nanog mailing list archives
Re: Malformed SNMP Packet log/trace
From: Eric Brandwine <ericb () UU NET>
Date: 27 Feb 2002 03:44:04 +0000
"sd" == Sean Donelan <sean () donelan com> writes:
sd> On Tue, 26 Feb 2002, Richard A Steenbergen wrote:
sd> > A lot of those protocols have people looking at them on a regular
sd> > basis, and they still manage to come up with obscure exploits no one
sd> > else noticed (ex: 23mb of buffer overflows to exploit telnetd).

sd> So what is the solution for a public network operator. I attended
sd> a presentation last week where a Checkpoint reseller suggested the
sd> client needed to buy eight Checkpoint firewalls to protect a
sd> single web server. I was impressed, what about the undercoating
sd> and scotchguard fabric protector.

That's actually a possibility, soon as they support OC-192 interfaces ;)
Stay away from the undercoating, but the ScotchGuard(tm) is definitely
worth it!

sd> Is it time to fall back and punt? How would you architect a backbone if
sd> you could do it over?

Security is not about making things foolproof. They'll always be able to
break you, no matter what you do. Security is about assuming acceptable
risk, and mitigating unacceptable risk.

This whole recent mess has actually gone over fairly cleanly. The vast
majority of public infrastructure seems to have been patched with a fair
amount of speed, and nobody's noticed any serious outages due to it.
Apparently, the risk we assumed was acceptable, and when it became
unacceptable, it was mitigated quickly enough.

If I could do it over? I'd get in my Tardis, and go back to 1969. I'd
teach everyone at DARPA how to spell security. Loose source route, IP
options in general, ICMP address mask requests, all these things should
go away.

sd> Is the complexity of SSH code worth the protection? Or is it better
sd> never to access your routers through VTY ports, and always use a
sd> reverse-terminal server to the console from an out-of-band management
sd> LAN?

Console is slow, logs can easily DoS a 9600 baud line. It only allows one
connection. Good fallback point, operationally does not scale.

SSH is worth the protection, as reference implementations are available,
and it requires very little in the way of system support. As long as
in-band access to routers is required, SSH (or HTTPS or IPSec) will be
with us. As time passes, the quality of the tools that we have to work
with improves, and our trust in them can grow.

The official answer is control plane separation. This worked for the
PSTN, and it's the way the Internet will go, eventually.

ericb
--
Eric Brandwine        |  Things should be as simple as possible, but not simpler.
UUNetwork Security    |
ericb () uu net       |        - Albert Einstein
+1 703 886 6038       |
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E