On Sun, 09 Mar 2003 11:50:04 CST, Jack Bates <jbates@brightok.net> said:
> So I'm curious what people think. We have semi centralized various things in the past such as IP assignments and our beloved DNS root servers. Would it not also make sense to handle common security checks in a similar manner? In
IP assignments are factual things of record - AS1312 has 198.82/16 and 128.173/16, and no amount of value judgments will change that. And yet, there's scattered complaints about what it takes to get a /19 to multihome. DNS servers are similarly "things of record". This organization has this domain, and their servers are found where the NS entries point. And the dispute resolution process is, in a word, a total mess - how many *years* has the sex.com debacle dragged on now?

So who do you trust to be objective enough about a centralized registry of security, especially given that there's no consensus on what a proper level of security is? And if there's a problem, what do you do? In our case, do you ban an entire /16 because one chucklehead sysadmin forgot to patch up IIS (or wasn't able to - I know of one case where one of our boxes got hacked while the primary sysadmin was recovering from a heart bypass)? Dropping a note to our abuse@ address will probably get it fixed, but often we're legally not *ABLE* to say much more than "we got your note and we'll deal with the user" - the Buckley Amendment is one of those laws that I'm glad is there, even if it does make life difficult sometimes.
> needs to be done? Would it not be better to have a single test suite run against a server once every six months than the constant bombardment we see now?
I submit to you the thesis that in general, the sites that are able to tell the difference between these two situations are not the sites that either situation is trying to detect.

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech