[98420] in North American Network Operators' Group
RE: large organization nameservers sending icmp packets to dns servers.
daemon@ATHENA.MIT.EDU (Jamie Bowden)
Wed Aug 8 12:00:56 2007
Date: Wed, 8 Aug 2007 11:59:07 -0400
In-Reply-To: <20070807143104.E5145@sprockets.gibbard.org>
From: "Jamie Bowden" <jamie@photon.com>
To: "Steve Gibbard" <scg@gibbard.org>, "Nanog" <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu
Forgive my broken formatting, but LookOut (it's Microsoft!) is what we use, period.
I have a question related to what you posted below, and it's a pretty simple one:
How is answering a query on TCP/53 any MORE dangerous than answering it on UDP/53? Really. I'd like to know how one of these security nitwits justifies it. It's the SAME piece of software answering the query either way.
Jamie Bowden
--
"It was half way to Rivendell when the drugs began to take hold"
Hunter S Tolkien "Fear and Loathing in Barad Dur"
Iain Bowen <alaric@alaric.org.uk>
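An added example, not from this thread or any of its posters, that shows the protocol fact behind Jamie's question: one transport-agnostic handler answers both listeners, TCP differs only by a two-byte length prefix, and an answer too big for a classic 512-byte datagram comes back with TC=1 so the client has to repeat the query over TCP/53 (which is why a firewall that drops TCP/53 breaks large answers). The handler, function names and the 192.0.2.0/24 addresses are constructed for illustration.

```python
import struct

UDP_MAX = 512  # classic UDP payload limit (RFC 1035): bigger answers get TC=1 and a TCP retry

def build_query(name, qtype=1, txid=0x1234):
    # Header: ID, flags (RD=1), QDCOUNT=1, then ANCOUNT/NSCOUNT/ARCOUNT=0
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hdr + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_header(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "tc": bool(flags & 0x0200), "ancount": an}

def answer(query, addrs):
    """Toy authoritative handler (constructed): one A record per address tuple.
    This single piece of code is what both the UDP and the TCP listener call."""
    question = query[12:]  # echo the question section unchanged
    # RR: name pointer to offset 12 (0xC00C), TYPE A, CLASS IN, TTL, RDLENGTH=4, RDATA
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(ip) for ip in addrs)
    hdr = struct.pack("!HHHHHH", parse_header(query)["id"], 0x8180, 1, len(addrs), 0, 0)
    return hdr + question + rrs

def serve_udp(datagram, addrs):
    resp = answer(datagram, addrs)
    if len(resp) > UDP_MAX:
        # Too big for a classic datagram: send header+question with TC=1 and no
        # answers, which tells the client to repeat the query over TCP/53.
        hdr = struct.pack("!HHHHHH", parse_header(resp)["id"], 0x8380, 1, 0, 0, 0)
        return hdr + datagram[12:]
    return resp

def frame_tcp(msg):
    return struct.pack("!H", len(msg)) + msg  # 2-byte length prefix; nothing else differs

def unframe_tcp(stream):
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]

def serve_tcp(stream, addrs):
    return frame_tcp(answer(unframe_tcp(stream), addrs))

def client_needs_tcp(udp_resp):
    # A stub resolver retries over TCP when a response carries the TC bit.
    h = parse_header(udp_resp)
    return h["qr"] and h["tc"]
```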
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Steve Gibbard
Sent: Tuesday, August 07, 2007 6:10 PM
To: Nanog
Subject: Re: large organization nameservers sending icmp packets to dns
servers.
On Tue, 7 Aug 2007, Donald Stahl wrote:
> It has nothing to do with judging how one runs their network or any other such nonsense. The RFCs say TCP 53 is fine. If you don't want to follow the rules, fine, but have the temerity to admit that it is stupid.
I don't want to wade into this particular argument, which doesn't seem to be going anywhere useful. But I think the style of the argument causes some problems that trickle into network operations, and should be addressed.
The problem with this argument is that, while it may be entirely correct, it's unlikely to convince the people who matter. The people who matter are the people who write the checks for the networks we work on.
Successful managers (and successful engineers) generally get pretty good at doing cost-benefit analyses. Since there are many decisions where there isn't one obvious answer, they learn instead to think in terms of each choice providing some benefits and having some costs, and doing the things where the benefits outweigh the costs.
In the firewall case, as Kevin said, there are probably people going to the decision makers and talking about the importance of keeping things closed up. Every open firewall rule, they'll say, creates the potential for an attack. Any attack could cause down time, unauthorized sharing of confidential data, loss of files people have spent the last several years working on, and more. Therefore, the cost of an open firewall rule could potentially be millions of dollars. The value of any service enabled by a hole in the firewall had better be more than that.
Is this argument valid? Maybe not. But the money people who make the decisions probably don't have the technical expertise to analyse it. Even if they suspect that the case for the policy is overstated, they'll associate some cost with ignoring the advice of their security people, as they probably should.
So, what's somebody who objects to such an argument to do?
You could go to management and say, "the security people are wrong. The standard says we must open more ports. To not do so would be wrong." But you may not like the choice this presents management with. On one side, they've got you telling them to follow an arbitrary standard, because not doing so would be wrong. On the other side, they're being told that taking your advice could cost millions of dollars. Losing millions of dollars as a result of a refusal to heed warnings would probably get them fired, or worse. Pointing at an arbitrary standard after things had gone wrong probably wouldn't get them very far.
Alternatively, you too could start speaking their cost-benefit language. You could assail the security people's cost figures, although at that point you'd be asking them to distrust other employees and they might wonder if they should distrust you instead. Or you could point out the costs of leaving the port closed, or possible benefits of leaving it open.
If you can tell them that some fraction of their customers aren't able to get to them because of the closed port, and that those would-be customers represent some large amount of revenue, you'll show that there's actual benefit to having the port open. If that benefit is greater than the potential loss they're being told about, you might actually win the argument. If you have some evidence to back up your numbers, you may have more credibility, and be able to win the argument with lower numbers.
Or, you may find that you're not as right as you thought you were. You may find that what you were advocating doesn't seem to have any concrete benefit, and that what the other side was saying has some merit. That may not happen in this case, but sooner or later you'll probably find one where it does.
-Steve