warning... implementing control by denying information (such as not
telling the bad guy which port the secured-by-obscurity process is
ACTUALLY running on) is not terribly good security. It is certainly
reasonable control over people who want to be controlled
("management"), but not very good control over people who do not want
to be controlled ("security").
The same is true of using port numbers to identify protocols.
People have already figured out that the only protocols that can be
deployed in practice are the ones that run over port 80 using HTTP, the
firewall bypass protocol.
Of course, if all protocols (and their implementations) were
sufficiently secure themselves, firewalls wouldn't be needed, and the
Net would be simpler than it is. But wishing won't make it so....
Nothing will give you absolute security. But there are solutions that
will help the process of security management.
Firewalls are a triage device, they block a large proportion of attacks
at the front door. This frees up the security managers to focus on the
most serious threats. But no, firewalls without management don't provide
much security.
If every single protocol developed by the IETF were to be deployed
tomorrow it would not have more than a marginal effect on Internet
crime. Nor is this surprising, the types of fraud being performed by
professional Internet criminals were not anticipated twenty years ago.
The only thing that is surprising is that there are still people who
think that the end-to-end security theory is the only acceptable
security approach. This despite the continued failure to deploy systems
designed on that principle or get them used.
Clearly we need a different security approach than hoping that someday
everything can be done at the application ends.
I think that it is better to look at the way security professionals
secure networks in practice and follow their lead rather than continue
to promote an unproven academic theory.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf