Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!kwe
From: kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England))
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Re: IP based authentication of hosts
Summary: You have to start somewhere
Message-ID: <29624@bu-cs.BU.EDU>
Date: 14 Apr 89 21:07:49 GMT
References: <376@ists.ists.ca> <29416@bu-cs.BU.EDU> <29455@bu-cs.BU.EDU> <10526@bloom-beacon.MIT.EDU> <29475@bu-cs.BU.EDU> <709@scaup.cl.cam.ac.uk>
Reply-To: kwe@buit13.bu.edu (Kent England)
Followup-To: comp.protocols.tcp-ip
Organization: Boston U. Information Technology
Lines: 27

In article <709@scaup.cl.cam.ac.uk> scc@cl.cam.ac.uk (Stephen Crawley) writes:
>
>I put it to you that your ``modest degree of security'' is actually
>no security worth speaking of.
>

With no flame intended (since you are so polite in your response): I put it to you that this objection that "security" without total "security" is no security is a way to do nothing, when something needs to be done. I must start somewhere and I don't intend to be put off by this kind of argument.

I should say that one of the things we don't mention often enough is that any discussion of security needs to talk specifically about the threat that is being countered. I am as guilty as anyone in not explicitly defining the threats I think need to be countered.

No one knows exactly what threat they are faced with. Perhaps they have an idea, when presented with a threat scenario, whether they think they must counter it.

While I don't know exactly what threats I am faced with, I know that applying reasonable measures will result in a winnowing of the threat "pool". Doing nothing results in nothing being done.

Of course, doing something does not guarantee that anything useful has been accomplished and for that reason I appreciate everyone's comments, recommendations, and pointers.

Thanks.