*nix network administration: 10/01/2003

Thursday, October 30, 2003

Monday, October 27, 2003

From BSDsnob: Commentary for netsec?

-------- Original Message --------
Subject: Re: ISPs' willingness to take action
Date: Mon, 27 Oct 2003 11:31:20 -0500 (EST)
From: Sean Donelan
To: nanog@nanog.org

On Mon, 27 Oct 2003 kenw@kmsi.net wrote:
> I said 'low hanging fruit'. I didn't say 'top-to-bottom security
> analysis'.

If I fixed every computer on the Internet today, tomorrow Microsoft would sell 17,000 new insecure installs of Windows.

Low-hanging fruit would be to get Microsoft to change its defaults. Then instead tomorrow, there would be 17,000 new 'secure' installs of Windows.

> Does NOBODY remember that thread?

I remember it well. I also remember ISPs removing the filters after a few hours/days due to customer complaints because the applications they wanted to use across the Internet stopped working.

Why shouldn't people be able to use NETBIOS, or Telnet or FTP or any other insecure protocol across the Internet? The security problems aren't due to the packets crossing the Internet. The security problems happen when the packets reach an insecure end-host.

It is possible to use NETBIOS securely across the Internet withOUT a VPN. I wouldn't recommend it, but I don't understand why ISPs should prohibit the use of any particular 16-bit port number in a TCP/UDP header.

> And if all ISPs were doing all these thing (as you try to imply) we'd all
> be a lot better off, wouldn't we?

And are you implying ISPs aren't doing anything?

> So, am I advocating bad measures?

Naive measures."

While researching for the termpaper, Myra found this link to the RSA Laboratories Cryptography FAQ. It has a lot of great information on cryptography, encryption techniques, and the cryptography laws.