IAB concerns against permanent deployment of edge-based filtering
Eric Gauthier
eric at roxanne.org
Sat Oct 18 16:26:21 UTC 2003
> I think the IAB has a legitimate point.
>
> Network operators rely today on the fact that different services use
> different ports, so they can block particular types of access/behavior
> by blocking ports.
I think the IAB has a legitimate point and I agree with it 100%.
Unfortunately, I also think it lacks a certain amount of practicality.
When/if I remove the Microsoft port filters (for example) from the interface
between my campus and my eBGP peers or between segments of our campus network,
my network starts to melt down because of the sudden influx of virus probes
and traffic related to the spike in infections on our 10k - 20k hosts. If
the recommendation is to remove these low-cost protections, is there a
recommendation on how I can prevent the subsequent and severe instability
on my network?
> There is a real danger that long-term continued blocking will lead
> to "everything on one port" (probably 80).
Or port 443. If the traffic is on port 80, most signature systems can
determine that it's not necessarily a standard HTTP interaction. If it's
on port 443 and has a basic level of encryption, the signature-based systems
fail.
> I'm not saying ISP's shouldn't filter, but the long term filtering
> is a problem. It will cause application developers to do things
> that will make long term filtering not work, in the end.
I absolutely agree. It's the same argument that we made to our administration
regarding why we shouldn't block outright peer-to-peer applications. First,
the applications themselves aren't a problem, aren't illegal and, given
that we are a University, we should try not to stifle their development.
Just as important, if we blocked them outright, our community would likely
shift to applications that are more effective at hiding themselves from us.
Since the only drawback to allowing them is that they increase the average
bandwidth demand per user, something we plan for anyway, we chose not to
filter.
Unfortunately, I can't make the same argument about the edge port filters
we have in place for security reasons. Though there is a general benefit
gained by allowing application development, the overwhelming cost that we'd
incur dealing with the compromised hosts themselves, the substantial increase
in network traffic and network attacks that they generate, etc., makes
removing these protections cost prohibitive.
Again, I definitely agree with the IAB's recommendation. However, it's
difficult to defend this point of view in practice since most of the
equipment does basic packet filtering in hardware or with minimal cost to
performance. So, I just can't figure out how to sit in front of our
administration and justify the replacement of a zero-cost solution with
the cost of added staff and equipment to mitigate these security risks,
especially when the up side is just not "limiting the potential for
deployment of future applications".
Eric :)
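As an added illustration (this is not code from Eric's post or from the NANOG thread), the following Python model contrasts the two mechanisms the message discusses: a stateless edge ACL on the Windows service ports, which is cheap and done in hardware, and a payload-signature check on whatever is permitted through. The port list, the HTTP/TLS heuristics and all of the flows are constructed assumptions chosen to show the point about port 80 versus port 443: non-HTTP traffic on 80 is visible to a signature check, while two different applications inside TLS on 443 look the same.

```python
"""
Toy model of edge port filtering vs. payload-signature classification.
Added example; port list, heuristics and sample flows are assumptions
constructed for illustration, not data from the post.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed edge ACL: drop the classic Windows RPC/NetBIOS/SMB ports at the
# campus border.  Illustrative list, not taken from the post.
BLOCKED_PORTS = {135, 137, 138, 139, 445}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ",
                b"DELETE ", b"OPTIONS ", b"CONNECT ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the client->server stream


def edge_acl(flow: Flow) -> str:
    """Port-based filter: the cheap, in-hardware check. Sees ports only."""
    return "drop" if flow.dport in BLOCKED_PORTS else "permit"


def looks_like_http(payload: bytes) -> bool:
    """Signature check: does the stream open with a well-formed request line?"""
    if not payload.startswith(HTTP_METHODS):
        return False
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/1.")


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03xx,
    2-byte length, then a handshake message of type 0x01 (ClientHello)."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03
            and payload[5] == 0x01)


def classify(flow: Flow) -> str:
    """What the ACL plus a signature system can say about one flow."""
    if edge_acl(flow) == "drop":
        return "blocked-by-acl"
    if flow.dport == 80:
        return "http" if looks_like_http(flow.payload) else "non-http-on-80"
    if flow.dport == 443:
        # Encrypted: the signature system can tell it is TLS and nothing more.
        return "tls" if looks_like_tls_client_hello(flow.payload) else "non-tls-on-443"
    return "other"


def sample_flows() -> list[Flow]:
    """Constructed flows, labelled by what each one is meant to represent."""
    # Minimal ClientHello-shaped bytes: only the header fields matter here.
    tls_hello = bytes([0x16, 0x03, 0x01, 0x00, 0x2e,   # record header
                       0x01, 0x00, 0x00, 0x2a,         # handshake: ClientHello
                       0x03, 0x03]) + b"\x00" * 32     # version + random
    return [
        Flow("10.1.2.3", "10.9.9.9", 445, b"\x00\x00\x00\x85\xffSMB"),  # worm probe
        Flow("10.1.2.4", "203.0.113.7", 80,
             b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),       # real web
        Flow("10.1.2.5", "203.0.113.8", 80,
             b"\xe3\x19\x00\x00\x01\x10peer-proto"),                       # p2p on 80
        Flow("10.1.2.6", "203.0.113.9", 443, tls_hello),                   # real HTTPS
        Flow("10.1.2.7", "203.0.113.10", 443, tls_hello),                  # p2p inside TLS
    ]


def summarize(flows: list[Flow]) -> list[tuple[int, str]]:
    """Port and verdict for each flow, in order."""
    return [(f.dport, classify(f)) for f in flows]


if __name__ == "__main__":
    for dport, verdict in summarize(sample_flows()):
        print(f"dport={dport:<4} -> {verdict}")
```

Running it shows the SMB probe dropped by the ACL, the legitimate web flow and the peer-to-peer flow on port 80 separated by the request-line signature, and the last two flows both reported as "tls": once an application moves to 443 with encryption, the edge sees nothing that distinguishes it from ordinary HTTPS.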