[Dshield] Possible solution for ISP (was DShield's public goals)
dshield at oitc.com
Wed Jan 18 23:30:53 GMT 2006
I don't want to get into flame wars and in fact I like fixed IPs so
that abuse and management of that abuse can be easily identified.
Nonetheless I was trying (maybe not clearly) to communicate that I
believe dialups are, in general, a special case since dialups were
where Valdis kept harping on cost margins not allowing any support
(an assertion which I totally disagree with as do the financials of
Time Warner's AOL unit support).
I have never dealt in networking as part of a huge ISP but I have
created and supported very large worldwide networks where port policy
is all wrapped into the entire security envelope.
It is funny that you call out "spirit of the Tao of the IETF" as
calling for "end-to-end" openness. How many companies or SANS/DShield
for that matter have totally open networks to the outside world -
they don't. They invoke policy on port access.
At 10:56 PM +0000 1/18/06, Fergie wrote:
>Valdis is right -- and in my own humble opinion, limiting users
>based on the _assumption_ that they should only need 'x', 'y' and
>'z' ports is selling them a limited service, opening up a sewer of
>support issues for future tech support nightmares, and both a
>short-sighted technical and business plan.
>I say this having worked virtually all sides of this equation. ;-)
>And in the spirit of the Tao of the IETF, it violates the end-to-end
>principle in oh-so-many ways.
>As we say in the engineering architecture business, push the protection
>somewhere else in the architecture -- to the perimeter of the network
>(for whatever your definition of network is). THAT's where policy
>should be enforced, not on customer-facing links (again, depending
>on your definition of policy).
>-- Valdis.Kletnieks at vt.edu wrote:
>On Wed, 18 Jan 2006 16:24:24 EST, Tom said:
>> Why should Joe User (the know-nothing dialup guy that Valdis
>> constantly wants to focus on) be given access to any port other than,
>> for example, SMTP (to his ISP's mailserver only) HTTP, POP, IMAP and
>> HTTPS? Joe User doesn't even know how to use FTP much less SSH or
>> anything else. If Joe User wasn't given the same access privileges
>> that a sophisticated user is given, the whole problem would be self
>Tell you what. Limit it to those ports, and explain to Joe Sixpack
>why streaming video isn't working. Or why he can't talk to his buddies
>on AIM. Or why...
>The fact that Joe User doesn't know what a given port is for doesn't mean
>that the stuff on his system doesn't know.....
>"Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg at netzero.net or fergdawg at sbcglobal.net
> ferg's tech blog: http://fergdawg.blogspot.com/
Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax),
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com