nanog mailing list archives

Re: so, how would you justify giving users security?


From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 04 Apr 2005 22:14:12 +0200


* Gadi Evron:

> Anyone ever considered just closing these ports? People will pay you
> more and just for your ACL services!

People call me mad because I designed a system which can handle
10,000+ ACL entries with negligible personal overhead (keep in mind
that you cannot give end users direct access to ACL settings because
they don't know what to do).  Some issues I ran into clearly showed
that this was a very, very unusual thing to do.  It still has to be
this way if you look at the number of hoops you have to jump through
if you want to atomically replace an ACL on a Cisco router.

In other words, neither people nor technology are quite ready.

> Why is this such a bad idea?

My fear is that most organizations will opt for blocks without
exceptions (or ridiculous processes to obtain exceptions).  AFAICS,
this is what happened on most academic networks.

As a result, protocol designers make sure that their application looks
like HTTP at layer 4, and everyone loses.
