[29846] in North American Network Operators' Group
Re: RBL-type BGP service for known rogue networks?
daemon@ATHENA.MIT.EDU (John Kristoff)
Fri Jul 7 20:14:06 2000
Message-ID: <39666F37.3389BFC9@depaul.edu>
Date: Fri, 07 Jul 2000 19:00:55 -0500
From: John Kristoff <jtk@depaul.edu>
Reply-To: jtk@aharp.is-net.depaul.edu
MIME-Version: 1.0
To: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
rdobbins@netmore.net wrote:
> I certainly don't think that intrusion-detection makes sense for the
> backbones and NAPs and so forth, but when you get closer to the
> traffic-originator/requestor boundaries of the network, it becomes more
> feasible, does it not?
Perhaps. It might be less detrimental to the entire Internet community
if only an edge customer's dynamic IDS/filtering system went haywire. It
then boils down to an organization's design and support philosophy.
Personally, I don't like the idea of messing with packets/streams in
transit unless it's to route them, drop them (congestion) or mark them (IP
ToS bits/DiffServ). There of course may be a few instances where you
block an entire netblock (e.g. RFC 1918) or specific ports (e.g. snmp)
that are widely known to be insecure or invalid.
It seems easier in the long run (harder initially) to secure the end
systems. Maybe I'm just getting used to vendors automatically
configuring my network with the routing protocols and I'm not quite
ready for automatic ACL definitions based on traffic patterns. :-)
John