Thus spake "James Seng" <jseng@pobox.org.sg>
> The question: smart terminal or smart network?
>
> I believe in smart terminal. Nothing there suggests you should not run
> your firewall or any other filtering software on your end-terminal.
>
> End-machines are vulnerable? Then fix the end-machine. It isn't rocket
> science.

Perhaps it _is_ rocket science, since I have yet to see an OS and suite of
applications which are capable of meeting modern productivity needs while
providing even rudimentary security. Surely if it were simple, someone would
be selling it and get rich...

Humans are lazy and cheap. It is significantly easier, not to mention more
effective, to manage a single firewall accessible by a handful of highly
trained security experts than it is to ensure the security of thousands,
possibly tens of thousands, of hosts that are managed by users who are
neither skilled at nor interested in evaluating and compensating for
application security flaws.

End to end is good, and dumb networks are good. But at the edge (by that I
refer to all non-transit AS's) it's more cost effective to create a strong
perimeter and give up on anything inside that perimeter. Perhaps it's not
the strongest solution in the end, but the people paying the bill rarely
care.

Of course, we all know the oft-quoted figure that 80% of electronic crime is
committed by insiders. I'm pretty sure this is a direct effect of the above
trend, but corporate types seem to feel punishing insiders after the fact is
good enough, and prevention only applies to strangers.

S      Stephen Sprunk      "God does not play dice."  --Albert Einstein
       CCIE #3723          "God is an inveterate gambler, and He throws the
K5SSS                      dice at every possible opportunity." --Stephen Hawking