North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: On the back of other 'security' posts....
Subject: RE: On the back of other 'security' posts.... Date: Sat, Aug 30, 2003 at 11:51:02PM -0700 Quoting Owen DeLong (email@example.com): > > > That depends on your definition of edge, I suppose. I define it as the > port on one of my routers where the other end of the link is connected > to a machine I don't control. In those terms, edge filtering makes sense > in some cases and not in others. If it's a dial-up or T1 customer which is > a single business, it makes sense. If it's an ISP with a few fortune 500 > customers, it doesn't work out as well. I'd go with Chris view here. Let me try to define why I think so: A device on the network should: * Protect themselves against external threat. * Enforce sense and order in what they allow. * Only try protecting others when they have full knowledge of what they are protecting. This leads to: * Only trust authenticated logins, do as much as possible away with using the network address as a authenticator, except for trivial stuff like perhaps printing. * Stop spoofing by filtering routing. - It is not rocket science to put spoofing filters on CPEs. - More complex in backbones or in multi homed setups. - Enforce some kind of prefix/AS path checks on peerings. Routers know this, and excel at routing or not. They sometimes suck at dropping packets (at least in a controlled fashion). * Filter on the host, where knowledge is maximal (Which hosts do I want to talk to, and by which means?) and collateral damage is minimal (no other activities on other hosts are blocked) * Do not impose general blocks over large user bases. The resulting productivity hit, coupled with the mess of exceptions to be managed will cause more trouble than is won by blocking. * Be prepared to reevaluate in crisis situations. -- Måns Nilsson Systems Specialist +46 70 681 7204 KTHNOC MN1334-RIPE I just remembered something about a TOAD!  Any IP-speaking box, be it router, switch, host.  meaning anything not in my box, coming from LAN or console.