Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!bellcore!ka9q.bellcore.com!karn
From: karn@ka9q.bellcore.com (Phil Karn)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Security services in border GWs (was: Suspicious Secure GW)
Message-ID: <23826@bellcore.bellcore.com>
Date: 2 Jun 90 23:18:10 GMT
References: <25040@usc.edu>
Sender: news@bellcore.bellcore.com
Reply-To: karn@ka9q.bellcore.com (Phil Karn)
Organization: Secular Humanists for No-Code
Lines: 18

In article <25040@usc.edu> tsudik@pollux.usc.edu (Gene Tsudik) writes:
>In summary, end-system controls are inadequate for protecting internal network
>resources. To control access to such resources, border gateways need to
>implement appropriate security mechanisms.

Yes, your conclusion does follow from your premise. The question, though, is whether this is a real problem. Most private corporate or campus networks are "stubs" off the main Internet, so what can anyone gain by sending traffic into such a network without access to a host on that network? Sabotage of the private network itself is of course a possibility, but this can be handled by turning on a gateway filter to block the offending traffic.

I don't oppose filtering gateways per se. I just think they're like police roadblocks: appropriate during emergencies, but too disruptive for routine operations.

Phil