Does it make sense to implement a security protocol at one layer alone? Consider the OSI layered communication model. If a security suite is implemented at the application layer alone, it cannot possibly address attacks mounted on a lower layer, can it? This is because the application layer, by definition of the layered network architecture is imperceptible to the existence of lower layers. The logical next step is to propose that each layer have its own security suite. But is this a good approach? Meaning that does this effectively address the set of threats at various layers, or does it leave loopholes open to be exploited?
I feel a cross-layered approach to security is essential. Building in security into a communication system as an afterthought and in a layer-by-layer fashion is sloppy engineering!
Another point to ponder about is whether securing a lower layer has any (provable) effect on the vulnerability of higher layers. If it does, then it might serve us well to focus on a bottom-up approach to security.
