[147602] in North American Network Operators' Group


Re: Is AS information useful for security?

daemon@ATHENA.MIT.EDU (Justin M. Streiner)
Thu Dec 15 09:45:37 2011

Date: Thu, 15 Dec 2011 09:44:39 -0500 (EST)
From: "Justin M. Streiner" <streiner@cluebyfour.org>
To: nanog@nanog.org
In-Reply-To: <OF2C8CE79A.2D50A70F-ON85257967.004D5B9F-85257967.004D8221@csc.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, 15 Dec 2011, Joe Loiacono wrote:

> Is a good knowledge of either origin-AS, or next-AS with respect to flows
> valuable in establishing, monitoring, or re-enforcing a security posture?
> In what ways?

If I'm understanding your question correctly, I think it can be helpful, 
to a degree.  It's always good to 'know your neighbors', but for the most 
part I don't think an organization's security posture would change very 
much, based strictly on next-AS.  In the case of next-AS, you already 
know your neighbors somewhat, because you have some sort of a business 
relationship with them (your transit providers, peers, downstream 
BGP-speaking customers, etc).

origin-AS could be another story.  If you know of an AS that is being used 
by the bad guys for bad purposes, you can write a routing policy to dump 
all traffic to/from that AS into the bit bucket or take some other action 
that could be dictated by your security policy.  In that case, a routing 
policy could be considered an extension of a security policy.

jms
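
The following is an added example, not part of the original message: it annotates flow records with next-AS and origin-AS by longest-prefix match against a BGP table and applies an origin-AS drop policy, showing that two flows with the same next-AS can differ in origin. The RIB, flows and blocked ASN are constructed, using documentation-reserved ASNs and prefixes; the function names are hypothetical.

```python
import ipaddress

# Constructed sample RIB: prefix -> AS path as seen from our router.
# ASNs 64496-64511 and these prefixes are reserved for documentation.
RIB = {
    "192.0.2.0/24":      [64500, 64496],
    "198.51.100.0/24":   [64501, 64510, 64497],
    "198.51.100.128/25": [64500, 64499],
    "203.0.113.0/24":    [64501, 64498],
}
BLOCKED_ORIGINS = {64499}  # hypothetical ASN flagged by local security policy

# Most-specific prefixes first, so the first match is the longest match.
_TABLE = sorted(((ipaddress.ip_network(p), path) for p, path in RIB.items()),
                key=lambda e: e[0].prefixlen, reverse=True)

def lookup(ip):
    """Longest-prefix match; returns (next_as, origin_as) or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, path in _TABLE:
        if addr in net:
            return path[0], path[-1]  # first hop AS, originating AS
    return None, None

def classify(flow):
    """flow = (src_ip, dst_ip, bytes); returns AS annotations and an action."""
    src, dst, nbytes = flow
    s_next, s_origin = lookup(src)
    d_next, d_origin = lookup(dst)
    hit = {s_origin, d_origin} & BLOCKED_ORIGINS
    return {"src": src, "dst": dst, "bytes": nbytes,
            "src_next_as": s_next, "src_origin_as": s_origin,
            "dst_next_as": d_next, "dst_origin_as": d_origin,
            "action": "drop" if hit else "forward"}

FLOWS = [  # constructed flow records
    ("192.0.2.10", "203.0.113.5", 1200),
    ("198.51.100.200", "192.0.2.10", 400),  # source inside the /25 from 64499
    ("198.51.100.20", "192.0.2.10", 900),   # covering /24, different origin
]

if __name__ == "__main__":
    for f in FLOWS:
        print(classify(f))
```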

