nanog mailing list archives
Re: Whitehouse Tackels Cybersecurity
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Sat, 21 Sep 2002 00:36:27 +0200 (CEST)
On Wed, 18 Sep 2002, Sean Donelan wrote:
> I would love to see some proposals from different ISPs how they view the Internet (or ISP) security architecture. Cisco, Sun, Lucent and Telcordia have vendor architectures. But what architecture works for real ISPs? What can we point to as a "good" Internet security architecture? Is there a difference between what works for a small, medium or large ISP?
What exactly do you mean by "security architecture"? Many network security efforts seem to be inspired by Descartes. Several centuries ago, this very smart man sat down in front of the fire several nights in a row and started doubting everything he could possibly doubt. Senses, memory, everything. After all, everything that seems real may in fact be an illusion created by a "malicious demon". (No, he wasn't talking about a worm or trojan.) I'm not sure what his conclusion, which can be simplified as "I think, therefore I am", would translate to. Maybe "I encrypt, therefore I am secure"?

Anyway, in our efforts to see security weaknesses everywhere, we might be going too far. For instance, nearly all our current protocols are completely vulnerable to a man-in-the-middle attack. If someone digs up a fiber, intercepts packets and changes the content before letting them continue to their destination, maybe the layer 1 guys will notice, but not any of us IP people. So what should we do? It seems each and every protocol is now trying to solve the exact same problem. A better solution would be to adopt IPSec throughout the net. But that doesn't protect you from a denial of service attack: the man in the middle can just discard your packets. Even worse, if you have to do crypto for every packet you receive, an attacker can simply send packets that only turn out invalid after performing expensive cryptographic operations and have you burn CPU cycles like it's going out of style.

What we need are realistic expectations. Yes, the internet is vulnerable to some degree, but the risks are nothing to worry about relative to eating food that strangers have prepared or driving at high speed between many bad-tempered people who are all armed with a ton of steel.
For regular day-to-day stuff such as off-topic rants and downloading copyrighted material, the vulnerabilities that exist aren't really an issue: the expense and effort to break into a _network_ (rather than just some box connected to it) is not worth the gain. And for things that are more sensitive: refer to the end-to-end principle. SSL isn't perfect, but it's widely available. IPSec is more perfect, but less available. They'll both run fine over the current network.

However, that doesn't mean we can lean back and do nothing. Some protocols are really too insecure. Please be assured that these problems have the attention of the IETF. Everyone should feel free to donate time to help develop newer, more secure protocols or newer, more secure versions of old ones.

In the meantime, many people are still doing things they shouldn't, and not doing things they should. If properly implemented, it is very hard to break BGP. But that means everyone has to use antispoofing packet filters, have strict filtering on the routes they accept from their customers and preferably on those they accept from their peers as well, and use TCP MD5 password protection on all BGP sessions. That's something we can all do before the month is out and it will actually make the net more secure without breaking anything.

Iljitsch van Beijnum
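The three BGP measures listed in the post, written out as an added Cisco IOS-style configuration (this is not from the original message or its author). All addresses, AS numbers, interface and neighbor names are constructed placeholders from the RFC 5737/5398 documentation ranges, and the password strings stand in for real shared secrets.

```cisco
! Added example (not from the original post): Cisco IOS-style configuration of
! the three measures the post lists. Addresses (RFC 5737 documentation ranges),
! AS numbers (RFC 5398 documentation range), names and the interface are
! constructed placeholders; the password strings stand in for real shared secrets.
!
! 1. Anti-spoofing on the customer-facing port (ingress filtering, BCP 38):
!    only packets sourced from the customer's assigned prefix may enter.
ip access-list extended CUST-A-ANTISPOOF
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Customer A (AS 64497), assigned 198.51.100.0/24
 ip address 192.0.2.1 255.255.255.252
 ip access-group CUST-A-ANTISPOOF in
!
! 2. Strict route filtering: accept from the customer only the prefix it is
!    entitled to announce; any other announcement (a leaked full table, a
!    hijacked prefix) is dropped before it reaches our routing table.
ip prefix-list CUST-A-IN seq 5 permit 198.51.100.0/24
ip prefix-list CUST-A-IN seq 10 deny 0.0.0.0/0 le 32
!
! From peers, at least reject private/bogon space, our own block
! (203.0.113.0/24 here), the default route, and anything longer than a /24.
ip prefix-list PEER-IN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list PEER-IN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list PEER-IN seq 15 deny 127.0.0.0/8 le 32
ip prefix-list PEER-IN seq 20 deny 172.16.0.0/12 le 32
ip prefix-list PEER-IN seq 25 deny 192.168.0.0/16 le 32
ip prefix-list PEER-IN seq 30 deny 203.0.113.0/24 le 32
ip prefix-list PEER-IN seq 35 deny 0.0.0.0/0 ge 25
ip prefix-list PEER-IN seq 40 deny 0.0.0.0/0
ip prefix-list PEER-IN seq 100 permit 0.0.0.0/0 le 24
!
! 3. TCP MD5 signatures on every BGP session (RFC 2385): TCP discards segments
!    that do not carry a valid signature, so a forged RST or UPDATE from a
!    third party never reaches the BGP process.
router bgp 64496
 neighbor 192.0.2.2 remote-as 64497
 neighbor 192.0.2.2 description Customer A
 neighbor 192.0.2.2 password PASSWORD-CUST-A
 neighbor 192.0.2.2 prefix-list CUST-A-IN in
 neighbor 192.0.2.2 maximum-prefix 10
 neighbor 192.0.2.6 remote-as 64498
 neighbor 192.0.2.6 description Peer B
 neighbor 192.0.2.6 password PASSWORD-PEER-B
 neighbor 192.0.2.6 prefix-list PEER-IN in
```

The TCP MD5 option (RFC 2385) has since been superseded by the TCP Authentication Option, TCP-AO (RFC 5925), which should be preferred where both ends support it.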