How to secure the Internet in three easy steps

2002-10-25 Thread Sean Donelan
Assuming no time, money, people, etc resource constraints; securing the Internet is pretty simple. 1. Require all providers install and manage firewalls on all subscriber connections enforcing source address validation. 2. Prohibit subscribers from running services on their own machines. Only a

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Edward Lewis
At 13:14 -0400 10/25/02, Sean Donelan wrote: Are there some down-sides? Sure. But who really needs the end-to-end principle or uncontrolled innovation. The context of the above is, of course, sarcastic. But it reminded me of a quote that once appeared on a mailing list that is germane to this

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Paul Vixie
> Assuming no time, money, people, etc resource constraints; securing the > Internet is pretty simple. > > 1. Require all providers install and manage firewalls on all subscriber > connections enforcing source address validation. > > 2. Prohibit subscribers from running services on their own mac

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Sean Donelan
On 25 Oct 2002, Paul Vixie wrote: > > 1. Require all providers install and manage firewalls on all subscriber > > connections enforcing source address validation. > > i can see how the end to end principle applies in cases 2 and 3, but not 1. I didn't make any of these up. They've all been propo

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Paul Vixie
> > > 1. Require all providers install and manage firewalls on all subscriber > > > connections enforcing source address validation. > > > > i can see how the end to end principle applies in cases 2 and 3, but not 1. > > I didn't make any of these up. They've all been proposed by serious, > well

RE: How to secure the Internet in three easy steps

2002-10-25 Thread Sameer R. Manek
> -Original Message- > From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu]On Behalf Of > Paul Vixie > Sent: Friday, October 25, 2002 12:39 PM > > > > i can see how the end to end principle applies in cases 2 and > 3, but not 1. > > > > I didn't make any of these up. They've all been

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Ryan Fox
> i don't believe that 2 or 3 will ever happen, for simple market reasons -- > it is harder to make money if you do 2 or 3. however, 1 only costs a small > bit of ops expense, and has no market impact at all, so it's practical in > simple economic terms. Not only that, but unless _everyone_ impl

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Etaoin Shrdlu
"Sameer R. Manek" wrote: > > Paul Vixie wrote: > > Sean Donelan wrote: > > > I didn't make any of these up. They've all been proposed by serious, > > > well-meaning people. > > > > i recommend caution with your choice of words. apparently not everyone > > treats "well meaning" as the compliem

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Paul Vixie
> Not only that, but unless _everyone_ implements 2 and/or 3, all the bad > people that exploit the things these are meant to protect will migrate to > the networks that lack these measures, mitigating the benefits. not just the bad people. all the people. a network with 2 or 3 in place is usel

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Petri Helenius
> This seems to be a catch-22; no one will implement these for the good of the > net because it costs money, and ignorant competitors that don't implement > them will not share in that expense. Have any such ideas been implemented > in the modern internet? How? > Not to mention that 2 or 3 woul

Re: How to secure the Internet in three easy steps

2002-10-25 Thread batz
On Fri, 25 Oct 2002, Sean Donelan wrote: :Assuming no time, money, people, etc resource constraints; securing the :Internet is pretty simple. Assuming you are referring to "securing" as the balance of the holy triumvirate of Confidentiality, Integrity and Availability, there are other options th

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Sean Donelan
On Fri, 25 Oct 2002, Paul Vixie wrote: > > Not only that, but unless _everyone_ implements 2 and/or 3, all the bad > > people that exploit the things these are meant to protect will migrate to > > the networks that lack these measures, mitigating the benefits. > > not just the bad people. all the

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Scott Granados
Actually, I'm not certain but athome didn't seem to proxy or block anything. I ran my home linux box off at home for a while and never had any problem with any ports including http and mail. Also, it seems to me that I tried something similar for a goof with an aol dialup and it worked as well.

Re: How to secure the Internet in three easy steps

2002-10-25 Thread batz
On Fri, 25 Oct 2002, Sean Donelan wrote: :Many corporate networks already proxy all their users' traffic, and :prohibit direct connections through the corporate firewalls. : :I think it's a bad idea, but technically I have a hard time saying it's :technically impossible. Well, it is also technical

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Paul Vixie
> > not just the bad people. all the people. a network with 2 or 3 in place > > is useless. there is no way to make 2 or 3 happen. > As part of their anti-spam efforts, several providers block SMTP port > 25, and force their subscribers to only use that provider's SMTP > relay/proxy to send ma

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Michael Lamoureux
"batz" == batz <[EMAIL PROTECTED]> writes: batz> Assuming you are referring to "securing" as the balance of the batz> holy triumvirate of Confidentiality, Integrity and Availability, batz> there are other options than the modest proposals you made. batz> The ISP doesn't have to manage the firew

Re: How to secure the Internet in three easy steps

2002-10-26 Thread Sean Donelan
On Fri, 25 Oct 2002, Paul Vixie wrote: > money. this whole thing is really about money. but "1" isn't getting > done because the money that could be saved is by ISP "B" whereas the > money which must be spent is by ISP "A". so, the nondeployment of BCP38 > is all about money, too. As the other

Re: How to secure the Internet in three easy steps

2002-10-26 Thread Paul Vixie
> Source address validation, or more generally anti-spoofing filters, do > not require providers maintain logs, perform content inspection or > install firewalls. But source address validation won't stop attacks, > viruses, child porn, terrorists, gambling, music sharing or any other > evil that e

RE: How to secure the Internet in three easy steps

2002-10-27 Thread Eric M. Carroll
ic Carroll -Original Message- From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On Behalf Of Sean Donelan Sent: October 25, 2002 5:36 PM To: Paul Vixie Cc: [EMAIL PROTECTED] Subject: Re: How to secure the Internet in three easy steps On Fri, 25 Oct 2002, Paul Vixie wrote: > > Not only

Re: How to secure the Internet in three easy steps

2002-10-27 Thread Matthew S. Hallacy
On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote: > > Sean, > > At Home's policy was that servers were administratively forbidden. It > ran proactive port scans to detect them (which of course were subject to > firewall ACLs) and actioned them under a complex and changing rule set

Re: How to secure the Internet in three easy steps

2002-10-27 Thread Joseph Barnhart
Not really On Sun, 27 Oct 2002, Matthew S. Hallacy wrote: > > On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote: > > > > Sean, > > > > At Home's policy was that servers were administratively forbidden. It > > ran proactive port scans to detect them (which of course were subject

Re: How to secure the Internet in three easy steps

2002-10-27 Thread William Warren
actually with the merger of At&t and comcast most cable inet customers will be through them. Joseph Barnhart wrote: Not really On Sun, 27 Oct 2002, Matthew S. Hallacy wrote: On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote: Sean, At Home's policy was that servers were admin

Re: How to secure the Internet in three easy steps

2002-10-27 Thread Matthew S. Hallacy
On Sun, Oct 27, 2002 at 07:42:10PM -0600, Matthew S. Hallacy wrote: > > And they block port 80 inbound TCP further out in their network. Overall, > cable providers more heavily than cable providers. ^-- s/cable/DSL/; -- Matthew S. Hallacy

Re: How to secure the Internet in three easy steps

2002-10-27 Thread Joe
" <[EMAIL PROTECTED]> To: "Matthew S. Hallacy" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Sunday, October 27, 2002 8:46 PM Subject: Re: How to secure the Internet in three easy steps > > Not really > > On Sun, 27 Oct 2002, Matthew S. Hallacy wrote: >

Re: How to secure the Internet in three easy steps

2002-10-27 Thread Christopher Schulte
At 09:03 PM 10/27/2002 -0500, William Warren wrote: actually with the merger of At&t and comcast most cable inet customers will be through them. Until that happens however: In a public press release dated August, they claim to have 1.8 million Internet customers. How that compares to the glob

RE: How to secure the Internet in three easy steps

2002-10-27 Thread Vivien M.
> -Original Message- > From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On > Behalf Of Christopher Schulte > Sent: October 27, 2002 9:22 PM > To: William Warren; [EMAIL PROTECTED] > Subject: Re: How to secure the Internet in three easy steps > > In a pu

RE: How to secure the Internet in three easy steps

2002-10-28 Thread alex
> > In a public press release dated August, they claim to have > > 1.8 million Internet customers. How that compares to the > > global pool of cable users, I cannot say. > > One cable company I've done business here (Ontario, Canada) has over > 500K subscribers, and I don't believe it has the

RE: How to secure the Internet in three easy steps

2002-10-28 Thread Scott Granados
Wow! They just don't count subscribers:). I realize one way makes more sense from a "we've got more subscribers than you do" sense, but it wouldn't be that hard to count real subscribers one wouldn't think. On Mon, 28 Oct 2002 [EMAIL PROTECTED] wrote: > > > > In a public press release dated Au

Re: How to secure the Internet in three easy steps

2002-10-28 Thread Valdis . Kletnieks
On Mon, 28 Oct 2002 11:05:44 EST, [EMAIL PROTECTED] said: > They take a total revenue that somehow gets associated with selling cable > and divide it by the price of the basic cable. The resulting number is the > number of subscribers that they claim to have. This of course is perfectly fine, a

Re: How to secure the Internet in three easy steps

2002-10-29 Thread dgold
- > From: "Joseph Barnhart" <[EMAIL PROTECTED]> > To: "Matthew S. Hallacy" <[EMAIL PROTECTED]> > Cc: <[EMAIL PROTECTED]> > Sent: Sunday, October 27, 2002 8:46 PM > Subject: Re: How to secure the Internet in three easy steps > > > > &