Firewall Wizards mailing list archives

Re: encapsulated protocols?


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Sat, 07 Feb 1998 11:09:06 -0500

Itai Dor-on writes:
It is not practical, under the current implementation, for any vendor to
support all known Internet services that are home made.

Thus, security handling should rely on the specific software vendor.

Any vendor writing applications that are Internet aware should take
security exploits in his product under consideration, and support it.

Itai's hit the real issue. Applications that have any kind
of security relevance should be self-secured. They should be
developed so that they can withstand attack on their own.
I'm not sure what it's going to take to get vendors of s/w to
recognize this (presumably a cattle prod or a lot of money)
and get with the program. When/if(?) the development tools exist
to make it easier to create secured connections maybe then
developers will stop just using the default.

I believe it is essential that applications become self-secured.
It's the only way to handle scalability correctly. With a firewall,
if the firewall is responsible for analysis of every app going through
it, you're always going to be on the bad end of performance. If the
applications are OK, then the firewall can basically be replaced
with a simpler gateway that only handles open protocols (e.g.: SMTP)
that are known problems and are "public" data. You can scale your
performance very cleanly if the systems at your boundary are only
doing broad-brush security and network level control -- leave the
complex stuff to the host software on the user's desktop where
it belongs.

Of course, it'll probably never happen. :( My secret plan for
securing the Internet had one big fatal flaw: you start by
scrapping the complete set of applications that we're running
and starting over from scratch. First you design a new socket
API with options for application level switching, authentication,
encryption negotiation, redirection (under authentication) and
reconnection (while you're at it!). Then you scrap TELNET, SMTP,
FTP, NNTP, HTTP, and all that crap and rewrite them to use some
sane underpinnings. And you expose the implementation of those
underpinnings to everyone to hammer on until they look rock
solid. The final phase is when we convince the backbone
interconnects to put filters in place to block the remaining
SMTP, FTP, TELNET, and HTTP traffic. :) Bwaahaaahaaaaaaaa!!!!
We *COULD* make huge improvements to the Internet, security-wise
but they cannot be incremental or backwards compatible. With the
amount of money people are spending on half-assed solutions
(firewalls, IDSs, VPNs, authentication tokens, etc.) we could
easily have just fixed things, if we'd been willing to put
aside vendor self-interest and take the whole thing offline
for about a year. :)  Ok, I'm insane, but if I was King of the
Internet, that's what I'd do. :) We need to convince Ted Turner
to give a billion dollars to the Internet-2 project. Or maybe
Bill Gates. :)

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
