|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Broadband routers and botnets - being proactive
On Tue, 15 May 2007, Joe Greco wrote: > The thing is that there's always been too much functional separation > between the business of this list which is operating a network, and the > security focused lists. The business of operating a network has often > conveniently ignored anything that doesn't actually cause the network to > collapse, but which regardless makes the network a less-than-nice place > to be. > > Is spam directly related to the business of Network A peering via BGP to > Network B? Doubtful. Clearly, it is not. Packets keep flowing. Internet is more than email. > However, where does that change? What sort of things are operational? Things that affect internet at large. Things that affect our routers. > As long as we choose to interpret "operating a network" as being merely > things that involve enable on a router, yes, it's way off-topic. > Sadly, many (most?) networks view their operation in a way that > emphasizes this sort of attitude. As a result, we still don't have > basic security things that should /also/ be a fundamental part of > netops, such as BCP38 at any point where it is reasonable to do so (like > at virtually every edge). That's certainly on-topic (why is BCP38 is not implemented as much as it should be). > > You and I and lots of other people on this list are on on many or all > > of those sorts of lists. > > In most organizations larger than a handful of people, the netops people > are not necessarily the same as the security people, and I've often > found that the groups do not understand issues happening in the other > arena. That's an issue for those organizations. :) However, security people have their own mailing lists, and *forcing* operations people to be involved in security issues is counter-productive. (You don't make your security people to read nanog-l, do you?) > > While cross-pollination is acceptable and in fact desired dragging the > > business of one group of community interests in to the domain of > > another is not appropriate. > > Were they all truly separate, this would be true. They're not all truly > separate. Pretending that they're separate would be a convenient way to > allow your network to continue peeing in the pool, ignoring problems, > which (sadly) doesn't seem to be an unusual attitude at certain > networks. Sadly, the alternatives (resulting in trying to police the internet) are much worse than status quo. > Those of us who have been implementing BCP38-style filtering since > before BCP38 existed, on the other hand, may take a slightly more mature > view of what "network operations" involves, and it sure covers a lot > more ground than what you can do with enable on a router. > > I do not consider host security to be directly connected to netops. > However, it certainly has an impact, and to a certain extent, a little > occasional discussion is warranted. When it is affecting internet at large (think nachi/nimda/codered), clearly. > Gadi may tend to bring along a little too much discussion, though. I > think a lot of people would agree with that. I think this is the case of a 'boy who cried wolf' too many times. <snip> > I find it sadly ironic that the netops community, which largely runs > huge commercial for-profit networks, would think that others would > handle the security aspects for them - and do it for free. Those who run huge commercial for-profit networks usually have people who are dedicated to security aspects...Ones not so lucky usually have same people who are both operations and security and peering - and we are subscribed to all the mailing lists we need to know to get all our jobs done. And I think its the way things should be. > What's pathetic is that these same large networks usually can't be > bothered to do much (or anything) to eliminate the environment which > provides work opportunities for security consultants. Do I smell a "final ultimate solution" somewhere? :) [note the cc to nanog-futures - please strip cc to nanog-l from the replies to this email. meta-discussions belong on -futures] alex [speaking for myself only]
|