Face it folks. Provisioning security services at network perimeters is just wishful thinking, and this is not a new insight.
Traditional packet filtering firewalls are absolutely necessary (do you walk around your neighborhood naked?) but they must become much more widely distributed *inside* large networks in order to be effective. The same applies to application filtering technologies (some of which are very promising) and all the other stuff people think of as perimeter defenses.
Any attempt to set up large networks as controlled domains with known security characteristics is a losing battle. The world needs to go to endpoint-driven security. A lot of companies are working on making this manageable and cost-effective. And while we're at it, that's also the place to incorporate highly granular access-control services.
As long as you have machines on your network that can hit external web sites or have floppy drives or unauthorized wireless access points, your internal network *is* the internet.