> >>> Keith Moore wrote:
> >>> I believe the primary purpose of firewalls should be to
> >>> protect the network, not the hosts, from abusive or
> >>> unauthorized usage.
>
> >> Michel Py wrote:
> >> I do not agree with this. The primary purpose of firewalls is
> >> to protect BOTH the network and the hosts.
>
> > the reason I disagree is that fundamentally, there's no way
> > that a firewall can reliably distinguish legitimate traffic
> > from illegitimate traffic,
>
> This is flat out untrue. Below are a few examples of illegitimate
> traffic that my firewall trashed recently.

read what I wrote again. yes it can catch some things that are
illegitimate. it cannot reliably catch all things that are
illegitimate without also blocking legitimate traffic.

> > what it cannot do is remove the burden from hosts and
> > applications to implement reliable security.
>
> This is unexpected coming from you. Look again at the last example I
> pasted. Do _you_ suggest that I should trust _that_ vendor to implement
> reliable security?

I believe you should buy or write applications that ensure their own
security and protect the security of the machines on which they are
hosted. I believe you should buy computing platforms that provide
facilities to isolate applications from one another, so that a single
compromised application doesn't compromise your entire platform.

I didn't say you should trust others' applications to not try to attack
your system.

> >>> an intermediary MUST NOT alter the source or destination
> >>> field in an IP header.
>
> >> There is nothing wrong with this if another intermediary puts it
> >> back the way it was originally, preserving end-to-end traffic.
>
> > if you're talking about RSIP, I don't think that's true, because
> > IIRC it still requires hosts and apps to be aware of addressing
> > realms.
>
> I was talking about MHAP which is transparent to hosts and apps.

I'm not familiar with that acronym. pointer to a spec?

Keith