Security of National Infrastructure

Jerry Pasker jerry at
Fri Dec 29 22:50:39 UTC 2006

>  > Why is it that every company out there allows connections through their
>>  firewalls to their web and mail infrastructure from countries that they
>>  don't even do business in. Shouldn't it be our default to only allow US
>>  based IP addresses and then allow others as needed? The only case I can
>>  think of would be traveling folks that need to VPN or something, which
>>  could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still
>>  seem to be in the wild west, but no-one has the b at lls to be braven and
>  > block the unnecessary access.

Most people inherently know the answer to this, but I figure I might 
as well answer the question since it was asked.

It is the way it is, because the internet works when it's open by 
default, and closed off carefully. (blacklists, and the such)   Would 
email have ever taken off if it were based on white lists of approved 
domains and or senders? Sure, it might make email better NOW (maybe?) 
but in the beginning?

Block the few bad apples, and generally allow everything else by 
default.  (but allow it carefully)  It works for the web, email, 
airport security, and society in general (mostly open, free... unless 
you're a Bad Guy Criminal Type).

No one is smart enough to be a central planner, and know where the 
bad is, all the time. And no one is smart enough to predict who/where 
the "good" is.  That's why open by default (with careful security to 
screen out the "bad") generally works the best.  Chase down the 
"bad", and assume (correctly so) that the rest is "good."

Same concept applies to why we have police that chase criminals, 
rather than just throwing everyone in prison by default and making 
them prove that they're worth of being free.


More information about the NANOG mailing list