> Should the applications be insecure and rely on a firewall?
> (Microsoft advocated this in the 1990s and it has stuck to a large
> extent). Or should the network be open and the applications secure?
>
> I'm strongly with you on this. The applications should take care of
> any security that is necessary *for that application*.

In other words, we should abandon door locks and make certain that anything you don't want stolen is individually secured --because only the device manufacturer could ever know how valuable it is, and how best to prevent it being stolen? In your own words:

> No. No. No.

Security is layered in the physical world, and it should be layered in the network, as well. That I argue for a default "domain based" posture, where all machines within a given "domain" are all fully reachable, but those outside the "domain" are not reachable unless specific actions are taken to make them reachable, doesn't mean I don't think individual computers need security at all, or that all security should rely on the firewall. "All security must be on the firewall or in the applications" is a false dichotomy.

> Security is not a layer-2 function. Security is an application
> function. You had it right the first time. Key exchanges and
> certificates are not layer-2 functions.

Security is an application function, yes. Security is also a network function, and security is a machine level function. All of these have a role to play in security.

:-)

Russ

>
> It is entirely possible that the same computer has pictures of Grandma
> that I'm OK with you seeing and has a printer hanging off it that I
> don't want anyone in the world to be able to print on. Same MAC
> address. So that can't be a layer-2 function.
>
> And port filtering at a firewall is a lame excuse for security. The
> bug in relying on a firewall in an enterprise (a little less so for a
> home) is that once any one user downloads malware, that malware has
> access to everything behind the firewall largely because of the
> assumption that security is not needed because there is a firewall.
>
> Let's not enshrine the dumbest practices of the IT world.
>
>> I think homenet should focus on L3. (and be clear on what it expects
>> from the other layers with regards to security).
>>
>> cheers,
>> Ole
>
> Curtis
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet