March 9th, 2005, 12:39 AM
#14
Damn that's a response. I think it's funny too when Shanahan gets worked up. We could spend a while talking about the quality of punk asses on the Raiders but my passion really lies with Hockey. I am so pissed at the league and players I need a beer stat. Real quick, multiple downed exchanges....
Authentication is not the single point of failure, though it may or may not be the highest risk. I am sure you agree that authenticated users, thus a perimeterless view, are the biggest risk factor. Not violation of the perimeter like traditionally noted. They have already bypassed the authentication mechanism. The perimeter is breached, what is left? Say they aren't the culprit though, say someone copied your authentication mechanism from the laptop that tricks the perimeter into thinking the user and the machine are authentic. That does not mean they violate the integrity of an authorization mechanism (wish I had a spell checker). It would still be intact and watching. If this is Windows only of course, it defeats the concept. But it could be a filter rule, machine "Bob" can never access machine "Jane" or network "monkey boys" and once it does happen, authorization policy revokes the rogue laptop's authentication. Because the truly unauthenticated won't have a clue what they are authorized to access at the portal. Sounds perfect doesn't it? But it does not have to be automated. I am not introducing anything new here, just advocating a shift in the way systems are administered or policed.
You used your VPN as an example, I look at it like they are web users. We don't know who is out there, who has a valid account or not UNTIL they hit my first leg of the perimeter. I don't consider them part of the perimeter until they invoke the authentication process and my web site verifies they are who they say they were. Once that is done, they are inside the perimeter and moving about making changes and mucking about hitting additional instances of authentication once in a while and a lot of authorization checks. And most importantly they are being audited before processing requests in the core. And then once again outside IT.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
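The filter-rule idea from the post above, sketched as an added example that is not part of the original post: a copied credential passes authentication, but the first request that breaks an authorization rule is denied, audited, and costs the machine its authentication. The `Gateway` class, the credential value and the `fileserver` target are hypothetical; only the names "Bob", "Jane" and "monkey boys" come from the post.

```python
from dataclasses import dataclass, field

# Constructed policy: (source machine, forbidden target). Names taken from the post.
DENY_RULES = {("Bob", "Jane"), ("Bob", "monkey boys")}

@dataclass
class Gateway:
    deny_rules: set
    valid_creds: dict                      # machine -> credential (hypothetical store)
    revoked: set = field(default_factory=set)
    sessions: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def authenticate(self, machine, credential):
        """Perimeter check: a copied credential passes just like the real one."""
        ok = machine not in self.revoked and self.valid_creds.get(machine) == credential
        if ok:
            self.sessions.add(machine)
        self.audit_log.append(("authn", machine, ok))
        return ok

    def authorize(self, machine, target):
        """Per-request check made after authentication, audited before processing."""
        if machine not in self.sessions:
            self.audit_log.append(("authz", machine, target, "no-session"))
            return False
        if (machine, target) in self.deny_rules:
            # Policy violation: revoke the machine's authentication entirely.
            self.sessions.discard(machine)
            self.revoked.add(machine)
            self.audit_log.append(("authz", machine, target, "violation-revoked"))
            return False
        self.audit_log.append(("authz", machine, target, "allowed"))
        return True

def demo():
    gw = Gateway(DENY_RULES, {"Bob": "s3cret-token"})   # constructed credential
    results = [
        gw.authenticate("Bob", "s3cret-token"),   # copied credential still authenticates
        gw.authorize("Bob", "fileserver"),        # normal access is allowed
        gw.authorize("Bob", "Jane"),              # forbidden target: denied and revoked
        gw.authorize("Bob", "fileserver"),        # session is gone
        gw.authenticate("Bob", "s3cret-token"),   # credential no longer accepted
    ]
    return results, gw

if __name__ == "__main__":
    print(demo()[0])
```

The audit log keeps every decision, so the revocation could equally be a manual step taken by an administrator reading it rather than an automated one.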