Okay, I'll bite... --- Sean Donelan <sean@donelan.com> wrote:
On Fri, 21 Feb 2003, Martin Hannigan wrote:
Isn't your NOC normally vigilant?
Of course.
Perhaps even use different sets of ACL's on the edge, etc. It could also be used to explain an unexpected surge in traffic, calls, or other things. Ever look at some traffic stats and see a major surge and want to make sure you understand why?
Again, wouldn't you also do all of these things "normally?" If an ACL is a good idea at "Orange," wouldn't you protect your network with those ACL's when the level is "Yellow"? Or would you remove those ACL's when the threat level is reduced? How would you explain to your management, when you are hacked at level "Yellow," that you had better ACL's, but you only used the good ACL's at level "Orange"?
Well, an example could be "if threat level is yellow, permit traffic from $foreign_country_x, but if it goes to orange, deny all from $foreign_country_x, or perhaps log all from there." I know that there are certain ISPs which deny all mail traffic from certain ASes, because of the volume of Spam. The same principle could be at work here: if (threat_level++) then deny(unknown_from_Source[nasty]) else permit.

-David Barak
fully RFC 1925 compliant
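The tiered-ACL idea David sketches, and Sean's objection to it, can both be made concrete with a small policy evaluator. This is an added example and not code from anyone in the thread; the level names, the source tags ("country_x", "spam_as") and the three-action scale are constructed for illustration. Rules carry a minimum threat level at which they switch on; the baseline rules are pinned to the lowest level so they are always active, and a monotonicity check flags any policy that gets looser as the level rises (the case Sean would have to explain to management).

```python
from dataclasses import dataclass
from typing import List

# Ordered threat levels, lowest first (constructed, DHS-style names).
LEVELS = ["green", "blue", "yellow", "orange", "red"]
# Actions ordered by strictness so policies can be compared.
SEVERITY = {"permit": 0, "log": 1, "deny": 2}


@dataclass(frozen=True)
class Rule:
    min_level: str   # rule is active at this level and every level above it
    src: str         # source tag (hypothetical, e.g. a country or AS label) or "any"
    action: str      # "permit", "log" or "deny"


def level_index(level: str) -> int:
    return LEVELS.index(level)


def evaluate(rules: List[Rule], level: str, src: str) -> str:
    """Return the action applied to traffic from `src` at `level`.

    Among the active rules that match, the one tied to the highest level
    wins (most specific to the current posture); ties go to the stricter
    action. With no match the policy defaults to permit.
    """
    best = None
    for r in rules:
        if level_index(r.min_level) > level_index(level):
            continue  # not active yet at this threat level
        if r.src not in (src, "any"):
            continue
        key = (level_index(r.min_level), SEVERITY[r.action])
        if best is None or key > best[0]:
            best = (key, r.action)
    return best[1] if best else "permit"


def is_monotonic(rules: List[Rule], sources: List[str]) -> bool:
    """True if no source is treated more leniently at a higher level."""
    for src in sources:
        previous = 0
        for lvl in LEVELS:
            current = SEVERITY[evaluate(rules, lvl, src)]
            if current < previous:
                return False  # policy loosened as the level rose
            previous = current
    return True


# Constructed policy: spam source blocked always; country_x logged at
# yellow and denied at orange and above.
POLICY = [
    Rule("green", "spam_as", "deny"),
    Rule("yellow", "country_x", "log"),
    Rule("orange", "country_x", "deny"),
]
```

A policy that denies a source at yellow but only logs it at orange would fail `is_monotonic`, which is the configuration mistake the thread warns about.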