TaoSecurity: Marcus Ranum Highlights from USENIX Class
There are some very good points in TaoSecurity's summary of a Marcus Ranum session at USENIX.
I've not seen the original talk but the summary makes me wish I'd been there.
The point about the perimeter being a complexity management tool is very well made in reference to de-perimeterization. It's all very well saying that each individual device needs to be able to stand alone from a security perspective, but it's still a lot easier to manage the security of the wider environment when you've got some control over what can get in at all, and the perimeter can and does provide that.
The points about quantification problems seem to have provoked a response from Alex. Having seen these arguments come up repeatedly on blogs and on the CISSP forum, and having started reading "Security Metrics" by Andrew Jaquith, I actually think there's less distance between the strong proponents of quantitative analysis and the proponents of qualitative analysis. One thing that has struck me in these debates is that when you look at the examples on both sides, they tend to be drawn from different areas of security.
My feeling is that there needs to be a mix of the two styles, depending on where each is most appropriate, but I'll reserve expanding on that until I've sorted my thoughts on the matter out better, as it's a bit of a minefield...