
RE: Port numbers and IPv6 (was: I-D ACTION:draft-klensin-iana-reg-policy-00.txt)

2005-07-18 09:50:52


warning... implementing control by denying information (such as not telling the bad guy which port the secured-by-obscurity process is ACTUALLY running on) is not terribly good security. It is certainly reasonable control over people who want to be controlled ("management"), but not very good control over people who do not want to be controlled ("security").

The same is true of using port numbers to identify protocols. 

People have already figured out that the only protocols that can be
deployed in practice are the ones that run over port 80 using HTTP, the
firewall bypass protocol.

Of course, if all protocols (and their implementations) were sufficiently secure themselves, firewalls wouldn't be needed, and the Net would be simpler than it is. But wishing won't make it so....

Nothing will give you absolute security. But there are solutions that
will help the process of security management.

Firewalls are a triage device: they block a large proportion of attacks
at the front door. This frees up the security managers to focus on the
most serious threats. But no, firewalls without management don't provide
much security.

If every single protocol developed by the IETF were to be deployed
tomorrow it would not have more than a marginal effect on Internet
crime. Nor is this surprising: the types of fraud being performed by
professional Internet criminals were not anticipated twenty years ago.

The only thing that is surprising is that there are still people who
think that the end-to-end security theory is the only acceptable
security approach. This despite the continued failure to deploy systems
designed on that principle or get them used.

Clearly we need a different security approach than hoping that someday
everything can be done at the application ends. 

I think that it is better to look at the way security professionals
secure networks in practice and follow their lead rather than continue
to promote an unproven academic theory.


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf


