On Wed, 18 Sep 2002, Sean Donelan wrote:
I would love to see some proposals from different ISPs on how they view the Internet (or ISP) security architecture. Cisco, Sun, Lucent and Telcordia have vendor architectures. But what architectures work for real ISPs? What can we point to as a "good" Internet security architecture? Is there a difference between what works for a small, medium or large ISP?
What exactly do you mean by "security architecture"?

Many network security efforts seem to be inspired by Descartes. Several centuries ago, this very smart man sat down in front of the fire several nights in a row and started doubting everything he could possibly doubt. Senses, memory, everything. After all, everything that seems real may in fact be an illusion created by a "malicious demon". (No, he wasn't talking about a worm or trojan.) I'm not sure what his conclusion, which can be simplified as "I think, therefore I am", would translate to. Maybe "I encrypt, therefore I am secure"?

Anyway, in our efforts to see security weaknesses everywhere, we might be going too far. For instance, nearly all our current protocols are completely vulnerable to a man-in-the-middle attack. If someone digs up a fiber, intercepts packets and changes the content before letting them continue to their destination, maybe the layer 1 guys will notice, but not any of us IP people. So what should we do? It seems each and every protocol is now trying to solve the exact same problem. A better solution would be to adopt IPSec throughout the net. But that doesn't protect you from a denial of service attack: the man in the middle can just discard your packets. Even worse, if you have to do crypto for every packet you receive, an attacker can simply send packets that only turn out invalid after performing expensive cryptographic operations and have you burn CPU cycles like it's going out of style.

What we need are realistic expectations. Yes, the internet is vulnerable to some degree, but the risks are nothing to worry about relative to eating food that strangers have prepared or driving at high speed between many bad-tempered people who are all armed with a ton of steel.

For regular day-to-day stuff such as off-topic rants and downloading copyrighted material, the vulnerabilities that exist aren't really an issue: the expense and effort to break into a _network_ (rather than just some box connected to it) is not worth the gain. And for things that are more sensitive: refer to the end-to-end principle. SSL isn't perfect, but it's widely available. IPSec is more perfect, but less available. They'll both run fine over the current network.

However, that doesn't mean we can lean back and do nothing. Some protocols are really too insecure. Please be assured that these problems have the attention of the IETF. Everyone should feel free to donate time to help develop newer, more secure protocols or newer, more secure versions of old ones.

In the meantime, many people are still doing things they shouldn't, and not doing things they should. If properly implemented, it is very hard to break BGP. But that means everyone has to use antispoofing packet filters, have strict filtering on the routes they accept from their customers and preferably on those they accept from their peers as well, and use TCP MD5 password protection on all BGP sessions. That's something we can all do before the month is out and it will actually make the net more secure without breaking anything.

Iljitsch van Beijnum
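The three BGP hardening measures listed in the post (antispoofing on the customer interface, strict inbound route filters for customers and peers, and TCP MD5 on every session), as an added Cisco IOS configuration example that is not part of the original message. Interface names, ASNs (64496, 64497, 64500), the RFC 5737 documentation addresses and the password placeholders are all assumed values.

```cisco
! Customer-facing interface: strict unicast RPF drops any packet whose
! source address is not routed back out this same interface (antispoofing).
interface GigabitEthernet0/1
 description link to single-homed customer AS64496 (assumed)
 ip address 192.0.2.2 255.255.255.252
 ip verify unicast source reachable-via rx
!
! Customer route filter: only the prefixes this customer is entitled to
! announce, nothing longer than a /24; everything else is rejected.
ip prefix-list CUST-AS64496-IN seq 5 permit 198.51.100.0/24
ip prefix-list CUST-AS64496-IN seq 10 permit 203.0.113.0/23 le 24
ip prefix-list CUST-AS64496-IN seq 100 deny 0.0.0.0/0 le 32
!
! Peer route filter: reject a default route, private space, our own
! aggregate (192.0.2.0/24, assumed) and anything longer than a /24.
ip prefix-list PEER-IN seq 5 deny 0.0.0.0/0
ip prefix-list PEER-IN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list PEER-IN seq 15 deny 172.16.0.0/12 le 32
ip prefix-list PEER-IN seq 20 deny 192.168.0.0/16 le 32
ip prefix-list PEER-IN seq 25 deny 192.0.2.0/24 le 32
ip prefix-list PEER-IN seq 100 permit 0.0.0.0/0 le 24
!
router bgp 64500
 ! Customer session: MD5-signed, inbound filtered, prefix count capped
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description customer AS64496
 neighbor 192.0.2.1 password CUSTOMER-MD5-SECRET-PLACEHOLDER
 neighbor 192.0.2.1 prefix-list CUST-AS64496-IN in
 neighbor 192.0.2.1 maximum-prefix 10
 ! Peer session: same MD5 protection, looser but still bounded filter
 neighbor 192.0.2.9 remote-as 64497
 neighbor 192.0.2.9 description peer AS64497 (assumed)
 neighbor 192.0.2.9 password PEER-MD5-SECRET-PLACEHOLDER
 neighbor 192.0.2.9 prefix-list PEER-IN in
 neighbor 192.0.2.9 maximum-prefix 150000
```

Strict uRPF as shown only suits single-homed customers with symmetric routing; the MD5 password must be configured identically on both ends or the session will not establish, and `show ip bgp neighbors` will report the prefix-list and password state per neighbor.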