Choosing Who You Talked With

Should Technology Do More To Protect You?


cyril kearney

3:36 pm on Aug 26, 2003 (gmt 0)

Let's say that I have a very old email system that is far out of date. I am wide open to spread viruses and worms.

Would we want to know that before accepting email from me?

I don't think so.

Here's an example of an alternative. I have a Hotmail or Yahoo email account. I try to login with an IE version 2 browser. Should Hotmail or Yahoo let me into their system?

Once on, should Hotmail or Yahoo be able to tell the level of virus protection I have? Are my security patches up-to-date? Should they drop me if not?

From the other side, if my browser gets a page from a site should it be able to tell the security level of the serving site and reject unsecured sites?

The bad guys would probably be able to get around these security restrictions, but wouldn't filtering out unsecured sites, browsers and email clients greatly reduce the spread of viruses and worms?

bakedjake

3:56 pm on Aug 26, 2003 (gmt 0)

The bad guys would probably be able to get around these security restrictions, but wouldn't filtering out unsecured sites, browsers and email clients greatly reduce the spread of viruses and worms?

Most network engineers prefer the Internet to be transparent - that is, don't secure the network, secure the host. Many believe that this is the problem with the Internet today. But that principle is what has allowed the number of devices on the Internet to grow at such a staggering rate.

If your car is overheating, or the brakes are failing, should it be the responsibility of a red-light or stop sign to tell you that? People need to be responsible for their computers. If that means keeping it up to date and having it checked out once every six months by a professional, so be it. If that means not running insecure software, so be it.

cyril kearney

5:38 pm on Aug 26, 2003 (gmt 0)

bakedjake,
I cannot compel you to think as I think. But I can stop talking with you if I desire. For me that is exercising my domain (me) maturely by controlling what is within my control.

I can lock my door to keep you out, delete your email unopened and screen your phone calls. Not that I ever would, of course, I am just making an example.

Just as I can manage how I communicate at a personal level, would it not make sense to extend that type of control to the technology I interact with? If I can spam filter and virus filter, why should I not filter out technologically dangerous sites, web pages and emails?

Why not have a red light tell me if my car is overheating? If my home heating system was overheating why not have the system shut down rather than burn my house down?

bakedjake says:
"Most network engineers prefer the Internet to be transparent - that is, don't secure the network, secure the host."

Most people thought the earth was flat at one time so I am not overwhelmed with in-the-box thinking.

rcjordan

5:57 pm on Aug 26, 2003 (gmt 0)

Just reading the following piece yesterday, Cyril... Adam Curry is experimenting with rss feeds and readers to make an alternate delivery system. I'll let them work through the beta, but it appears that a lot of the pieces have already fallen into place.

Email is Dead, Long Live Email! [blognewsnetwork.com]

bakedjake

6:47 pm on Aug 26, 2003 (gmt 0)

cyril,

First, let me say how much I enjoy discussions like these. Thanks for the thread. :)

I can lock my door to keep you out, delete your email unopened and screen your phone calls. Not that I ever would, of course, I am just making an example.

This falls into a host decision, IMHO. I do have people in my killfile whose email automagically evaporates into thin air upon receipt by my mail server. This is a personal decision you make, and I have no issues with this. I'm agreeing with you here.

If I can spam filter and virus filter, why should I not filter out technologically dangerous sites, web pages and emails?

You can. Again, this is a host decision, not a network decision. I agree with you here.

Why not have a red light tell me if my car is overheating?

[Note: By red-light, I meant a traffic signal.]

Ah, here's where I disagree. You're asking the network to do the host's job. It's not the traffic signal's function to tell you if your car has faulty brakes - it's the responsibility of the car (or the owner, or the mechanic) to do that. The sole purpose of the traffic light is to route traffic.

To further amplify, let's take your idea out a bit. Suppose ISPs refused access to people who didn't have their computers patched. Let's say if an ISP detected that your machine was vulnerable, they wouldn't let traffic to/from the internet pass through to your machine. What would happen? The Internet would break in half. Providers would start making arbitrary decisions based on security. Many ISPs would refuse to connect you directly (with a routable IP address) to the Internet for "security reasons". It would become a feature, not a bug. "No more viruses or spam! We'll clean things for you before they even reach your computer!".

Sound familiar? Of course it does. It already happens with the largest ISP in North America (among many other ISPs), and with many corporate environments. Protocols ARE breaking.

Many of my former colleagues (I used to be in the WAN business) think that firewalls and NAT will be the end of the Internet as we know it. Firewalls started out as a way to keep the "bad guys" out. But why do we need to keep the bad guys out if our hosts are secured? Now we have stateful firewalls that can sniff out bad packets. Some stateful firewalls have progressed to the point where they can detect, intercept, and destroy virulent email before it even hits the mail server, because we found that some email servers can't handle the load produced by virulent emails. Or aren't properly defended themselves from attack. So we've moved the detection and elimination out one more step - to the edge of the network.

AFAIK, there are no core networks running any sort of filtering or detection on traffic transiting their network. Many have argued that all the core networks need to do is block 135-139, and all of these virus problems will go away. Core network providers will do everything in their power to keep the network transparent, as they should. If they didn't, things would break. Seven years ago, blocking any ports at the core would be unheard of. Now, it's been done, but only for emergencies (such as slammer). In 5 years, will core networks routinely block ports arbitrarily in the name of security, with no thought to the people using those ports legitimately?

The anti-spam people argued that port 25 outgoing to the network should be blocked almost 7 years ago. Many providers have since done this. And the problem has become worse, not better. In fact, the only remotely effective spam solution to this day has been software installed by the hosts on the Internet, tailored to their individual environment - in effect, securing the host. The blocking of port 25 solution - securing the network - has failed.

If you secured all the hosts on the Internet, there would be no vulnerabilities. If you secured all the networks from all of the hosts, there would be no Internet.

rcjordan

12:32 pm on Aug 29, 2003 (gmt 0)

More on using rss for 'choosing who'

With E-mail Dying, RSS Offers Alternative: Publishers Must Find New Delivery Methods [editorandpublisher.com]