On Feb 19, 2007, at 8:06 AM, <michael.dillon bt.com>
<michael.dillonbt.com> wrote:
> And if the system designer is creative enough, then
> this firewall thingy which is reputed to protect you
from bad stuff,
> would also download and install the latest patches to
protect against
> browser exploits. If this is all run on a separate CPU
it can also do
> some pretty in-depth inspection and do things like
block .exe
> attachements in email.
If we had some cheese, we could make a ham-and-cheese
sandwich, if we
had some ham.
;>
This discussion started out with an assertion that that
security
problem for general-purpose OS endpoints had been 'solved'.
It in
fact has not been solved for any reasonable degree of solved
- there
are basic layer-7 problems with the fundamentals such as
HTTP (which
to most users is 'the Internet), and while there are various
efforts
to attempt to mitigate these problems via the insertion of
inspection/
removal by network devices, these efforts are in their
infancy and
also introduce other complexities which are corollaries of
the
canonical end-to-end principle (vs. the common misperception
of what
the end-to-end principle actually encompasses).
------------------------------------------------------------
-----------
Roland Dobbins <rdobbinscisco.com> //
408.527.6376 voice
The telephone demands complete participation.
-- Marshall McLuhan
|
