layered security for the modern Internet
Looking at last week's NANOG posts: SAV... 30% of spam from h4x0r3d boxen... bagle...

It seems the original definition and ideology of layered security are outdated. Layered security now means:

* Do nothing at a given layer if the problem can be solved, or partially solved, at another layer;
* If a problem cannot be completely solved at a given layer, do nothing at that layer;
* Approach the problem by arguing on NANOG over who has the most representative analogy.

Eddy

--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses:
blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.
Eddy,

My favorite idiom is: "You're either part of the problem or part of the solution." What's your solution?

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of E.B. Dreger
Sent: Sunday, March 07, 2004 12:32 PM
To: nanog@merit.edu
Subject: layered security for the modern Internet
CJW> Date: Sun, 7 Mar 2004 12:56:35 -0700
CJW> From: Christopher J. Wolff

CJW> My favorite idiom is: "You're either part of the problem or
CJW> part of the solution."

Thanks for your contribution.

CJW> What's your solution?

There's no one single answer. That's the whole point. The closest thing to a single answer would be "shift the cost of failure to the responsible party", but that's still insufficient.

One must use many tactics -- prefix-list, filter-list, customer education, SAV, etc. -- and expect the same from upstreams, peers, and downstreams. Note that it's much easier to ask something of others when one has demonstrated willingness to do the same.

Software vendors should be held more accountable for exploitable bugs that go unfixed. Admins should be held more accountable for systems that go unpatched. I realize not every car owner is a mechanic, but car owners who drive oil-burning, tailpipe-dragging jalopies with no headlights quickly learn that's no excuse.

What about using a non-executable stack segment in $os on platforms where that's possible/necessary? Teaching about buffer overruns and race conditions in elementary programming classes sounds worthy to me, too.

In short: My solution is for all these _parts_ of the answer to receive the attention and action they deserve. It's a bit harder than griping on NANOG about the lack of a turnkey answer every three weeks, but probably at least effective enough to warrant a bit of attention.

People gripe about the cost of exploits and attacks, yet complain about the costs of preventative measures. If the preventative measures are too expensive, then evidently the consequences are acceptable.

That said, I'm eagerly awaiting your silver bullet. (Or are you part of the problem?)

Eddy