Security of National Infrastructure
Jerry Pasker
jerry at jerry.org
Fri Dec 29 22:50:39 UTC 2006
> > Why is it that every company out there allows connections through their
>> firewalls to their web and mail infrastructure from countries that they
>> don't even do business in. Shouldn't it be our default to only allow US
>> based IP addresses and then allow others as needed? The only case I can
>> think of would be traveling folks that need to VPN or something, which
>> could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still
>> seem to be in the wild west, but no-one has the b at lls to be braven and
> > block the unnecessary access.
Most people inherently know the answer to this, but I figure I might
as well answer the question since it was asked.
It is the way it is, because the internet works when it's open by
default, and closed off carefully. (blacklists, and the such) Would
email have ever taken off if it were based on white lists of approved
domains and or senders? Sure, it might make email better NOW (maybe?)
but in the beginning?
Block the few bad apples, and generally allow everything else by
default. (but allow it carefully) It works for the web, email,
airport security, and society in general (mostly open, free... unless
you're a Bad Guy Criminal Type).
No one is smart enough to be a central planner, and know where the
bad is, all the time. And no one is smart enough to predict who/where
the "good" is. That's why open by default (with careful security to
screen out the "bad") generally works the best. Chase down the
"bad", and assume (correctly so) that the rest is "good."
Same concept applies to why we have police that chase criminals,
rather than just throwing everyone in prison by default and making
them prove that they're worth of being free.
-Jerry
More information about the NANOG
mailing list