Re: myth of the great transition (was US Defense Department formally adopts IPv6)

2003-06-19 21:45:32
Thus spake "James Seng" <jseng(_at_)pobox(_dot_)org(_dot_)sg>
> The question: smart terminal or smart network?
>
> I believe in smart terminal. Nothing there suggests you should not run
> your firewall or any other filtering software on your end-terminal.
>
> End-machines are vulnerable? Then fix the end-machines. It isn't rocket
> science.

Perhaps it _is_ rocket science, since I have yet to see an OS and suite of
applications which are capable of meeting modern productivity needs while
providing even rudimentary security.  Surely if it were simple, someone
would be selling it and get rich...

Humans are lazy and cheap.  It is significantly easier, not to mention more
effective, to manage a single firewall accessible by a handful of highly
trained security experts than it is to ensure the security of thousands,
possibly tens of thousands, of hosts that are managed by users who are
neither skilled at nor interested in evaluating and compensating for
application security flaws.

End to end is good, and dumb networks are good.  But at the edge (by that I
refer to all non-transit AS's) it's more cost effective to create a strong
perimeter and give up on anything inside that perimeter.  Perhaps it's not
the strongest solution in the end, but the people paying the bill rarely
care.

Of course, we all know the oft-quoted figure that 80% of electronic crime is
committed by insiders.  I'm pretty sure this is a direct effect of the above
trend, but corporate types seem to feel punishing insiders after the fact is
good enough, and prevention only applies to strangers.

S

Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking