[61619] in North American Network Operators' Group


Re: On the back of other 'security' posts....

daemon@ATHENA.MIT.EDU (Mans Nilsson)
Sun Aug 31 09:28:15 2003

Date: Sun, 31 Aug 2003 15:27:30 +0200
From: Mans Nilsson <mansaxel@sunet.se>
To: Owen DeLong <owen@delong.com>
Cc: Terry Baranski <tbaranski@mail.com>, nanog@merit.edu
In-Reply-To: <2147483647.1062287462@imac-en0.delong.sj.ca.us>
X-synced-from: Pilsnet
Errors-To: owner-nanog-outgoing@merit.edu

Subject: RE: On the back of other 'security' posts....
Date: Sat, Aug 30, 2003 at 11:51:02PM -0700
Quoting Owen DeLong (owen@delong.com):
> >
> That depends on your definition of edge, I suppose.  I define it as the
> port on one of my routers where the other end of the link is connected
> to a machine I don't control.  In those terms, edge filtering makes sense
> in some cases and not in others.  If it's a dial-up or T1 customer which is
> a single business, it makes sense.  If it's an ISP with a few fortune 500
> customers, it doesn't work out as well.

I'd go with Chris' view here. Let me try to define why I think so:

A device[0] on the network should:

* Protect itself against external[1] threats.

* Enforce sense and order in what it allows.

* Only try protecting others when it has full knowledge of what
  it is protecting.

This leads to:

* Only trust authenticated logins; do away, as much as possible, with
  using the network address as an authenticator, except for trivial
  stuff like perhaps printing.

* Stop spoofing by filtering routing.
  - It is not rocket science to put spoofing filters on CPEs.
  - More complex in backbones or in multi-homed setups.
  - Enforce some kind of prefix/AS path checks on peerings.
  Routers know this, and excel at routing or not. They sometimes
  suck at dropping packets (at least in a controlled fashion).

* Filter on the host, where knowledge is maximal (which hosts do I
  want to talk to, and by which means?) and collateral damage is
  minimal (no other activities on other hosts are blocked).

* Do not impose general blocks over large user bases. The resulting
  productivity hit, coupled with the mess of exceptions to be
  managed, will cause more trouble than is won by blocking.

* Be prepared to reevaluate in crisis situations.

-- 
Måns Nilsson         Systems Specialist
+46 70 681 7204         KTHNOC
                        MN1334-RIPE

I just remembered something about a TOAD!

[0] Any IP-speaking box, be it router, switch, host.
[1] Meaning anything not in my box, coming from LAN or console.
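Two of the list items in the post above (spoofing filters on CPEs, and prefix/AS path checks on peerings) expressed as runnable checks. This is an added example, not code from the post or its author; every prefix, address and ASN in it is a constructed sample value, and the "allowed prefixes" list stands in for whatever policy source (IRR data, a customer's assignment) an operator would actually use.

```python
"""Added illustration: a BCP38-style anti-spoofing check as a CPE would
apply it to customer traffic, and a prefix / AS path sanity check as
applied to announcements received on a peering. All values constructed."""
import ipaddress

# Constructed: address space assigned to one single-business customer
# behind a CPE. Any other source address arriving from the customer side
# is spoofed and should be dropped.
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed: what a peer (AS 64500) is expected to announce, e.g. taken
# from the peer's published routing policy.
PEER_ASN = 64500
PEER_ALLOWED_PREFIXES = [ipaddress.ip_network("198.51.100.0/22")]
MAX_PREFIX_LEN = 24  # accept nothing more specific than a /24


def cpe_ingress_allowed(src_ip, assigned_prefixes=CUSTOMER_PREFIXES):
    """Accept a packet from the customer side only if its source address
    lies inside a prefix assigned to that customer (ingress filtering)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in assigned_prefixes)


def peering_announcement_ok(prefix, as_path, peer_asn=PEER_ASN,
                            allowed=PEER_ALLOWED_PREFIXES):
    """Return (accepted, reason) for a BGP announcement from a peer.

    The first AS in the path must be the peer itself, the prefix must be
    covered by a prefix the peer may announce, and it must not be more
    specific than MAX_PREFIX_LEN."""
    net = ipaddress.ip_network(prefix)
    if not as_path or as_path[0] != peer_asn:
        return False, "AS path does not start with peer ASN"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "prefix too specific"
    if not any(net.subnet_of(a) for a in allowed):
        return False, "prefix not in peer's allowed set"
    return True, "ok"


if __name__ == "__main__":
    print(cpe_ingress_allowed("192.0.2.10"))    # True: customer's own space
    print(cpe_ingress_allowed("203.0.113.5"))   # False: spoofed source
    print(peering_announcement_ok("198.51.100.0/23", [64500, 64496]))
    print(peering_announcement_ok("198.51.100.0/23", [64496, 64500]))
```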

