel adams-quality). As a consequence of distance, everything involved driving.
There came a time when it was high school graduation for my friends older brother, and I was surprised that his dad (the cop) (and a few other parents) were hosting an after party at their farm where they would supply alcohol. The rationale was “Those kids are going to drink anyway, it may as well happen where they won’t drive afterwards and with some outer-boundaries of safety”.
Now, I wonder if this pragmatic approach “bad things will happen, rather than try and prevent them, attract and contain” could apply to network security (oh you thought this would be about Radon again? sorry!)
You see, there are some hugely risky behaviours out there today. One of them is the use of containers and their upstream repo’s without much thought. For example, Docker, its common to use things from the Docker Hub without giving them a thought. But are they up to date? Are they free of purposeful malware? This paper says no. So ultimately you are relying on the (thin) walls of the container to prevent the badness from leaking out. And, in a world of Spectre, this could be not as great as you think.
However, thin walls of a container do nothing for networking, and that container you did a pull on, “docker pull evil”, can wander around your network, east<->west, attacking and surveilling your other virtual machines and containers. And this is because outbound firewalls are rare to configure, and inbound are 1-tuple port-only. Hmm.
So I wonder if we can take a page from a rural cop’s book and find some way to, instead of entreating people to be more careful with these powerful technologies and try to be perfect, simply accept that bad things will happen, and, create a strong sandbox for the slices or zones.