North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: large organization nameservers sending icmp packets to dns servers.
On Tue, 7 Aug 2007, Donald Stahl wrote:
It has nothing to do with judging how one runs their network or any other such nonsense. The RFC's say TCP 53 is fine. If you don't want to follow the rules, fine, but have the temerity to admit that it is stupid.
I don't want to wade into this particular argument, which doesn't seem to be going anywhere useful. But I think the style of the argument causes some problems that trickle into network operations, and should be addressed.
The problem with this argument is that, while it may be entirely correct, it's unlikely to convince the people who matter. The people who matter are the people who write the checks for the networks we work on.
Successful managers (and successful engineers) generally get pretty good at doing cost benefit analyses. Since there are many decisions where there isn't one obvious answer, they learn instead to think in terms of each choice providing some benefits and having some costs, and doing the things where the benefits outweigh the costs.
In the firewall case, as Kevin said, there are probably people going to the decision makers and talking about the importance of keeping things closed up. Every open firewall rule, they'll say, creates the potential for an attack. Any attack could cause down time, unauthorized sharing of confidential data, loss of files people have spent the last several years working on, and more. Therefore, the cost of an open firewall rule could potentially be millions of dollars. The value of any service enabled by a hole in the firewall had better be more than that.
Is this argument valid? Maybe not. But the money people who make the decisions probably don't have the technical expertise to analyse it. Even if they suspect that the case for the policy is overstated, they'll associate some cost with ignoring the advice of their security people, as they probably should.
So, what's somebody who objects to such an argument to do?
You could go to management and say, "the security people are wrong. The standard says we must open more ports. To not do so would be wrong." But you may not like the choice this presents management with. On one side, they've got you telling them to follow an arbitrary standard, because not doing so would be wrong. On the other side, they're being told that taking your advice could cost millions of dollars. Losing millions of dollars as a result of a refusal to heed warnings would probably get them fired, or worse. Pointing at an arbitrary standard after things had gone wrong probably wouldn't get them very far.
Alternatively, you too could start speaking their cost benefit language. You could assail the security peoples' cost figures, although at that point you'd be asking them to distrust other employees and they might wonder if they should distrust you instead. Or you could point out the costs of leaving the port closed, or possible benefits of leaving it open. If you can tell them that some fraction of their customers aren't able to get to them because of the closed port, and that those would be customers represent some large amount of revenue, you'll show that there's actual benefit to having the port open. If that benefit is greater than the potential loss they're being told about, you might actually win the argument. If you have some evidence to back up your numbers, you may have more credibility, and be able to win the argument with lower numbers.
Or, you may find that you're not as right as you thought you were. You may find that what you were advocating doesn't seem to have any concrete benefit, and that what the other side was saying has some merit. That may not happen in this case, but sooner or later you'll probably find one where it does.