In a message written on Sat, Oct 18, 2003 at 12:26:21PM -0400, Eric Gauthier wrote:
Again, I definitely agree with the IAB's recommendation. However, its difficult to defend this point of view in practice since most of the equipment does basic packet filtering in hardware or with minimal cost to peformance. So, I just can't figure out how to sit in front of our administration and justify the replacement of a zero-cost solution with the cost of added staff and equipment to mitigate these security risks, especially when the up side is just not "limiting the potential for deployment of future applications".
Well, but you've hit the nail on the head. The fitler solution is _NOT_ zero cost, it is deferred cost. I suggest you phrase it that way. It's a way of deferring the cost to later, with interest. The longer you use it, the higher that interest payment will be, in the form of new and different attacks you can't block. Phrasing it to the bean counters that it is deferring the cost, with interest, and suggesting that simultaneously some money be spent on user education, better software, or whatever is appropriate to insure you don't have a "huge baloon payment" later might help put it in terms they can understand. Similar parallels can be drawn to antibiotics -- the over use will eventually render them ineffective. It's a very similar situation, and sometimes you have to just invest in not getting sick in the first place (wash your hands...patch your system). -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org