|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: RBL-type BGP service for known rogue networks?
Sure; I see your point. Thing is, though you don't -have- to make the ACL thing automatic - you can have someone sitting and watching the thing, and triggering it manually after positive identification. -----Original Message----- From: John Kristoff [mailto:[email protected]] Sent: Friday, July 07, 2000 5:01 PM To: [email protected] Subject: Re: RBL-type BGP service for known rogue networks? [email protected] wrote: > I certainly don't think that intrusion-detection makes sense for the > backbones and NAPs and so forth, but when you get closer to the > traffic-orginator/requestor boundaries of the network, it becomes more > feasible, does it not? Perhaps. It might be less detrimental to the entire Internet community if only a edge customer's dynamic IDS/filtering system went haywire. It then boils down to an organization's design and support philosophy. Personally, I don't like the idea of messing with packets/streams in transit unless it's route them, drop them (congestion) or mark them (IP ToS bits/DiffServ). There of course may be a few instances where you block an entire netblock (e.g. RFC 1918) or specific ports (e.g. snmp) that are widely know to be insecure or invalid. It seems easier in the long run (harder intially) to secure the end systems. Maybe I'm just getting used to vendors automatically configuring my network with the routing protocols and I'm not quite ready for automatic ACL definitions based on traffic patterns. :-) John |