----- Original Message -----
From: <Valdis.Kletnieks@vt.edu>
To: "Jack Bates" <jbates@brightok.net>
Cc: <nanog@merit.edu>
Sent: Sunday, March 09, 2003 12:31 PM
Subject: Re: Question concerning authoritative bodies.
So who do you trust to be objective enough about a centralized registry of security, especially given that there's no consensus on what a proper level of security is? And if there's a problem, what do you do? In our case, do you ban an entire /16 because one chucklehead sysadmin forgot to patch up IIS (or wasn't able to - I know of one case where one of our boxes
There are private systems in use today like NJABL which act as centralized resources. I believe that it is possible to come to an agreement on a standardized test suite that can be used, and on what the variables concerning the number of scans and how frequent they are should be set to. I'm not suggesting a full security evaluation of networks, but a detection mechanism that can be used as a resource to recognize standard issues, primarily protecting email, which is one of our most utilized resources.
I submit to you the thesis that in general, the sites that are able to tell the difference between these two situations are not the sites that either situation is trying to detect.
I agree for the most part (excluding RoadRunner given recent events). However, the sites that are able to tell the difference suffer the costs of scans just the same while everyone tries to detect those unable to tell the difference. And as I mentioned, you always have situations like RoadRunner arise where a detection was needed, but they are able to detect the scans and issue complaints even when they were at fault. The goal is to provide a service that many require to limit the amount of noise currently generated. I do not think that we can necessarily scan and analyze every security problem. However, I do think that there are no-brainer security issues that can be detected which the public demands they be protected from, in particular open SMTP relays and unsecured proxy/SOCKS servers. Detection of, say, the latest sendmail or Sapphire exploits is not as critical. We can passively detect these things from their own abuse. We cannot passively detect open proxies and SMTP relays.

-Jack