North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Security of National Infrastructure

  • From: Jerry Pasker
  • Date: Fri Dec 29 17:55:42 2006

 > Why is it that every company out there allows connections through their
 firewalls to their web and mail infrastructure from countries that they
 don't even do business in. Shouldn't it be our default to only allow US
 based IP addresses and then allow others as needed? The only case I can
 think of would be traveling folks that need to VPN or something, which
 could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still
 seem to be in the wild west, but no-one has the [email protected] to be braven and
 > block the unnecessary access.
Most people inherently know the answer to this, but I figure I might as well answer the question since it was asked.

It is the way it is, because the internet works when it's open by default, and closed off carefully. (blacklists, and the such) Would email have ever taken off if it were based on white lists of approved domains and or senders? Sure, it might make email better NOW (maybe?) but in the beginning?

Block the few bad apples, and generally allow everything else by default. (but allow it carefully) It works for the web, email, airport security, and society in general (mostly open, free... unless you're a Bad Guy Criminal Type).

No one is smart enough to be a central planner, and know where the bad is, all the time. And no one is smart enough to predict who/where the "good" is. That's why open by default (with careful security to screen out the "bad") generally works the best. Chase down the "bad", and assume (correctly so) that the rest is "good."

Same concept applies to why we have police that chase criminals, rather than just throwing everyone in prison by default and making them prove that they're worth of being free.