> On large sites, sometimes with several accesses to the Internet, you're
> probably right. But (correct me if I'm wrong) such large and complex sites
> are not the most common case nowadays, are they?

I really don't know, and it would be highly interesting to have better insight into this. Do the bulk of machines come from (a whole lot of) small, administratively homogeneous sites, for which it's reasonable to think that they should be able to get a handle on their site security policies? Or from ISPs? Or from large sites like .edu's?

I suspect the scaling works against security whichever way it goes. If it's large sites, it's the problem I've been arguing, that it's fairly intractable to actually get a handle on *and continue to maintain* some sort of coherent policy. If it's small sites, even though in principle the administration is tractable, there will be enough of them that a significant fraction will not, for whatever reason, manage to have any sort of solid/coherent policy.

Vern

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 10:36:16 PDT