Home page logo

nanog logo nanog mailing list archives

Re: Port blocking last resort in fight against virus
From: "Christopher L. Morrow" <chris () UU NET>
Date: Wed, 13 Aug 2003 22:37:31 +0000 (GMT)

On Wed, 13 Aug 2003, Steven M. Bellovin wrote:

In message <Pine.GSO.4.53.0308131452310.19594 () rampart argfrp us uu net>, "Chris
topher L. Morrow" writes:

This is the point, atleast I, have been trying to make for 2 years... end
systems, or as close to that as possible, need to police themselves, the
granularity and filtering capabilities (content filtering even) are
available at that level alone.

It's just not possible.

Believe it or not, I don't much like firewalls.  But see slide 5 of a
talk I gave in May, 1994 (http://www.research.att.com/~smb/talks/firewalls.ps
or http://www.research.att.com/~smb/talks/firewalls.pdf) for why we
need them.  We'll *always* have buggy code.

... long message trimmed ....

I'm not entirely sure where you have shown that 'filtering as close to the
end system as possible' is not possible. You mention that in extreme
circumstances ISP's might have to step in to save the network from itself,
which I agreed much earlier was the case. You did not, however, show that
end systems and their local admin gruops can't police their own networks
and help to make these problems much more difficult and noisy.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]