Re: IAB concerns against permanent deployment of edge-based filtering

[Leo Bicknell <bicknell () ufp org>]

In a message written on Sat, Oct 18, 2003 at 12:26:21PM -0400, Eric Gauthier wrote:
> Again, I definitely agree with the IAB's recommendation.  However, its 
> difficult to defend this point of view in practice since most of the 
> equipment does basic packet filtering in hardware or with minimal cost to 
> peformance.  So, I just can't figure out how to sit in front of our 
> administration and justify the replacement of a zero-cost solution with 
> the cost of added staff and equipment to mitigate these security risks, 
> especially when the up side is just not "limiting the potential for 
> deployment of future applications".

Well, but you've hit the nail on the head.  The fitler solution is
_NOT_ zero cost, it is deferred cost.  I suggest you phrase it that
way.  It's a way of deferring the cost to later, with interest.
The longer you use it, the higher that interest payment will be,
in the form of new and different attacks you can't block.

Phrasing it to the bean counters that it is deferring the cost,
with interest, and suggesting that simultaneously some money be
spent on user education, better software, or whatever is appropriate
to insure you don't have a "huge baloon payment" later might help
put it in terms they can understand.

Similar parallels can be drawn to antibiotics -- the over use will
eventually render them ineffective.  It's a very similar situation,
and sometimes you have to just invest in not getting sick in the
first place (wash your hands...patch your system).

-- 
       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request () tmbg org, www.tmbg.org

Attachment: _bin
Description: