[52996] in North American Network Operators' Group
How to secure the Internet in three easy steps
daemon@ATHENA.MIT.EDU (Sean Donelan)
Fri Oct 25 13:14:53 2002
Date: Fri, 25 Oct 2002 13:14:22 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
In-Reply-To: <15800.27072.17552.388632@world.std.com>
Errors-To: owner-nanog-outgoing@merit.edu

Assuming no time, money, people, etc. resource constraints, securing the
Internet is pretty simple.

1. Require all providers install and manage firewalls on all subscriber
   connections enforcing source address validation.

2. Prohibit subscribers from running services on their own machines. Only
   approved provider managed servers should provide services to users.

3. Prohibit direct subscriber-to-subscriber communication, except through
   approved NSP protocol gateways. Only approved NSP-to-NSP proxied traffic
   should be exchanged between network providers.

Are there some down-sides? Sure. But who really needs the end-to-end
principle or uncontrolled innovation.

"No, the electric telegraph is not a sound invention. It will always be
at the mercy of the slightest disruption, wild youths, drunkards, bums,
etc.... The electric telegraph meets those destructive elements with
only a few meters of wire over which supervision is impossible. A
single man could, without being seen, cut the telegraph wires leading
to Paris, and in twenty-four hours cut in ten different places the
wires of the same line, without being arrested."
- Dr. Barbay, Paris France, 1846