Re: On the back of other 'security' posts....
From: Mans Nilsson <mansaxel () sunet se>
Date: Sun, 31 Aug 2003 15:27:30 +0200
Subject: RE: On the back of other 'security' posts.... Date: Sat, Aug 30, 2003 at 11:51:02PM -0700 Quoting Owen DeLong (owen () delong com):
> That depends on your definition of edge, I suppose. I define it as the
> port on one of my routers where the other end of the link is connected
> to a machine I don't control. In those terms, edge filtering makes sense
> in some cases and not in others. If it's a dial-up or T1 customer which is
> a single business, it makes sense. If it's an ISP with a few fortune 500
> customers, it doesn't work out as well.
I'd go with Chris's view here. Let me try to define why I think so:
A device on the network[1] should:
* Protect themselves against external threat[2].
* Enforce sense and order in what they allow.
* Only try protecting others when they have full knowledge of what
they are protecting.
This leads to:
* Only trust authenticated logins; do away as much as possible with
using the network address as an authenticator, except for trivial
stuff like perhaps printing.
* Stop spoofing by filtering routing.
- It is not rocket science to put spoofing filters on CPEs.
- More complex in backbones or in multi-homed setups.
- Enforce some kind of prefix/AS path checks on peerings.
Routers know this, and excel at routing or not. They sometimes
suck at dropping packets (at least in a controlled fashion).
* Filter on the host, where knowledge is maximal (Which hosts do I
want to talk to, and by which means?) and collateral damage is
minimal (no other activities on other hosts are blocked)
* Do not impose general blocks over large user bases. The resulting
productivity hit, coupled with the mess of exceptions to be
managed will cause more trouble than is won by blocking.
* Be prepared to reevaluate in crisis situations.
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
I just remembered something about a TOAD!
[1] Any IP-speaking box, be it router, switch, host.
[2] Meaning anything not in my box, coming from LAN or console.
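Added example, not code from the original post or from any vendor it mentions. It models in Python the two filtering layers the post lists: strict source-address validation on customer-facing ports (the "spoofing filters on CPEs" point, including why it gets harder for multi-homed or ISP customers) and prefix/origin-AS checks on what a peer announces. Every port name, prefix, AS number and the /24 length limit below is a constructed sample value or assumed local policy, drawn from documentation ranges rather than any real network.

```python
# Added example, not code from the original post or from any project it
# mentions. It models the two filtering layers the post lists: strict
# source-address validation on customer-facing ports (anti-spoofing at the
# CPE side) and prefix/origin-AS checks on what a peer announces. Every
# port name, prefix and AS number below is a constructed sample value from
# documentation ranges (RFC 5737 addresses, RFC 5398 AS numbers).
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    # Prefixes this port may legitimately source. A single-business T1 or
    # dial-up customer gets its assigned block; an ISP customer needs the
    # union of everything its downstreams may originate, which is where
    # "doesn't work out as well" comes from.
    allowed_sources: list
    # Peering/transit ports cannot be strictly validated this way, so the
    # filter only rejects packets that claim our own space as their source.
    customer_facing: bool = True


@dataclass
class EdgeFilter:
    our_prefixes: list                      # ip_network objects we originate
    ports: dict = field(default_factory=dict)

    def add_port(self, port):
        self.ports[port.name] = port

    def check_packet(self, port_name, src):
        """Data-plane check: ALLOW or a DROP reason for a packet arriving on
        port_name with source address src."""
        src = ipaddress.ip_address(src)
        port = self.ports[port_name]
        if port.customer_facing:
            if any(src in p for p in port.allowed_sources):
                return "ALLOW"
            return "DROP: source not assigned to this customer port"
        if any(src in p for p in self.our_prefixes):
            return "DROP: our own prefix arriving from outside"
        return "ALLOW"

    @staticmethod
    def check_announcement(prefix, as_path, peer_policy, max_len=24):
        """Control-plane check on a route received from a peer.
        peer_policy = {"asn": <peer AS>, "prefixes": {<prefix>: <origin AS>}}.
        max_len is an assumed local policy: refuse anything more specific
        than a /24 so a leaked deaggregate cannot attract traffic."""
        net = ipaddress.ip_network(prefix)
        if not as_path or as_path[0] != peer_policy["asn"]:
            return "REJECT: first AS in path is not the peer"
        if net.prefixlen > max_len:
            return "REJECT: prefix more specific than policy allows"
        for allowed, origin in peer_policy["prefixes"].items():
            allowed_net = ipaddress.ip_network(allowed)
            if net.version == allowed_net.version and net.subnet_of(allowed_net):
                if as_path[-1] != origin:
                    return "REJECT: origin AS does not match registered origin"
                return "ACCEPT"
        return "REJECT: prefix not in the prefix-list for this peer"


def build_sample_edge():
    """Constructed sample topology: one T1 customer port, one peering port."""
    edge = EdgeFilter(our_prefixes=[ipaddress.ip_network("198.51.100.0/24")])
    edge.add_port(Port("cust-t1", [ipaddress.ip_network("192.0.2.0/24")]))
    edge.add_port(Port("peer-ix", [], customer_facing=False))
    return edge


# Constructed sample policy for peer AS 64500, which carries customer AS 64501.
SAMPLE_PEER_POLICY = {"asn": 64500, "prefixes": {"203.0.113.0/24": 64501}}

if __name__ == "__main__":
    edge = build_sample_edge()
    for port, src in [("cust-t1", "192.0.2.10"), ("cust-t1", "203.0.113.5"),
                      ("peer-ix", "203.0.113.5"), ("peer-ix", "198.51.100.7")]:
        print(f"{port:8} src={src:15} -> {edge.check_packet(port, src)}")
    for prefix, path in [("203.0.113.0/24", [64500, 64501]),
                         ("203.0.113.0/25", [64500, 64501]),
                         ("203.0.113.0/24", [64500, 64502]),
                         ("192.0.2.0/24", [64500, 64501])]:
        print(f"{prefix:16} path={path} -> "
              f"{EdgeFilter.check_announcement(prefix, path, SAMPLE_PEER_POLICY)}")
```

The split between `customer_facing` and peering ports is the point of the thread: on a port whose other end is a single customer, the router knows exactly what may be sourced there and can drop everything else; on a peering port it has no such knowledge, so the only safe data-plane rule is to refuse packets claiming to be from its own prefixes, and the real control lives in the prefix-list and origin check on what that peer is allowed to announce.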