Homeland Security Alert System
David Barak
thegameiam at yahoo.com
Fri Feb 21 17:29:32 UTC 2003
Okay, I'll bite...
--- Sean Donelan <sean at donelan.com> wrote:
>
> On Fri, 21 Feb 2003, Martin Hannigan wrote:
> Isn't your NOC normally vigilant?
Of course.
> > Perhaps even use different sets of ACL's on the edge, etc. It could also
> > be used to explain an unexpected surge in traffic, calls, or other things.
> > Ever look at some traffic stats and see a major surge and want to make sure
> > you understand why?
>
> Again wouldn't you also do all of these things "normally?" If an ACL is a
> good idea at "Orange" wouldn't you protect your network with those ACL's
> when the level is "Yellow." Or would you remove those ACL's when the
> threat level is reduced. How would you explain to your management when
> you are hacked at level "Yellow" you had better ACL's, but you only used
> the good ACL's at level "Orange."
Well, an example could be "if threat level is yellow,
permit traffic from $foreign_country_x, but if it goes
to orange, deny all from $foreign_country_x, or
perhaps log all from there."
I know that there are certain ISPs which deny all mail
traffic from certain ASes, because of the volume of
Spam. The same principle could be at work here: if
(threat_level++) then deny(unknown_from_Source[nasty])
else permit.
-David Barak
fully RFC 1925 compliant
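
The level-keyed filtering proposed in this message, as an added example that is not part of the original post: a policy table maps alert level to an action for a source group, and the sketch renders IOS-style ACL entries, evaluates sample source addresses, and lists exactly which entries change on escalation. The group name, policy table, action names, and prefixes (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

LEVELS = ["green", "blue", "yellow", "orange", "red"]  # HSAS colours, low to high

# Constructed sample data: RFC 5737 documentation prefixes stand in for the
# post's "$foreign_country_x"; the group name and policy table are assumptions.
GROUPS = {"foreign_country_x": ["198.51.100.0/24", "203.0.113.0/25"]}
POLICY = {"yellow": {"foreign_country_x": "permit"},
          "orange": {"foreign_country_x": "deny-log"}}


def action_for(level, group):
    """Nearest action defined at or below `level`; default permit."""
    for lvl in reversed(LEVELS[: LEVELS.index(level) + 1]):
        if group in POLICY.get(lvl, {}):
            return POLICY[lvl][group]
    return "permit"


def render_acl(level):
    """IOS-style extended ACL entries for one alert level."""
    verbs = {"permit": "permit ip {} any", "permit-log": "permit ip {} any log",
             "deny": "deny ip {} any", "deny-log": "deny ip {} any log"}
    lines = []
    for group, prefixes in GROUPS.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            src = f"{net.network_address} {net.hostmask}"  # wildcard mask
            lines.append(verbs[action_for(level, group)].format(src))
    return lines + ["permit ip any any"]


def decide(level, src_ip):
    """Action a packet from `src_ip` receives at `level` (first match wins)."""
    addr = ipaddress.ip_address(src_ip)
    for group, prefixes in GROUPS.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return action_for(level, group)
    return "permit"


def escalation_diff(old, new):
    """Entries that change between two levels, as (before, after) pairs."""
    return [(a, b) for a, b in zip(render_acl(old), render_acl(new)) if a != b]


if __name__ == "__main__":
    for before, after in escalation_diff("yellow", "orange"):
        print(f"- {before}\n+ {after}")
```

The diff between two levels is the list of entries an operator would have to justify to management when the level changes, which is the concern raised in the quoted reply.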