[Fwd: Security]
Security is large and crosses a variety of technologies. This is my
attempt at cutting up the space.
1) Inherent Security is what we do in the design of our products,
protocols, configurations that provide the communications in a secure
fashion. In BGP for example, knowing that I can identify a border router
in the Internet that is running BGP and knowing that I can identify all
the routers an organization has deployed as gateways to the Internet
means that I can potentially disrupt every router that an organization
has and cause route flapping. Providers will shut down a connection that
is route flapping. End result, the organization is off the net for a
fairly long period of time. Similarly, DOS attacks by requesting
services at a rate that exceeds what the network element can keep up
with denies others from those services.
2) Embedded security are those functions we put into our communication
products that help secure access to the product. AAA, biometrics, SSH,
MD5 on routing protocols, etc. These features are not a primary
function (communications) of the product.
3) Security products are those products whose primary function is
security and not communications. Their purpose is as point solutions to
provide a secure interface to a communications system such as firewalls
or to provide support for embedded security such as RADIUS.
4) Finally, Security Services is a customer of the first three. Security
services is those design and configuration paradigms that are used to
build a communications system in a secure fashion, given the state of
inherent security, embedded security and security products.
As with all such simple views of the world, it is not clear if this taxonomy
covers everything in a clean manner. AAA is split between embedded
security and security products. VPNs? Embedded and security products?
I see definitions 1, 2, and 4 as being relevant to our discussions.
tom