nanog mailing list archives
Re: Customer-facing ACLs
From: Sean Donelan <sean () donelan com>
Date: Mon, 10 Mar 2008 21:52:42 -0400 (EDT)
On Mon, 10 Mar 2008, Scott Weeks wrote:
> The default policy is we allow everything. It takes no explaining.
If you don't bother to explain to the same customers who you believe couldn't figure out how to change the default settings, what the risks are and how to protect their computers on the Internet, is it any wonder that normal users have such a difficult time being safe on the Internet?
> I understand the port 25 issue and am reconsidering it for dynamic addresses on outbound traffic, but at least one person on NANOG showed me a use of that. Like network engineers at many other companies, I'm spread so thin that it's hard to find the time to do work like this and I keep putting it on the back burner. VZ had it completely open and I have followed that as we separated this network from their network, as I can't take on the extra work of fixing brokenness that would result from applying the filter.
Like I said, there is always a default policy whether you know what that policy is or not. You probably end up spending the resources on the front-end or on the back-end. Implementing source address verification can take years, but if you never start, you will never finish. Implementing sanity checks for IP headers can take years, but if you never start, you will never finish. Implementing unsolicited/unwanted traffic controls can take years, but if you never start, you will never finish. Do you think caller-id/call-blocking/harassing-call-trace were easy, or rather they took years of hard work? Although the technology may change, people seem to stay the same. And people seem to be adept at doing the same stuff with new technology to other people.