"sd" == Sean Donelan <sean@donelan.com> writes:
sd> On Tue, 26 Feb 2002, Richard A Steenbergen wrote:
A lot of those protocols have people looking at them on a regular basis, and they still manage to come up with obscure exploits no one else noticed (ex: 23mb of buffer overflows to exploit telnetd).
sd> So what is the solution for a public network operator. I attended
sd> a presentation last week where a Checkpoint reseller suggested the
sd> client needed to buy eight Checkpoint firewalls to protect a
sd> single web server. I was impressed, what about the undercoating
sd> and scotchguard fabric protector.

That's actually a possibility, soon as they support OC-192 interfaces ;)
Stay away from the undercoating, but the ScotchGuard(tm) is definitely worth it!

sd> Is it time to fall back in punt? How would you architect a backbone if
sd> you could do it over?

Security is not about making things foolproof. They'll always be able to break you, no matter what you do. Security is about assuming acceptable risk, and mitigating unacceptable risk.

This whole recent mess has actually gone over fairly cleanly. The vast majority of public infrastructure seems to have been patched with a fair amount of speed, and nobody's noticed any serious outages due to it. Apparently, the risk we assumed was acceptable, and when it became unacceptable, it was mitigated quickly enough.

If I could do it over? I'd get in my Tardis, and go back to 1969. I'd teach everyone at DARPA how to spell security. Loose source route, IP options in general, ICMP address mask requests, all these things should go away.

sd> Is the complexity of SSH code worth the protection? Or is it better
sd> never to access your routers through VTY ports, and always use an
sd> reverse-terminal server to the console from an out-of-band management
sd> LAN?

Console is slow, logs can easily DoS a 9600 baud line. It only allows one connection. Good fallback point, operationally does not scale.

SSH is worth the protection, as reference implementations are available, and it requires very little in the way of system support. As long as in-band access to routers is required, SSH (or HTTPS or IPSec) will be with us. As time passes, the quality of the tools that we have to work with improves, and our trust in them can grow.
The official answer is control plane separation. This worked for the PSTN, and it's the way the Internet will go, eventually.

ericb
--
Eric Brandwine      | Things should be as simple as possible, but not simpler.
UUNetwork Security  |
ericb@uu.net        |   - Albert Einstein
+1 703 886 6038     |
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
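The message above names three legacy IPv4 features an operator's edge filter should drop: loose source routing, IP options in general, and ICMP address mask requests. The following is an added example, not code from this thread or from any of its participants, showing the ingress check a defender would write for exactly those features. It parses the IPv4 header, walks the option list with length validation (a malformed option is itself a drop reason), and inspects the ICMP type. The packet builder and the sample packets are constructed here for illustration and use RFC 5737 documentation addresses; the header checksum is deliberately left zero because nothing is ever sent.

```python
import socket
import struct

# IPv4 option type octets (copy bit + class + number) from RFC 791 / RFC 1122.
IPOPT_END = 0     # end of option list
IPOPT_NOP = 1     # no-operation padding
IPOPT_RR = 7      # record route
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_ADDR_MASK_REQUEST = 17  # RFC 950 address mask request
ICMP_ADDR_MASK_REPLY = 18


def parse_ip_options(opts):
    """Walk the option bytes that follow the fixed 20-byte header.

    Returns a list of (type, data) tuples. Raises ValueError when a
    length octet is < 2 or would run past the end of the option field.
    """
    found = []
    i = 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == IPOPT_END:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((opt_type, bytes(opts[i + 2:i + length])))
        i += length
    return found


def audit_packet(pkt):
    """Return the reasons an ingress filter would drop this IPv4 packet.

    An empty list means the packet carries none of the legacy features
    the message calls out: source routing, IP options in general, and
    ICMP address mask requests/replies.
    """
    if len(pkt) < 20:
        return ["truncated IPv4 header"]
    if pkt[0] >> 4 != 4:
        return ["not IPv4"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return ["bad IHL"]
    reasons = []
    try:
        options = parse_ip_options(pkt[20:ihl])
    except ValueError as err:
        # A malformed option field is itself a reason to drop.
        return [f"malformed IP options ({err})"]
    for opt_type, _data in options:
        if opt_type == IPOPT_LSRR:
            reasons.append("loose source route option")
        elif opt_type == IPOPT_SSRR:
            reasons.append("strict source route option")
        elif opt_type == IPOPT_RR:
            reasons.append("record route option")
        else:
            reasons.append(f"unexpected IP option {opt_type}")
    proto = pkt[9]
    if proto == IPPROTO_ICMP and len(pkt) >= ihl + 8:
        icmp_type = pkt[ihl]
        if icmp_type == ICMP_ADDR_MASK_REQUEST:
            reasons.append("ICMP address mask request (type 17)")
        elif icmp_type == ICMP_ADDR_MASK_REPLY:
            reasons.append("ICMP address mask reply (type 18)")
    return reasons


def build_ipv4(src, dst, proto, payload, options=b""):
    """Constructed test packet; checksum stays zero because it is only
    ever fed to audit_packet(), never put on the wire."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad with END octets
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len,
                         0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def audit_samples():
    """Run the filter over a handful of constructed packets."""
    # LSRR: type 131, length 7, pointer 4, one hop address (TEST-NET-1).
    lsrr = b"\x83\x07\x04" + socket.inet_aton("192.0.2.1")
    # ICMP address mask request: type 17, code 0, cksum, id, seq, mask.
    mask_req = struct.pack("!BBHHH4s", ICMP_ADDR_MASK_REQUEST, 0, 0, 1, 1, b"\0\0\0\0")
    samples = {
        "plain_udp": build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_UDP, b"\x00" * 8),
        "lsrr": build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_UDP, b"\x00" * 8, lsrr),
        "icmp_mask_request": build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_ICMP, mask_req),
        "bad_option_length": build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_UDP, b"", b"\x83\x01"),
    }
    return {name: audit_packet(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, reasons in audit_samples().items():
        print(f"{name:18s} -> {'pass' if not reasons else ', '.join(reasons)}")
```

In production the same checks live in a router ACL (`no ip source-route`, dropping packets with options, filtering ICMP types 17/18 at the edge); the value of spelling them out in code is the length-validation step, since an option parser that trusts the length octet is exactly the sort of "obscure exploit" the thread opens with.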