Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: On the back of other 'security' posts....

  • From: Mans Nilsson
  • Date: Sun Aug 31 09:30:13 2003

Subject: RE: On the back of other 'security' posts.... Date: Sat, Aug 30, 2003 at 11:51:02PM -0700 Quoting Owen DeLong (owen@delong.com):
> >
> That depends on your definition of edge, I suppose.  I define it as the
> port on one of my routers where the other end of the link is connected
> to a machine I don't control.  In those terms, edge filtering makes sense
> in some cases and not in others.  If it's a dial-up or T1 customer which is
> a single business, it makes sense.  If it's an ISP with a few fortune 500
> customers, it doesn't work out as well.

I'd go with Chris view here. Let me try to define why I think so: 

A device[0] on the network should:

* Protect themselves against external[1] threat. 

* Enforce sense and order in what they allow. 
 
* Only try protecting others when they have full knowledge of what
  they are protecting.

This leads to: 

* Only trust authenticated logins, do as much as possible away with 
  using the network address as a authenticator, except for trivial
  stuff like perhaps printing. 

* Stop spoofing by filtering routing. 
  -	It is not rocket science to put spoofing filters on CPEs. 
  -	More complex in backbones or in multi homed setups. 
  -	Enforce some kind of prefix/AS path  checks on peerings. 
  Routers know this, and excel at routing or not. They sometimes
  suck at dropping packets (at least in a controlled fashion).

* Filter on the host, where knowledge is maximal (Which hosts do I
  want to talk to, and by which means?) and collateral damage is
  minimal (no other activities on other hosts are blocked)

* Do not impose general blocks over large user bases. The resulting
  productivity hit, coupled with the mess of exceptions to be 
  managed will cause more trouble than is won by blocking. 

* Be prepared to reevaluate in crisis situations. 

-- 
Måns Nilsson         Systems Specialist
+46 70 681 7204         KTHNOC
                        MN1334-RIPE

I just remembered something about a TOAD!

[0] Any IP-speaking box, be it router, switch, host. 
[1] meaning anything not in my box, coming from LAN or console.

Attachment: pgp00078.pgp
Description: PGP signature




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.