At the suggestion of another member, I'd like to take up the reins of a new thread to discuss the ideas of information security without boundaries, or perimeterless security as she put it. Wireless networking will certainly play a big role in this, but I think it goes beyond the subject of Wi-Fi and unprotected access points.

This is actually a subject I read about briefly long ago in a magazine article, and it's a concept I've been percolating for some time. With standards like 802.1x becoming reasonably priced and usable (to a limited extent) with modern technology, we can achieve a fair degree of logical security. But networking and security have always been based on a physical model.

Implicit trust has always been an Achilles heel; look at the rsh family of applications. Authentication (and subsequently identity management, but that's probably another discussion) is a key part of this issue, and is often considered a silver bullet for security solutions by the uninformed.

Let's break it down with the triple A system:
Authentication
- Are all resources (not *just* the users) what they really appear to be, or claim they are?
Authorization
- Are you able to access *only* resources you have been granted permissions to? Are others denied that should not be, or exposed when they should be concealed?
Audit - also known as - Accounting or Accountability
- Are all activities documented and logged, in a protected fashion to avoid tampering?

OK, I've started the conversation. Let's carry it forward. Consider Xierox' original dilemma. How do these three points apply, and why or why not?

C'mon, I love the sound of my own voice..., er...typing, but this isn't a tutorial (or it would be in that forum). Sound off.