Re: How to secure the Internet in three easy steps
Blocking ports 137-139 is of great benefit to the vast majority of their customers. It is also of benefit to AT&T, as it cuts down on support calls. Of course, documenting this would be good.

- Daniel Golding

On Sun, 27 Oct 2002, Joe wrote:

> I second that.
>
> AT&T blocks ports (depending where you are) but won't come right out and say it. On a call to them over a year ago while testing DSL versus Cable in San Jose, it took almost an hour to get them to admit that they were blocking ports 137-139, and even then there was no formal acknowledgement of this blocking.
> If I was a betting man, which I'm not, I'd bet on them blocking udp 53 as well.
>
> No standard as I see it, depends on the child company managing the cable service.
>
> Just my 2¢s tho
> -Joe
>
> - Original Message -
> From: "Joseph Barnhart" <[EMAIL PROTECTED]>
> To: "Matthew S. Hallacy" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Sunday, October 27, 2002 8:46 PM
> Subject: Re: How to secure the Internet in three easy steps
>
> > Not really
> >
> > On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:
> >
> > > On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
> > > >
> > > > Sean,
> > > >
> > > > At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject to firewall ACLs) and actioned them under a complex and changing rule set. It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxying was used for http - you could opt out if you knew how.
> > > >
> > > > While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large
> > >
> > > Untrue, AT&T filters the following *on* the CPE:
> > >
> > > Ports / Direction / Protocol
> > >
> > > 137-139 -> any    Both     UDP
> > > any -> 137-139    Both     UDP
> > > 137-139 -> any    Both     TCP
> > > any -> 137-139    Both     TCP
> > > any -> 1080       Inbound  TCP
> > > any -> 1080       Inbound  UDP
> > > 68 -> 67          Inbound  UDP
> > > 67 -> 68          Inbound  UDP
> > > any -> 5000       Inbound  TCP
> > > any -> 1243       Inbound  UDP
> > >
> > > And they block port 80 inbound TCP further out in their network. Overall, cable providers more heavily than cable providers.
> > >
> > > I'd say that AT&T represents a fair amount of the people served via cable internet.
> > >
> > > > Regards,
> > > >
> > > > Eric Carroll
> > >
> > > --
> > > Matthew S. Hallacy    FUBAR, LART, BOFH Certified
> > > http://www.poptix.net    GPG public key 0x01938203
> >
> > -
> > Joseph Barnhart
> > Florida Digital Turnpike
> > Network Administrator
> > http://www.fdt.net
> > http://www.agilitybb.net
> > -
Re: How to secure the Internet in three easy steps
On Mon, 28 Oct 2002 11:05:44 EST, [EMAIL PROTECTED] said:
> They take a total revenue that somehow gets associated with selling cable and divide it by the price of the basic cable. The resulting number is the number of subscribers that they claim to have.

This of course is perfectly fine, as long as all subscribers are only paying the basic rate. Adjusting for the number of people who pay for premium services such as movie packages or cable-internet services without knowing the number of people that have that package is left as an exercise for the auditors and/or prosecutors... ;)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
RE: How to secure the Internet in three easy steps
Wow! They just don't count subscribers:). I realize one way makes more sense from a "we've got more subscribers than you do sense" but it wouldn't be that hard to count real subscribers one wouldn't think.

On Mon, 28 Oct 2002 [EMAIL PROTECTED] wrote:

> > > In a public press release dated August, they claim to have 1.8 million Internet customers. How that compares to the global pool of cable users, I cannot say.
> >
> > One cable company I've done business here (Ontario, Canada) has over 500K subscribers, and I don't believe it has the largest number of cable modems in the country. So you're probably talking around 1.5-2 million cable modems north of the border. Then you have Europe (I think .nl has decent cable modem penetration), Asia-Pacific, etc.
>
> Very cute. It is clear that the posters forgot how cable industry "counts" subscribers. The details came out during Adelphia bankruptcy. Since that time every cable co basically said "yep, that's how we do it too".
>
> Here's counting subscribers the cable industry way:
>
> They take a total revenue that somehow gets associated with selling cable and divide it by the price of the basic cable. The resulting number is the number of subscribers that they claim to have.
>
> Alex
RE: How to secure the Internet in three easy steps
> > In a public press release dated August, they claim to have 1.8 million Internet customers. How that compares to the global pool of cable users, I cannot say.
>
> One cable company I've done business here (Ontario, Canada) has over 500K subscribers, and I don't believe it has the largest number of cable modems in the country. So you're probably talking around 1.5-2 million cable modems north of the border. Then you have Europe (I think .nl has decent cable modem penetration), Asia-Pacific, etc.

Very cute. It is clear that the posters forgot how cable industry "counts" subscribers. The details came out during Adelphia bankruptcy. Since that time every cable co basically said "yep, that's how we do it too".

Here's counting subscribers the cable industry way:

They take a total revenue that somehow gets associated with selling cable and divide it by the price of the basic cable. The resulting number is the number of subscribers that they claim to have.

Alex
RE: How to secure the Internet in three easy steps
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On Behalf Of Christopher Schulte
> Sent: October 27, 2002 9:22 PM
> To: William Warren; [EMAIL PROTECTED]
> Subject: Re: How to secure the Internet in three easy steps
>
> In a public press release dated August, they claim to have 1.8 million Internet customers. How that compares to the global pool of cable users, I cannot say.

One cable company I've done business here (Ontario, Canada) has over 500K subscribers, and I don't believe it has the largest number of cable modems in the country. So you're probably talking around 1.5-2 million cable modems north of the border. Then you have Europe (I think .nl has decent cable modem penetration), Asia-Pacific, etc.

> It'll be interesting to see if att exports their filtering policies to the newly acquired customers. They'll want to support a uniform configuration across the whole network, I'm sure.

They apparently don't have a uniform configuration now; we have lots of people using AT&T BI complaining about blocked port 80s and whatnot, and yet we have some other AT&T BI users in different locations (but I think both were formerly-@Home AT&T BI areas) who don't have any ports blocked. Bizarre, I have to say.

Vivien
--
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
Re: How to secure the Internet in three easy steps
At 09:03 PM 10/27/2002 -0500, William Warren wrote:
> actually with the merger of AT&T and Comcast most cable inet customers will be through them.

Until that happens however:

In a public press release dated August, they claim to have 1.8 million Internet customers. How that compares to the global pool of cable users, I cannot say.

It'll be interesting to see if att exports their filtering policies to the newly acquired customers. They'll want to support a uniform configuration across the whole network, I'm sure.

--schulte
Re: How to secure the Internet in three easy steps
I second that.

AT&T blocks ports (depending where you are) but won't come right out and say it. On a call to them over a year ago while testing DSL versus Cable in San Jose, it took almost an hour to get them to admit that they were blocking ports 137-139, and even then there was no formal acknowledgement of this blocking.
If I was a betting man, which I'm not, I'd bet on them blocking udp 53 as well.

No standard as I see it, depends on the child company managing the cable service.

Just my 2¢s tho
-Joe

- Original Message -
From: "Joseph Barnhart" <[EMAIL PROTECTED]>
To: "Matthew S. Hallacy" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, October 27, 2002 8:46 PM
Subject: Re: How to secure the Internet in three easy steps

> Not really
>
> On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:
>
> > On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
> > >
> > > Sean,
> > >
> > > At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject to firewall ACLs) and actioned them under a complex and changing rule set. It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxying was used for http - you could opt out if you knew how.
> > >
> > > While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large
> >
> > Untrue, AT&T filters the following *on* the CPE:
> >
> > Ports / Direction / Protocol
> >
> > 137-139 -> any    Both     UDP
> > any -> 137-139    Both     UDP
> > 137-139 -> any    Both     TCP
> > any -> 137-139    Both     TCP
> > any -> 1080       Inbound  TCP
> > any -> 1080       Inbound  UDP
> > 68 -> 67          Inbound  UDP
> > 67 -> 68          Inbound  UDP
> > any -> 5000       Inbound  TCP
> > any -> 1243       Inbound  UDP
> >
> > And they block port 80 inbound TCP further out in their network. Overall, cable providers more heavily than cable providers.
> >
> > I'd say that AT&T represents a fair amount of the people served via cable internet.
> >
> > > Regards,
> > >
> > > Eric Carroll
> >
> > --
> > Matthew S. Hallacy    FUBAR, LART, BOFH Certified
> > http://www.poptix.net    GPG public key 0x01938203
>
> -
> Joseph Barnhart
> Florida Digital Turnpike
> Network Administrator
> http://www.fdt.net
> http://www.agilitybb.net
> -
Re: How to secure the Internet in three easy steps
On Sun, Oct 27, 2002 at 07:42:10PM -0600, Matthew S. Hallacy wrote:
>
> And they block port 80 inbound TCP further out in their network. Overall,
> cable providers more heavily than cable providers.
  ^-- s/cable/DSL/;

--
Matthew S. Hallacy    FUBAR, LART, BOFH Certified
http://www.poptix.net    GPG public key 0x01938203
Re: How to secure the Internet in three easy steps
actually with the merger of AT&T and Comcast most cable inet customers will be through them.

Joseph Barnhart wrote:

> Not really
>
> On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:
>
> > On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
> > >
> > > Sean,
> > >
> > > At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject to firewall ACLs) and actioned them under a complex and changing rule set. It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxying was used for http - you could opt out if you knew how.
> > >
> > > While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large
> >
> > Untrue, AT&T filters the following *on* the CPE:
> >
> > Ports / Direction / Protocol
> >
> > 137-139 -> any    Both     UDP
> > any -> 137-139    Both     UDP
> > 137-139 -> any    Both     TCP
> > any -> 137-139    Both     TCP
> > any -> 1080       Inbound  TCP
> > any -> 1080       Inbound  UDP
> > 68 -> 67          Inbound  UDP
> > 67 -> 68          Inbound  UDP
> > any -> 5000       Inbound  TCP
> > any -> 1243       Inbound  UDP
> >
> > And they block port 80 inbound TCP further out in their network. Overall, cable providers more heavily than cable providers.
> >
> > I'd say that AT&T represents a fair amount of the people served via cable internet.
> >
> > > Regards,
> > >
> > > Eric Carroll
> >
> > --
> > Matthew S. Hallacy    FUBAR, LART, BOFH Certified
> > http://www.poptix.net    GPG public key 0x01938203
>
> -
> Joseph Barnhart
> Florida Digital Turnpike
> Network Administrator
> http://www.fdt.net
> http://www.agilitybb.net
> -

--
May God Bless you and everything you touch.

My "foundation" verse:
Isaiah 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
Re: How to secure the Internet in three easy steps
Not really

On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:

> On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
> >
> > Sean,
> >
> > At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject to firewall ACLs) and actioned them under a complex and changing rule set. It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxying was used for http - you could opt out if you knew how.
> >
> > While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large
>
> Untrue, AT&T filters the following *on* the CPE:
>
> Ports / Direction / Protocol
>
> 137-139 -> any    Both     UDP
> any -> 137-139    Both     UDP
> 137-139 -> any    Both     TCP
> any -> 137-139    Both     TCP
> any -> 1080       Inbound  TCP
> any -> 1080       Inbound  UDP
> 68 -> 67          Inbound  UDP
> 67 -> 68          Inbound  UDP
> any -> 5000       Inbound  TCP
> any -> 1243       Inbound  UDP
>
> And they block port 80 inbound TCP further out in their network. Overall, cable providers more heavily than cable providers.
>
> I'd say that AT&T represents a fair amount of the people served via cable internet.
>
> > Regards,
> >
> > Eric Carroll
>
> --
> Matthew S. Hallacy    FUBAR, LART, BOFH Certified
> http://www.poptix.net    GPG public key 0x01938203

-
Joseph Barnhart
Florida Digital Turnpike
Network Administrator
http://www.fdt.net
http://www.agilitybb.net
-
Re: How to secure the Internet in three easy steps
On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
>
> Sean,
>
> At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject to firewall ACLs) and actioned them under a complex and changing rule set. It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxying was used for http - you could opt out if you knew how.
>
> While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large

Untrue, AT&T filters the following *on* the CPE:

Ports / Direction / Protocol

137-139 -> any    Both     UDP
any -> 137-139    Both     UDP
137-139 -> any    Both     TCP
any -> 137-139    Both     TCP
any -> 1080       Inbound  TCP
any -> 1080       Inbound  UDP
68 -> 67          Inbound  UDP
67 -> 68          Inbound  UDP
any -> 5000       Inbound  TCP
any -> 1243       Inbound  UDP

And they block port 80 inbound TCP further out in their network. Overall, cable providers more heavily than cable providers.

I'd say that AT&T represents a fair amount of the people served via cable internet.

> Regards,
>
> Eric Carroll

--
Matthew S. Hallacy    FUBAR, LART, BOFH Certified
http://www.poptix.net    GPG public key 0x01938203
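The CPE filter table in the message above, turned into a small rule matcher so the direction and port-range semantics can be checked against sample packets. This is an added example, not code from the message or from AT&T; it assumes "inbound" means Internet-to-customer, and the packets at the bottom are constructed.

```python
"""Matcher for the CPE port-filter table quoted in the message above.

Added example, not code from the message or from AT&T. The rule text is the
table as posted; "inbound" is assumed to mean Internet -> customer, and the
sample packets at the bottom are constructed.
"""

# The table as posted: "<src ports> -> <dst ports>  <Direction> <Protocol>".
# 137-139 is NetBIOS, 1080 is SOCKS, 67/68 is DHCP; 5000 and 1243 are left
# unlabelled because the message does not say what they are for.
CPE_FILTER_TABLE = """\
137-139 -> any Both UDP
any -> 137-139 Both UDP
137-139 -> any Both TCP
any -> 137-139 Both TCP
any -> 1080 Inbound TCP
any -> 1080 Inbound UDP
68 -> 67 Inbound UDP
67 -> 68 Inbound UDP
any -> 5000 Inbound TCP
any -> 1243 Inbound UDP
"""


def _port_range(spec):
    """'any' -> whole port space; '137-139' -> (137, 139); '1080' -> (1080, 1080)."""
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi) if hi else int(lo))


def parse_rules(text):
    """Turn the posted table into a list of rule dicts, in table order."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, arrow, dst, direction, proto = line.split()
        if arrow != "->":
            raise ValueError("malformed rule: %r" % line)
        rules.append({
            "src": _port_range(src),
            "dst": _port_range(dst),
            "direction": direction.lower(),   # 'both' or 'inbound'
            "proto": proto.lower(),           # 'tcp' or 'udp'
            "text": line,
        })
    return rules


RULES = parse_rules(CPE_FILTER_TABLE)


def matching_rule(direction, proto, sport, dport, rules=RULES):
    """Return the first table line that drops this packet, or None.

    direction: 'inbound' (Internet -> customer) or 'outbound'.
    A 'Both' rule applies in either direction; an 'Inbound' rule only to
    inbound traffic, so the same port reached outbound is untouched.
    """
    direction = direction.lower()
    proto = proto.lower()
    for r in rules:
        if r["proto"] != proto:
            continue
        if r["direction"] != "both" and r["direction"] != direction:
            continue
        if not (r["src"][0] <= sport <= r["src"][1]):
            continue
        if not (r["dst"][0] <= dport <= r["dst"][1]):
            continue
        return r["text"]
    return None


def cpe_blocks(direction, proto, sport, dport):
    """True if the CPE table drops the packet. Port 80 is absent on purpose:
    the message says that is blocked further out in the network, not on the CPE."""
    return matching_rule(direction, proto, sport, dport) is not None


# Constructed packets: (direction, proto, src port, dst port).
SAMPLE_PACKETS = [
    ("inbound", "tcp", 40000, 139),   # NetBIOS session from the Internet
    ("outbound", "udp", 137, 137),    # NetBIOS name query leaving the LAN
    ("inbound", "tcp", 5555, 1080),   # inbound SOCKS
    ("outbound", "tcp", 5555, 1080),  # outbound SOCKS: no rule, passes
    ("inbound", "udp", 67, 68),       # DHCP server -> client from outside
    ("inbound", "tcp", 5555, 80),     # inbound HTTP: not a CPE rule
]


def classify(packets=SAMPLE_PACKETS):
    """Map each packet to the rule that drops it (None = passes the CPE)."""
    return [(p, matching_rule(*p)) for p in packets]


if __name__ == "__main__":
    for pkt, rule in classify():
        print("%-35s %s" % (pkt, rule or "pass"))
```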
RE: How to secure the Internet in three easy steps
Sean,

At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject to firewall ACLs) and actioned them under a complex and changing rule set. It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxying was used for http - you could opt out if you knew how.

While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large cable company that did the right thing and implemented SMTP authentication for their mail service. The world would be a different place if client to server mail submission was done in an authenticated manner consistently across the Internet. It's amazing how many ISPs don't implement this best practice.

Regards,

Eric Carroll

-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On Behalf Of Sean Donelan
Sent: October 25, 2002 5:36 PM
To: Paul Vixie
Cc: [EMAIL PROTECTED]
Subject: Re: How to secure the Internet in three easy steps

On Fri, 25 Oct 2002, Paul Vixie wrote:
> > Not only that, but unless _everyone_ implements 2 and/or 3, all the bad people that exploit the things these are meant to protect will migrate to the networks that lack these measures, mitigating the benefits.
>
> not just the bad people. all the people. a network with 2 or 3 in place is useless. there is no way to make 2 or 3 happen.

AOL? I believe they proxy almost all their subscribers through several large datacenters, and don't allow users to run their own servers.

@Home prohibited customer servers on their network, blocked several ports, and proxied several services.

It's common for ISPs outside of the US to force their customers to use the ISP's web proxy server, even hijacking connections which attempt to bypass it.

As part of their anti-spam efforts, several providers block SMTP port 25, and force their subscribers to only use that provider's SMTP relay/proxy to send mail. Why not extend those same restrictions to other (all) protocols?

Many corporate networks already proxy all their users' traffic, and prohibit direct connections through the corporate firewalls.

I think it's a bad idea, but technically I have a hard time saying it's technically impossible.
Re: How to secure the Internet in three easy steps
> Source address validation, or more generally anti-spoofing filters, do not require providers maintain logs, perform content inspection or install firewalls. But source address validation won't stop attacks, viruses, child porn, terrorists, gambling, music sharing or any other evil that exists in the world. So the proposal "1" gets extended to include other stuff. It gives better ROI when more than SAV is included.

i can see how this could happen. however, i do not think that it is the reason why SAV is not getting deployed.
Re: How to secure the Internet in three easy steps
On Fri, 25 Oct 2002, Paul Vixie wrote:
> money. this whole thing is really about money. but "1" isn't getting done because the money that could be saved is by ISP "B" whereas the money which must be spent is by ISP "A". so, the nondeployment of BCP38 is all about money, too.

As the other Sean (Doran) likes to say, write a check. But that is too simplistic. It presumes only B saves money and only A spends money. On any particular day either A or B may be losing money due to attacks. I suspect on most days, both A and B are losing money. Money is probably 4 or 5 on the list of reasons why source address validation doesn't get implemented.

> the thing i'm trying to work my way back to is that "2" and "3" can be argued to restrict desirable freedoms (like reaching SMTP or WWW servers without being forced to use local proxies) whereas "1" has no arguments against it, or at least no arguers here on nanog today. why lump them all three together?

Source address validation, or more generally anti-spoofing filters, do not require providers maintain logs, perform content inspection or install firewalls. But source address validation won't stop attacks, viruses, child porn, terrorists, gambling, music sharing or any other evil that exists in the world. So the proposal "1" gets extended to include other stuff. It gives better ROI when more than SAV is included.

"1" is install provider managed firewalls to perform
 a. validate source addresses
 b. perform virus checking
 c. maintain forensic logs
 d. other "policy enforcement" to be determined
 e. anything else someone can think of

What worries me is "scope creep." All sorts of stuff is getting thrown into the security pot.
Re: How to secure the Internet in three easy steps
"batz" == batz <[EMAIL PROTECTED]> writes: batz> Assuming you are referring to "securing" as the balance of the batz> holy triuvirate of Confidentiality, Integrity and Availability, batz> there are other options than the modest proposals you made. batz> The ISP doesn't have to manage the firewall, but like I said batz> earlier, if they provided a configurable filter in the form of a batz> web interface to altering access-lists applied to the customers batz> connection, this would solve most problems. Just to make sure I understand what you are suggesting, you are saying that the solution to most of the Internet's security problems is for ISPs to set up webservers with applications running on them that allow customers to alter the ACLs on the ISP's routers for the interfaces that have that customer's connections? I must be misreading that somehow. ;-) IMHO, Michael
Re: How to secure the Internet in three easy steps
> > not just the bad people. all the people. a network with 2 or 3 in place is useless. there is no way to make 2 or 3 happen.

> As part of their anti-spam efforts, several providers block SMTP port 25, and force their subscribers to only use that provider's SMTP relay/proxy to send mail. Why not extend those same restrictions to other (all) protocols?

each protocol that becomes as widely abused as smtp has been, will be blocked, since blocking will save the ISP money. you also mentioned proxying of web traffic, which due to banner ads often makes the ISP money.

this whole thing is really about money. but "1" isn't getting done because the money that could be saved is by ISP "B" whereas the money which must be spent is by ISP "A". so, the nondeployment of BCP38 is all about money, too.

the thing i'm trying to work my way back to is that "2" and "3" can be argued to restrict desirable freedoms (like reaching SMTP or WWW servers without being forced to use local proxies) whereas "1" has no arguments against it, or at least no arguers here on nanog today. why lump them all three together?

PS. you mentioned AOL, which uses IP framing in order to leverage off of the IP stack already present in their customers' computers, but other than that it's a captive application. what addresses are used doesn't really matter there in any global sense, nor proxies or nats or whatever.
Re: How to secure the Internet in three easy steps
On Fri, 25 Oct 2002, Sean Donelan wrote:

:Many corporate networks already proxy all their users' traffic, and
:prohibit direct connections through the corporate firewalls.
:
:I think it's a bad idea, but technically I have a hard time saying it's
:technically impossible.

Well, it is also technically possible to have users register using biometrics to access the Internet and that still seems sci-fi dystopian enough that I'm not losing sleep over it yet.

There are definitely service class distinctions between a local DSL provider and a cable provider, and provided that American competition laws stave off the converged telcos running the local providers out of business, there is still hope.

It may be all retro to dredge up the dreaded road metaphor, but these cable services are really similar to suburbs. They are homogeneous areas built to serve a set of residential consumers with a limited, though uniform definition. To get to the "core" they require the use of a proprietary device or proxy to mediate their interactions with the rest of civil society. People pay a premium to be closer to the core and do so because of a vaguely articulated but strongly felt sense of "quality".

The whole metaphor is irritating, but from a market perspective the economics are similar. A vast majority of people will give up the subtle quality of a real connection, for a cheaper version that serves their relatively limited needs. Since the largest market will be made up of people with these lower expectations, the only way to make money will be to serve them. It makes services closer to the core more scarce, and thus more expensive to maintain, and it will eventually only be populated by businesses that can afford the premium, and people that don't pay at all and have nowhere else to go.

The Internet is starting to look a lot like Minneapolis-St. Paul.

--
batz
Re: How to secure the Internet in three easy steps
Actually, I'm not certain but athome didn't seem to proxy or block anything. I ran my home linux box off at home for a while and never had any problem with any ports including http and mail. Also, it seems to me that I tried something similar for a goof with an aol dialup and it worked as well.

On Fri, 25 Oct 2002, Sean Donelan wrote:

> On Fri, 25 Oct 2002, Paul Vixie wrote:
> > > Not only that, but unless _everyone_ implements 2 and/or 3, all the bad people that exploit the things these are meant to protect will migrate to the networks that lack these measures, mitigating the benefits.
> >
> > not just the bad people. all the people. a network with 2 or 3 in place is useless. there is no way to make 2 or 3 happen.
>
> AOL? I believe they proxy almost all their subscribers through several large datacenters, and don't allow users to run their own servers.
>
> @Home prohibited customer servers on their network, blocked several ports, and proxied several services.
>
> It's common for ISPs outside of the US to force their customers to use the ISP's web proxy server, even hijacking connections which attempt to bypass it.
>
> As part of their anti-spam efforts, several providers block SMTP port 25, and force their subscribers to only use that provider's SMTP relay/proxy to send mail. Why not extend those same restrictions to other (all) protocols?
>
> Many corporate networks already proxy all their users' traffic, and prohibit direct connections through the corporate firewalls.
>
> I think it's a bad idea, but technically I have a hard time saying it's technically impossible.
Re: How to secure the Internet in three easy steps
On Fri, 25 Oct 2002, Paul Vixie wrote:
> > Not only that, but unless _everyone_ implements 2 and/or 3, all the bad people that exploit the things these are meant to protect will migrate to the networks that lack these measures, mitigating the benefits.
>
> not just the bad people. all the people. a network with 2 or 3 in place is useless. there is no way to make 2 or 3 happen.

AOL? I believe they proxy almost all their subscribers through several large datacenters, and don't allow users to run their own servers.

@Home prohibited customer servers on their network, blocked several ports, and proxied several services.

It's common for ISPs outside of the US to force their customers to use the ISP's web proxy server, even hijacking connections which attempt to bypass it.

As part of their anti-spam efforts, several providers block SMTP port 25, and force their subscribers to only use that provider's SMTP relay/proxy to send mail. Why not extend those same restrictions to other (all) protocols?

Many corporate networks already proxy all their users' traffic, and prohibit direct connections through the corporate firewalls.

I think it's a bad idea, but technically I have a hard time saying it's technically impossible.
Re: How to secure the Internet in three easy steps
On Fri, 25 Oct 2002, Sean Donelan wrote:

:Assuming no time, money, people, etc resource constraints; securing the
:Internet is pretty simple.

Assuming you are referring to "securing" as the balance of the holy triumvirate of Confidentiality, Integrity and Availability, there are other options than the modest proposals you made.

The ISP doesn't have to manage the firewall, but like I said earlier, if they provided a configurable filter in the form of a web interface to altering access-lists applied to the customers connection, this would solve most problems.

It's not so much a question of what needs to be done, the technical solutions are always the easy part. It is a question of who needs to do it.

- If OS vendors didn't ship their products with all those services open, we wouldn't need to protect users with default firewall policies.

- If all users suddenly had an epiphany and could go to M$.com and click one link to lock down their home machines, M$ could keep shipping their consumer-grade hacker-bait to soccer moms and children. Maybe they can use their monopoly for something constructive for a change.

- If the government said that a cyberattack was imminent and launched a WWII style propaganda campaign along the lines of "loose lips sink ships" maybe people might catch on. This might sound silly, but it worked for Y2k.

So, modest proposals for draconian feature enhancements and creating arbitrary consumer and provider class users, are thankfully still funny.

--
batz
Re: How to secure the Internet in three easy steps
> This seems to be a catch-22; no one will implement these for the good of the net because it costs money, and ignorant competitors that don't implement them will not share in that expense. Have any such ideas been implemented in the modern internet? How?
>

Not to mention that 2 or 3 wouldn't do any good for the net. There are private ALG-based networks where you get to pay your premiums for your bits, if you need that functionality, there is no reason to break the internet, you just subscribe to your local X.400 service for email, etc.

Pete
Re: How to secure the Internet in three easy steps
> Not only that, but unless _everyone_ implements 2 and/or 3, all the bad people that exploit the things these are meant to protect will migrate to the networks that lack these measures, mitigating the benefits.

not just the bad people. all the people. a network with 2 or 3 in place is useless. there is no way to make 2 or 3 happen.

> This seems to be a catch-22; no one will implement these for the good of the net because it costs money, and ignorant competitors that don't implement them will not share in that expense. Have any such ideas been implemented in the modern internet? How?

neither 2 or 3 would be for the good of the net. 1 would be. the problem with 1 is that the person who feels pain when ISP "A" doesn't do 1 is most likely to be ISP "B". therefore people confuse 1 with "internet altruism" rather than the "rational selfishness" that it is.
Re: How to secure the Internet in three easy steps
"Sameer R. Manek" wrote: > > Paul Vixie wrote: > > Sean Donelan wrote: > > > I didn't make any of these up. They've all been proposed by serious, > > > well-meaning people. > > > > i recommend caution with your choice of words. apparently not everyone > > treats "well meaning" as the compliement that it is. > > I forget what they paved the road to hell with Good intentions. -- Only the mediocre are always at their best. Jean Giraudoux
Re: How to secure the Internet in three easy steps
> i don't believe that 2 or 3 will ever happen, for simple market reasons -- it is harder to make money if you do 2 or 3. however, 1 only costs a small bit of ops expense, and has no market impact at all, so it's practical in simple economic terms.

Not only that, but unless _everyone_ implements 2 and/or 3, all the bad people that exploit the things these are meant to protect will migrate to the networks that lack these measures, mitigating the benefits.

This seems to be a catch-22; no one will implement these for the good of the net because it costs money, and ignorant competitors that don't implement them will not share in that expense. Have any such ideas been implemented in the modern internet? How?
RE: How to secure the Internet in three easy steps
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On Behalf Of
> Paul Vixie
> Sent: Friday, October 25, 2002 12:39 PM
>
> > > i can see how the end to end principle applies in cases 2 and
> > > 3, but not 1.
> >
> > I didn't make any of these up. They've all been proposed by serious,
> > well-meaning people.
>
> i recommend caution with your choice of words. apparently not everyone
> treats "well meaning" as the compliment that it is.

I forget what they paved the road to hell with

Sameer
Re: How to secure the Internet in three easy steps
> > > 1. Require all providers install and manage firewalls on all subscriber
> > > connections enforcing source address validation.
> >
> > i can see how the end to end principle applies in cases 2 and 3, but not 1.
>
> I didn't make any of these up. They've all been proposed by serious,
> well-meaning people.

i recommend caution with your choice of words. apparently not everyone treats "well meaning" as the compliment that it is.

> If you have 2 and 3, why do you need to waste global addresses on 1.

i don't believe that 2 or 3 will ever happen, for simple market reasons -- it is harder to make money if you do 2 or 3. however, 1 only costs a small bit of ops expense, and has no market impact at all, so it's practical in simple economic terms.

> It's a misunderstanding of what source address validation is. Some folks
> think it should work like ANI, where the telephone company writes the
> "correct" number on the call at the switch.

ouch. i guess you're right. perhaps a copy of BCP38 should come with every router sold?
Re: How to secure the Internet in three easy steps
On 25 Oct 2002, Paul Vixie wrote:
> > 1. Require all providers install and manage firewalls on all subscriber
> > connections enforcing source address validation.
>
> i can see how the end to end principle applies in cases 2 and 3, but not 1.

I didn't make any of these up. They've all been proposed by serious, well-meaning people.

If you have 2 and 3, why do you need to waste global addresses on 1. So the NSP-managed "firewall" device is really a super-NAT device, which some well-meaning people believe improves security because users won't be able to set the outbound addresses themselves. The firewall will rewrite the user's hidden internal address with the firewall's registered address.

It's a misunderstanding of what source address validation is. Some folks think it should work like ANI, where the telephone company writes the "correct" number on the call at the switch.
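The distinction Sean draws here (and the BCP38 Paul points at in his reply) is easy to state but easy to get backwards, so the following is an added example written for this page; it is not code from the thread or from any router vendor. It models strict BCP38 ingress filtering at the subscriber port, which checks the source and drops what the subscriber could not legitimately own, beside the "ANI" idea of a provider NAT that stamps its own address on everything, and renders the filter as IOS-style access-list lines. The interface names, prefixes, NAT address and sample packets are all constructed for the example.

```python
# Added example for this page, not code from the NANOG thread or any vendor.
# BCP38 ingress source-address validation versus the "ANI" NAT misunderstanding.
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed: prefixes each subscriber-facing port may source. Documentation
# ranges (RFC 5737 / RFC 3849); the port names are hypothetical.
SUBSCRIBER_PREFIXES: Dict[str, List[str]] = {
    "Gi0/1": ["192.0.2.0/24"],
    "Gi0/2": ["198.51.100.0/26", "2001:db8:1::/48"],
}


def bcp38_verdict(ingress_if: str, src: str) -> str:
    """Strict ingress filter: forward only if src falls inside a prefix assigned
    to the port the packet arrived on. Unknown ports and unparsable addresses
    fail closed. Nothing is rewritten; the only outcomes are forward or drop."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"
    for prefix in SUBSCRIBER_PREFIXES.get(ingress_if, []):
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            return "forward"
    return "drop"


def ani_style_rewrite(ingress_if: str, src: str,
                      nat_addr: str = "203.0.113.1") -> Tuple[str, str]:
    """The misunderstanding: the provider box overwrites whatever source the
    subscriber used with its own registered address (constructed here) and
    forwards. It never asks whether src was legitimate, so a spoofed packet is
    never detected or dropped; it simply leaves carrying the NAT's address."""
    return ("forward", nat_addr)


def ios_ingress_acl(ingress_if: str) -> List[str]:
    """Render the same policy as Cisco IOS configuration lines: a named ACL per
    address family that permits the assigned prefixes and denies the rest,
    applied inbound on the subscriber port. Illustrative rendering only."""
    tag = ingress_if.upper().replace("/", "-")
    nets = [ipaddress.ip_network(p) for p in SUBSCRIBER_PREFIXES[ingress_if]]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    lines: List[str] = []
    apply: List[str] = [f"interface {ingress_if}"]
    if v4:
        name = f"BCP38-IN-{tag}"
        lines.append(f"ip access-list extended {name}")
        lines += [f" permit ip {n.network_address} {n.hostmask} any" for n in v4]
        lines.append(" deny ip any any log")
        apply.append(f" ip access-group {name} in")
    if v6:
        name = f"BCP38-IN6-{tag}"
        lines.append(f"ipv6 access-list {name}")
        lines += [f" permit ipv6 {n} any" for n in v6]
        lines.append(" deny ipv6 any any log")
        apply.append(f" ipv6 traffic-filter {name} in")
    return lines + apply


SAMPLE_PACKETS: List[Tuple[str, str]] = [  # constructed (ingress port, source)
    ("Gi0/1", "192.0.2.10"),        # legitimate customer address
    ("Gi0/1", "198.51.100.7"),      # spoofed: belongs to the Gi0/2 customer
    ("Gi0/1", "10.0.0.1"),          # RFC 1918 address leaking out
    ("Gi0/2", "2001:db8:1::beef"),  # legitimate IPv6 address
    ("Gi0/2", "2001:db8:ffff::1"),  # spoofed IPv6 address
    ("Gi0/9", "192.0.2.10"),        # port with no assignment: fail closed
]


def audit(packets: List[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Run one batch through both models. BCP38 drops every packet whose source
    the port could not own; the NAT model forwards all of them."""
    bcp38 = Counter(bcp38_verdict(port, src) for port, src in packets)
    nat = Counter(ani_style_rewrite(port, src)[0] for port, src in packets)
    return {"bcp38": dict(bcp38), "nat_rewrite": dict(nat)}


if __name__ == "__main__":
    print(audit(SAMPLE_PACKETS))  # {'bcp38': {'forward': 2, 'drop': 4}, 'nat_rewrite': {'forward': 6}}
    print("\n".join(ios_ingress_acl("Gi0/2")))
```

The filter is keyed on the ingress port, not on a global "is this address real" list: the whole point of BCP38 is that the edge device knows which prefixes it handed to the customer behind each port, so the check is cheap and needs no state beyond the assignment table. The `log` keyword on the deny lines is what turns the filter into a detection signal for spoofing attempts from inside the network.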
Re: How to secure the Internet in three easy steps
> Assuming no time, money, people, etc resource constraints; securing the
> Internet is pretty simple.
>
> 1. Require all providers install and manage firewalls on all subscriber
> connections enforcing source address validation.
>
> 2. Prohibit subscribers from running services on their own machines. Only
> approved provider managed servers should provide services to users.
>
> 3. Prohibit direct subscriber-to-subscriber communication, except through
> approved NSP protocol gateways. Only approved NSP-to-NSP proxied traffic
> should be exchanged between network providers.
>
> Are there some down-sides? Sure. But who really needs the end-to-end
> principle or uncontrolled innovation.

i can see how the end to end principle applies in cases 2 and 3, but not 1.
-- 
Paul Vixie
Re: How to secure the Internet in three easy steps
At 13:14 -0400 10/25/02, Sean Donelan wrote:
> Are there some down-sides? Sure. But who really needs the end-to-end
> principle or uncontrolled innovation.

The context of the above is, of course, sarcastic. But it reminded me of a quote that once appeared on a mailing list that is germane to this. The quote was uttered in 1824 or so, by the inventor of the telegraph. The quote lamented that the funding needed to deploy an innovative concept was held by the folks that were the most threatened by innovation - i.e., they made money without the latest new-fangled thing, so whatever the new-fangled thing did, it was sure to be a threat to their current income stream.

Does anyone know this quote?
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854 ARIN Research Engineer