Re: HTTP proxies, was Re: Operational Issues with 126.96.36.199/8...
- From: Michael.Dillon
- Date: Tue Dec 10 10:26:07 2002
> >> How do we get software vendors (free, pay, virus) to distribute
> >> software with appropriate defaults?
> michael> Second step, publish a directory. I.e. detect the
> michael> non-conforming devices and publish their IP addresses in an
> michael> LDAP server.
> Let me get this straight, you are suggesting that the way to fix the
> problem that there are potentially millions of insecure machines
> connected to the Internet is to *PUBLISH* the IP addresses of all of
> them in an easy to parse format? Cute.
Yes, more or less. I am suggesting that people who have *detected* a
vulnerability and wish to publicize this fact should publish their lists
in a standard format and make it available via a standard protocol like
LDAP. Since the number of *detected* vulnerable hosts is a lot lower than
the total number of vulnerable hosts this is not as big as you think. And
since one has to *detect* the vulnerability before publishing it, the
scaling issue with detection is more of an issue than with publishing.
Besides, LDAP has proven to be scalable to very large databases. LDAP was
developed as a lightweight system so that it could be scaled massively.
> Don't tell me...we'll be able to pull the vulnerability that got the
> hosts in the list too, so we can verify that "our" machines are,
> indeed, misconfigured? ;-)
Sure, why not? If someone is going to the trouble of collecting the
information and publishing it, then they should publish this as well.
After all, when you query an LDAP server you can specify which fields you
want to retrieve. Applications that don't need the vulnerability info
won't bother asking for it.