[60538] in North American Network Operators' Group


Re: Port blocking last resort in fight against virus

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Wed Aug 13 18:38:38 2003

Date: Wed, 13 Aug 2003 22:37:31 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: Mans Nilsson <mansaxel@sunet.se>,
	"Stephen J. Wilcox" <steve@telecomplete.co.uk>,
	Petri Helenius <pete@he.iki.fi>, nanog@merit.edu
In-Reply-To: <20030813190353.56E187B43@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu

On Wed, 13 Aug 2003, Steven M. Bellovin wrote:

> In message <Pine.GSO.4.53.0308131452310.19594@rampart.argfrp.us.uu.net>, "Christopher L. Morrow" writes:
>
> >This is the point that at least I have been trying to make for 2 years... end
> >systems, or as close to that as possible, need to police themselves; the
> >granularity and filtering capabilities (content filtering even) are
> >available at that level alone.
> >
>
> It's just not possible.
>
> Believe it or not, I don't much like firewalls.  But see slide 5 of a
> talk I gave in May, 1994 (http://www.research.att.com/~smb/talks/firewalls.ps
> or http://www.research.att.com/~smb/talks/firewalls.pdf) for why we
> need them.  We'll *always* have buggy code.

... long message trimmed ....

I'm not entirely sure where you have shown that 'filtering as close to the
end system as possible' is not possible. You mention that in extreme
circumstances ISPs might have to step in to save the network from itself,
which I agreed much earlier was the case. You did not, however, show that
end systems and their local admin groups can't police their own networks
and help to make these problems much more difficult and noisy.

