nanog mailing list archives
Re: so, how would you justify giving users security?
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 04 Apr 2005 22:14:12 +0200
* Gadi Evron:
> Anyone ever considered just closing these ports? People will pay you more and just for your ACL services!
People call me mad because I designed a system which can handle 10,000+ ACL entries with negligible personal overhead (keep in mind that you cannot give end users direct access to ACL settings because they don't know what to do). Some issues I ran into clearly showed that this was a very, very unusual thing to do. It still has to be this way if you look at the number of hoops you have to jump through if you want to atomically replace an ACL on a Cisco router. In other words, neither people nor technology are quite ready.
> Why is this such a bad idea?
My fear is that most organizations will opt for blocks without exceptions (or ridiculous processes to obtain exceptions). AFAICS, this is what happened on most academic networks. As a result, protocol designers make sure that their application looks like HTTP at layer 4, and everyone loses.