[52999] in North American Network Operators' Group


Re: How to secure the Internet in three easy steps

daemon@ATHENA.MIT.EDU (Paul Vixie)
Fri Oct 25 14:12:20 2002

To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 25 Oct 2002 18:11:47 +0000
In-Reply-To: <Pine.GSO.4.40.0210251239590.29380-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu


> Assuming no time, money, people, etc resource constraints; securing the
> Internet is pretty simple.
> 
> 1. Require all providers install and manage firewalls on all subscriber
> connections enforcing source address validation.
> 
> 2. Prohibit subscribers from running services on their own machines.  Only
> approved provider managed servers should provide services to users.
> 
> 3. Prohibit direct subscriber-to-subscriber communication, except through
> approved NSP protocol gateways.  Only approved NSP-to-NSP proxied traffic
> should be exchanged between network providers.
> 
> Are there some down-sides? Sure.  But who really needs the end-to-end
> principle or uncontrolled innovation.

i can see how the end to end principle applies in cases 2 and 3, but not 1.
-- 
Paul Vixie
