(caveat emptor: I have an end system^H^H^H^H^H^H^H^H^H^H host bias)
There are several good reasons to have BOTH a border and end system
depth in defense.
From an architectural view, the advantage of edge/border elements is
that they are in a better position to protect against
distributed/correlated attacks. (the downside is how fast do they have
Due to the nature of the "last bug" and its unwillingness to get fixed,
it will be necessary to have multiple points of security to avoid single
points of failure - good engineering. Hosts should handle as close to
everything as possible.
Security through obscurity is always laughed at, but one of the big
roles of intermediate firewalls is to provide a blinding function.
Sure, the thief knows I have a wallet somewhere in my house when I am
asleep. The fact that he does not know exactly where it is helps. It
is not an absolute solution, it is just another layer in the onion. (and
there are lots of other reasons for "blinding boxes").
In most enterprises there is separation of management responsibilities.
It is natural to think that the roles and responsibilities of edge vs
host based protection are different. The controller of a company is
responsible for being sure the business is conforming to a set of rules.
The line of business owner is implementing a business, generally aware
and conforming to the rules, but does make mistakes, overt or
inadvertent (one LOB not understanding what another LOB is doing and
potentially breaking an aggregate rule). I agree with the earlier
comments on checks and balances.
(in a just world we would not need a justice system, but I think we
have concluded that a lot of the internet resides in the real world)
From: Tony Hain [mailto:alh-ietf(_at_)tndh(_dot_)net]
Sent: Wednesday, March 20, 2002 8:23 AM
Cc: J. Noel Chiappa; ietf(_at_)ietf(_dot_)org
Subject: RE: Netmeeting - NAT issue
> The host may be too stupid to protect itself - read Bugtraq or other similar lists for the gory details.
The fact that many hosts are too stupid to protect themselves is not a
reason to architecturally require that the border provide security. The
marketplace may find an opportunity there, but 'the right thing' is to
set the expectation that self defense is the requirement.
> In addition, an external border is useful as a checks-and-balances, for the same sort of reasons why the person balancing your company's
> be the guy writing the checks,
Since I do both, I have a hard time agreeing with this analogy. Also if
you start down this path as justification for a filtering router as a
security device, there needs to be an external auditor in the picture.
Where is that service in the average NAT?
> or having Customs inspectors at the border crossing - what percent of the people on international
> the rules about carrying live biologicals (both animal and
> any country they may be visiting?
This argument has some level of merit, but has the orientation
backwards. The border guard is not there to protect the traveler who
might be inadvertently (or maliciously) carrying contraband substances
across the border. They are there because it is cheaper to have a few
educated guards than to continually educate the entire internal
population on proper isolation and disposal. Since software doesn't have
the same attention variability over time as humans, or the continual
churn in education level for each generation, there is reason to believe
that eventually self protection could be cheaper than the overhead of a
collection of border guards.
My question was directed at Noel's assertion that security requires a
site border router as the implementation. Just because that may be
cheaper than fixing all the current hosts, wouldn't we be better off in
the long run if all future hosts protected themselves?