Distributed/End-Point Firewall Control (DEFCon) Requirements
draft-sahita-defcon-reqs-00
| Section | Field | Value |
|---|---|---|
| Document | Type | Expired Internet-Draft (individual), Expired & archived |
| | Authors | Ravi Sahita, Priya Govindarajan |
| | Last updated | 2003-02-24 |
| | RFC stream | (None) |
| | Intended RFC status | (None) |
| | Formats | |
| Stream | Stream state | (No stream defined) |
| | Consensus boilerplate | Unknown |
| | RFC Editor Note | (None) |
| IESG | IESG state | Expired |
| | Telechat date | (None) |
| | Responsible AD | (None) |
| | Send notices to | (None) |
This Internet-Draft is no longer active.
Abstract
This document describes the requirements for the architecture and a distributed framework for end-point firewall control (DEFCon). This draft also discusses requirements for the individual pieces in the framework. Perimeter firewalls are predominant in enterprise networks but do not provide the protection a mission-critical network needs against misuse or abuse from nodes inside the network. Additionally, a wireless infrastructure makes every host vulnerable, since in that case access is not fundamentally restricted by the infrastructure. Likewise, traffic is increasingly being encrypted end-to-end using SSL, IPSec, etc., where viruses, worms and confidential information can also be hidden from the security components. This requires the perimeter firewall to become a man-in-the-middle for all secure sessions, which breaks the end-to-end principle and thus renders many protocols useless since they are inevitably blocked. A host-based firewall on nodes in the enterprise network protects the network from the inside out. This approach does not preclude perimeter firewalls; instead, it provides defense in depth and reduces the load on perimeter firewalls. The host-based approach also upholds the end-to-end theme, since it allows traffic to be securely encrypted end-to-end while still assuring safety from infection, compromise and attack.
Authors
Ravi Sahita
Priya Govindarajan
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)