(caveat emptor: I have an end system^H^H^H^H^H^H^H^H^H^H host bias)

There are several good reasons to have BOTH a border and end system depth in defense. From an architectural view, the advantage of edge/border elements is that they are in a better position to protect against distributed/correlated attacks (the downside is how fast they have to run). Due to the nature of the "last bug" and its unwillingness to get fixed, it will be necessary to have multiple points of security to avoid single points of failure - good engineering. Hosts should handle as close to everything as possible.

Security through obscurity is always laughed at, but one of the big roles of intermediate firewalls is to provide a blinding function. Sure, the thief knows I have a wallet somewhere in my house when I am asleep. The fact that he does not know exactly where it is helps. It is not an absolute solution, it is just another layer in the onion. (And there are lots of other reasons for "blinding boxes".)

In most enterprises there is separation of management responsibilities. It is natural to think that the roles and responsibilities of edge vs host based protection are different. The controller of a company is responsible for being sure the business is conforming to a set of rules. The line of business owner is implementing a business, generally aware of and conforming to the rules, but does make mistakes, overt or inadvertent (one LOB not understanding what another LOB is doing and potentially breaking an aggregate rule). I agree with the earlier comments on checks and balances. (In a just world we would not need a justice system, but I think we have concluded that a lot of the internet resides in the real world.)

-----Original Message-----
From: Tony Hain [mailto:alh-ietf@tndh.net]
Sent: Wednesday, March 20, 2002 8:23 AM
To: Valdis.Kletnieks@vt.edu
Cc: J. Noel Chiappa; ietf@ietf.org
Subject: RE: Netmeeting - NAT issue

Valdis.Kletnieks wrote:
> The host may be too stupid to protect itself - read Bugtraq
> or other similar lists for the gory details.

The fact that many hosts are too stupid to protect themselves is not a reason to architecturally require that the border provide security. The marketplace may find an opportunity there, but 'the right thing' is to set the expectation that self defense is the requirement.

> In addition, an external border is useful as a checks-and-balances,
> for the same sort of reasons why the person balancing your company's
> books shouldn't be the guy writing the checks,

Since I do both, I have a hard time agreeing with this analogy. Also, if you start down this path as justification for a filtering router as a security device, there needs to be an external auditor in the picture. Where is that service in the average NAT?

> or having Customs inspectors at the border crossing - what percent of
> the people on international flights understand the rules about carrying
> live biologicals (both animal and vegetable) for any country they may
> be visiting?

This argument has some level of merit, but has the orientation backwards. The border guard is not there to protect the traveler who might be inadvertently (or maliciously) carrying contraband substances across the border. They are there because it is cheaper to have a few educated guards than to continually educate the entire internal population on proper isolation and disposal. Since software doesn't have the same attention variability over time as humans, or the continual churn in education level for each generation, there is reason to believe that eventually self protection could be cheaper than the overhead of a collection of border guards.

My question was directed at Noel's assertion that security requires a site border router as the implementation. Just because that may be cheaper than fixing all the current hosts, wouldn't we be better off in the long run if all future hosts protected themselves?

Tony