IAB concerns against permanent deployment of edge-based filtering

Eric Gauthier eric at roxanne.org
Sat Oct 18 16:26:21 UTC 2003


> I think the IAB has a legitimate point.
> 
> Network operators rely today on the fact that different services use
> different ports, so they can block particular types of access/behavior
> by blocking ports.

I think the IAB has a legitimate point and I agree with it 100%.
Unfortunately, I also think it lacks a certain amount of practicality.
When/if I remove the Microsoft port filters (for example) from the interface
between my campus and my eBGP peers or between segments of our campus network,
my network starts to melt down because of the sudden influx of virus probes
and traffic related to the spike in infections on our 10k - 20k hosts.  If
the recommendation is to remove these low-cost protections, is there a
recommendation on how I can prevent the subsequent and severe instability
on my network?

> There is a real danger that long-term continued blocking will lead
> to "everything on one port" (probably 80).

Or port 443.  If the traffic is on port 80, most signature systems can
determine that it's not necessarily a standard HTTP interaction.  If it's
on port 443 and has a basic level of encryption, the signature-based systems
fail.

> I'm not saying ISP's shouldn't filter, but the long term filtering
> is a problem.  It will cause application developers to do things
> that will make long term filtering not work, in the end.

I absolutely agree.  It's the same argument that we made to our administration
regarding why we shouldn't block outright peer-to-peer applications.  First,
the applications themselves aren't a problem, aren't illegal and, given
that we are a University, we should try not to stifle their development.
Just as important, if we blocked them outright, our community would likely
shift to applications that are more effective at hiding themselves from us.
Since the only drawback to allowing them is that they increase the average
bandwidth demand per user, something we plan for anyway, we chose not to
filter.

Unfortunately, I can't make the same argument about the edge port filters
we have in place for security reasons.  Though there is a general benefit
gained by allowing application development, the overwhelming cost that we'd
incur dealing with the compromised hosts themselves, the substantial increase
in network traffic and network attacks that they generate, etc., makes
removing these protections cost prohibitive.

Again, I definitely agree with the IAB's recommendation.  However, it's
difficult to defend this point of view in practice since most of the
equipment does basic packet filtering in hardware or with minimal cost to
performance.  So, I just can't figure out how to sit in front of our
administration and justify the replacement of a zero-cost solution with
the cost of added staff and equipment to mitigate these security risks,
especially when the up side is just not "limiting the potential for
deployment of future applications".

Eric :)