[164292] in North American Network Operators' Group
Re: Ciena 6200 clue?
daemon@ATHENA.MIT.EDU (Jeff Shultz)
Wed Jul 3 17:32:48 2013
Date: Wed, 03 Jul 2013 13:03:46 -0700
From: Jeff Shultz <jeffshultz@wvi.com>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <CDF9FAC1.97F1F%paul@paulstewart.org>
On 7/3/2013 1:00 PM, Paul Stewart wrote:
> On 2013-07-03 3:57 PM, "Brandon Ross" <bross@pobox.com> wrote:
>>
>> Everyone knows that attacks against your management interface come
>> from devices not on your management network. By removing the
>> default gateway feature, Ciena is improving the security of your
>> network.
>>
>> It's time we created a BCOP specifying that default gateway
>> functionality be disabled or removed in all network deployments, in
>> the interest of security. Security improvements realized in the
>> last few years by dropping all ICMP and TCP DNS at firewall
>> boundaries, not to mention universal deployment of NAT, were just
>> the first few steps to creating a much more secure Internet.
>>
>> Once disablement of default gateway functionality has become
>> a common practice, the natural reduction in traffic on the Internet
>> should allow most operators to achieve enormous cost savings by
>> powering off all of their equipment.
>>
> Awesome - sorry, can't resist…. :)
>
Ah, somehow my eyeballs glazed over the excellent sarcasm that was made
evident in the last paragraph....
Either way, my point remains: I want the option. I suspect I'm not alone...
--
Jeff Shultz