Re: Access Control, Authentication, and Perimeter Security

[Paul McNabb <mcnabb () argus-systems com>]

>  >Are there circumstances where access control and authentication should take
>  >precedence over perimeter defenses?
>  
>  Yes, when you are putting together an e-brochure to promote an eSeminar on
>  eSecurity, and you don't realize -- as you point out -- that authentication
>  and access control are part of perimeter security.  I think this happens when
>  e-Marketers get too carried away with e-Hype without the right e-xpertise.
>  Maybe they just aren't e-lite....

Of course it depends on how you define "perimeter defenses", but most people
talk about perimeter defense as those mechanisms that separate the "inside
computers" from the "outside computers" as opposed to those mechanisms that
sit on and protect a single server.  Usually firewalls and IDS are considered
perimeter defenses (and yes, there can be an authentication component to a
FW).  Server-based security, such as auditing, trusted OSes, application
level encryption, system hardening, and application identification and
authentication are usually considered non-perimeter defenses.

I don't know what the eWeek seminar is about, but if they are looking at
a lot of technologies it certainly would be appropriate to make a distinction
between the perimeter defenses and the server/application-based access control
and authentication components.

Not to claim that there isn't a lot of e-Hype out there...

paul

---------------------------------------------------------
Paul A. McNabb, CISSP           Argus Systems Group, Inc.
Senior Vice President and CTO   1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards