[Dshield] The internet -- testing platform, or production environment?

Lauro, John jlauro at umflint.edu
Wed Oct 30 04:43:35 GMT 2002


> 2.  Is it an academic right to do what you want on the roads?
> 
> Is it academic freedom to be able to test theoretical or test-built
> automobile braking systems on freeways?
> 
> I think you'll find most engineers, unless they want to argue the
> semantics of the wording, will agree that public safety comes first.
> 
> Well, in my opinion, the internet is like the public roads.

It is the individual that uses or abuses the car on the road.  It is
not the job of the site where you leave from or arrive at to police
the behavior on the roads to get from one location to another.  What
is needed is better router<-->router policing on the backbone sites
(which academia is improving and researching with various distributed
flow modeling for DDOS auto detection and tracking, IPv6, etc)...


> Few addresses are firewalled compared with what should be.  Also,
I'm
> including egress filtering in this.  IMO it should be mandatory that
> egress filtering be applied that retail customers connections be
subject
> to egress filters that at least ensure their source IPs in their
packets
> are from somewhere on their ISP.

I agree 100% that egress filters should be law...  I suspect that this
is a larger problem from ISPs and small companies, and that most
academic institutions of a reasonable size at least do egress filters
already even if not a firewall.  


> You run unit tests and system using the real internet?
> 
> This is why we need rules-of-the-road with the force of law.  If it
isn't
> illegal it is okay in the minds of many people.
> 
Besides for the RFCs already concerning IP/TCP/UDP/etc, and egress
filters, what *rules* would you suggest be enforced?

> I can see using the internet to run user acceptance tests, and beta
tests
> obviously, but not unit, integration, and system tests.
> 
> We get new skid-proof steering systems from auto-makers.  The auto
> companies do not develop them by doing their initial and development
> testing on our freeways.

Unless things have changed in the last 10 years, the auto companies do
test prototypes on our freeways.  

I still don't see what your opposition to initial testing on the
internet is, if the application obeys all the rules?  The testing of
applications have no bearing on security, besides how open/closed
firewalls (if any) are configured.


> In production, you need a safe environment for the sites connecting
to
> you. I have to rely on their service suppliers to do what our
highway
> departments do in the physical world -- attempt to make the service
they
> provide as safe as possible.
> 
> Would your campus physical facilities department let the engineers
build
> test pot holes in the road?

Good idea.  There could be good reasons for that, especially for
testing for the auto industry.  You would not build it on the freeway,
but on a road that is somehow connected to the freeway.  If you could
not get to the test road, what good would it be?


> > If your real goal is to get junk packets and hackers off the net,
then
> > firewalls might not be your best bet anyways.  Your time might be
> > better spent recommending passive IDS.  It may not instantly block
the
> > abusers, but it also does not go so sharply against academic
freedom.
> 
> It wouldn't stop intrusions but it might be better because it
wouldn't go
> against so-called academic freedom.  ;)

Assuming that systems are kept current, they shouldn't be able to
intrude...  and the IDS will log the attempts, so you can take
appropriate actions toward the individual.  If serious enough
penalties are given to those attempting to intrude, it will be a
deterrent to others.

> Huh?  Not if it is a good firewall.  In fact a lot of times they
don't
> even know their is a network behind it.  It all depends on how the
> firewall is configured.

I was referring to a firewall protecting the world from your users,
assuming you don't block the entire internet from your users which is
not acceptable for many.

> > Here is one option...  assuming you know he is in...
> > Unplug the network cable....  :)
> 
> So I want to be safe on the public highways, and you say I should
keep my
> car in the driveway?

If a hacker is in your system (and you know it), then you know the
system is not working correctly.  So, yes if you have a flat, or
engine trouble, or you car is smoking, then leave it in the driveway
until you get it fixed!




More information about the list mailing list