Today, cooperation of the good guys against the brotherhood of hackers is fragmented rather than a principle. Too often companies and other entities are reluctant (for good reasons) to share security-related information. The prevailing principle is: what is inside my walls is my business; the rest of the Internet, including my customers, does not concern me. On top of that, everyone handles security patching themselves, or leaves it until later. No surprise, then, that most security breaches are carried out using known vulnerabilities for which patches already exist, and the hackers can keep on using the same resources against many potential victims.
To change the picture, at www.re2ee.org we are proposing a solution made of several components:
- cooperative firewalling (customer edge switching)
- realm gateway for interoperation with the legacy Internet
- ubiquitous policy based admission of all flows
- homomorphic trust processing in trust domains (corresponds to gossiping behind people's backs in society)
Here, communications security policy = a description of what a host expects. Policy creation should be as automatic as we can make it.
The approach has numerous benefits, among them:
- no unwanted traffic is sent over the air to wireless hosts
- NAT traversal is dynamic (ICE is only a fallback option), which leads to fast and easy session setup
- all security logic sits at the edge, giving better scalability
- better use of private addressing improves overall network scaling
- the actions it makes sense for hackers to program into exploits are limited
- fast traceback of all resources used by attacks
- a shorter lifetime for those infected resources
- the firewall itself scales, thanks to the use of SDN principles in its design