Homeland Security Alert System

David Barak thegameiam at yahoo.com
Fri Feb 21 17:29:32 UTC 2003


Okay, I'll bite...

--- Sean Donelan <sean at donelan.com> wrote:
> 
> On Fri, 21 Feb 2003, Martin Hannigan wrote:

> Isn't your NOC normally vigilant?  

Of course.


> > Perhaps even use different sets of ACL's on the edge, etc. It could also
> > be used to explain an unexpected surge in traffic, calls, or other things.
> > Ever look at some traffic stats and see a major surge and want to make
> > sure you understand why?
> 
> Again wouldn't you also do all of these things "normally?"  If an ACL is a
> good idea at "Orange" wouldn't you protect your network with those ACL's
> when the level is "Yellow."  Or would you remove those ACL's when the
> threat level is reduced.  How would you explain to your management when
> you are hacked at level "Yellow" you had better ACL's, but you only used
> the good ACL's at level "Orange."

Well, an example could be "if threat level is yellow,
permit traffic from $foreign_country_x, but if it goes
to orange, deny all from $foreign_country_x, or
perhaps log all from there."

I know that there are certain ISPs which deny all mail
traffic from certain ASes, because of the volume of
Spam.  The same principle could be at work here: if
(threat_level++) then deny(unknown_from_Source[nasty])
else permit.

-David Barak
fully RFC 1925 compliant
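
The level-keyed ACL idea from the message above, as an added example that is not part of the original post: it selects a rule set by threat level and reports which sources are treated differently when the level changes. The group names, the RFC 5737 documentation prefixes, the "permit"/"log"/"deny" action names and the policy table are all assumptions made for illustration.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation prefixes) standing in
# for the "$foreign_country_x" and "nasty" sources mentioned in the post.
SOURCE_GROUPS = {
    "foreign_country_x": ["198.51.100.0/24"],
    "nasty": ["203.0.113.0/25", "203.0.113.128/25"],
}

# Hypothetical per-level policy: ordered (group, action) rules, first match
# wins, and any source that matches no rule gets DEFAULT_ACTION.
POLICY = {
    "yellow": [("foreign_country_x", "permit"), ("nasty", "permit")],
    "orange": [("foreign_country_x", "log"), ("nasty", "deny")],
}
DEFAULT_ACTION = "permit"


def compile_acl(level):
    """Expand the level's group rules into ordered (network, action) entries."""
    if level not in POLICY:
        raise ValueError(f"no ACL defined for threat level {level!r}")
    return [
        (ipaddress.ip_network(prefix), action)
        for group, action in POLICY[level]
        for prefix in SOURCE_GROUPS[group]
    ]


def evaluate(level, src):
    """Return the action the level's ACL applies to one source address."""
    addr = ipaddress.ip_address(src)
    for network, action in compile_acl(level):
        if addr in network:
            return action
    return DEFAULT_ACTION


def changed_sources(old_level, new_level, sources):
    """Map each source whose treatment differs to (old_action, new_action)."""
    changes = {}
    for src in sources:
        before, after = evaluate(old_level, src), evaluate(new_level, src)
        if before != after:
            changes[src] = (before, after)
    return changes


# Constructed sample sources: one per group plus one unlisted address.
SAMPLE = ["198.51.100.7", "203.0.113.200", "192.0.2.10"]
```

Calling `changed_sources("yellow", "orange", SAMPLE)` lists exactly the sources whose handling depends on the threat level, which is the difference the quoted question about explaining the policy to management turns on.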

