
Is internet security better at the network or application layer?


Matt Bird

Mar 29, 2000, 3:00:00 AM
I'm new to all this security business and my head hurts from reading all the
information surrounding the topic. What I need to know is in terms of the
Internet, does network layer security or application security offer the best
security and why?

Can anyone help me and save me from going insane!

Many thanks

Matt


Barry Margolin

Mar 29, 2000, 3:00:00 AM
In article <8bt0m7$ffa$1...@newsg4.svr.pol.co.uk>,

There's no single answer. Some things are best done at the network layer,
while others are best done at the application layer. Other distinctions
that can be made are protection at the border (e.g. by a firewall) versus
at the end host (e.g. with TCP Wrappers).

--
Barry Margolin, bar...@bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

Michael Sierchio

Mar 29, 2000, 3:00:00 AM
Barry Margolin wrote:

> There's no single answer. Some things are best done at the network layer,
> while others are best done at the application layer. Other distinctions
> that can be made are protection at the border (e.g. by a firewall) versus
> at the end host (e.g. with TCP Wrappers).

The problem with security (Barry knows this) is that it is relatively
ill-defined. What risks do we hope to mitigate? An application running
on a host may not wish to trust the host's IPSec, and may want something
like SSL. Remote IP users who want secure access might want SKIP, which
encrypts at the IP layer. Stateful packet filtering firewalls are useful,
and so are application proxies. Define the requirements, and we can
develop a convincing story ;-)

mel...@myweb.com.my

Mar 30, 2000, 3:00:00 AM

> I'm new to all this security business and my head hurts from reading all the
> information surrounding the topic. What I need to know is in terms of the
> Internet, does network layer security or application security offer the best
> security and why?
>
> Can anyone help me and save me from going insane!

I think the best way to start is having a clearly defined security
policy for your company/institution - this will have things like what
you want to achieve (do we allow telnet from outside of our network?,
who should administer our database?), things like that.
And from there, see how each implementation behaves in respect to
security.

--mel



Matt Bird

Mar 30, 2000, 3:00:00 AM
Hi,

Thanks for the replies. I'm trying to get some research for an assignment
I'm doing at university.

What I have been reading are some papers on IPsec, saying how wonderful it
is and how it offers security.

I then read that security shouldn't be at the network layer because:
-- the application layer is better as it makes it easier to define the trust
boundaries between trusting agents

and

-- it is not clear if encryption rates will always be sufficiently fast to
compete with data throughputs of future high speed networks... though this
one was written in September 98 and I have no idea how far network
technology has advanced in the last year and a half and if this is a
problem now.

One last thing. Do you have any words of wisdom about SSL?

Many thanks.

Matt Bird


Wally Whacker

Mar 30, 2000, 3:00:00 AM
"Matt Bird" <mat...@numnum.freeserve.co.uk> writes:

> I'm new to all this security business and my head hurts from reading all the
> information surrounding the topic. What I need to know is in terms of the
> Internet, does network layer security or application security offer the best
> security and why?
>
> Can anyone help me and save me from going insane!
>
> Many thanks
>
> Matt

Well you better buy a lot of advil and get a good psychiatrist because
it isn't going to get any easier in the near future.

Your specific question is answered with, protect the network with
network security. Protect the application with application security.

i.e. If you don't want people snooping around your network, protect it
with network security like a firewall. If you are letting people use
an application with any security consequences, use application level
security.

For example, if you are letting people into your network to
reach your web server, the network security has already been bypassed
(on purpose). You need to make sure the application is sound.

It might ease your headache to imagine your network as a castle. (This
is a quaint analogy so don't give me a hard time). The drawbridge and
sentries are the firewall that controls access to the network (network
level). The guards who roam the streets keeping the avenues of
communication open are like an intrusion detection system
(network). The royal treasure can be accessed by those allowed to, but
that access is limited and watched carefully (application level
security and logging).

Hackers are like enemy spies who sneak in undetected and Trojan Horse
programs are analogous to, uh, well, I guess there the analogy falls
apart and becomes virtually identical.

http://hackerwhacker.com is like a security guard making the rounds
and checking to make sure no doors have been left open accidentally.

Wally

--
Strangers in your computer? Don't be the last one to find out.
HTTP://HACKERWHACKER.COM
Security Link of the Hour:
http://www.securitysearch.net http://hack-net.com
