large organization nameservers sending icmp packets to dns servers.

Wed Aug 8 15:59:07 UTC 2007

Forgive my broken formatting, but LookOut, it's Microsoft! Is what we
use, period.

I have a question related to what you posted below, and it's a pretty
simple one:

How is answering a query on TCP/53 any MORE dangerous than answering it
on UDP/53?  Really.  I'd like to know how one of these security nitwits
justifies it.  It's the SAME piece of software answering the query
either way.

Jamie Bowden
-- 
"It was half way to Rivendell when the drugs began to take hold"
Hunter S Tolkien "Fear and Loathing in Barad Dur"
Iain Bowen <alaric at alaric.org.uk>
-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Steve Gibbard
Sent: Tuesday, August 07, 2007 6:10 PM
To: Nanog
Subject: Re: large organization nameservers sending icmp packets to dns
servers.

On Tue, 7 Aug 2007, Donald Stahl wrote:

> It has nothing to do with judging how one runs their network or any
other 
> such nonsense. The RFC's say TCP 53 is fine. If you don't want to
follow the 
> rules, fine, but have the temerity to admit that it is stupid.

I don't want to wade into this particular argument, which doesn't seem
to 
be going anywhere useful.  But I think the style of the argument causes 
some problems that trickle into network operations, and should be 
addressed.

The problem with this argument is that, while it may be entirely
correct, 
it's unlikely to convince the people who matter.  The people who matter 
are the people who write the checks for the networks we work on.

Successful managers (and successful engineers) generally get pretty good

at doing cost benefit analyses.  Since there are many decisions where 
there isn't one obvious answer, they learn instead to think in terms of 
each choice providing some benefits and having some costs, and doing the

things where the benefits outweigh the costs.

In the firewall case, as Kevin said, there are probably people going to 
the decision makers and talking about the importance of keeping things 
closed up.  Every open firewall rule, they'll say, creates the potential

for an attack.  Any attack could cause down time, unauthorized sharing
of 
confidential data, loss of files people have spent the last several
years 
working on, and more.  Therefore, the cost of an open firewall rule
could 
potentially be millions of dollars.  The value of any service enabled by
a 
hole in the firewall had better be more than that.

Is this argument valid?  Maybe not.  But the money people who make the 
decisions probably don't have the technical expertise to analyse it. 
Even if they suspect that the case for the policy is overstated, they'll

associate some cost with ignoring the advice of their security people,
as 
they probably should.

So, what's somebody who objects to such an argument to do?

You could go to management and say, "the security people are wrong.  The

standard says we must open more ports.  To not do so would be wrong." 
But you may not like the choice this presents management with.  On one 
side, they've got you telling them to follow an arbitrary standard, 
because not doing so would be wrong.  On the other side, they're being 
told that taking your advice could cost millions of dollars.  Losing 
millions of dollars as a result of a refusal to heed warnings would 
probably get them fired, or worse.  Pointing at an arbitrary standard 
after things had gone wrong probably wouldn't get them very far.

Alternatively, you too could start speaking their cost benefit language.

You could assail the security peoples' cost figures, although at that 
point you'd be asking them to distrust other employees and they might 
wonder if they should distrust you instead.  Or you could point out the 
costs of leaving the port closed, or possible benefits of leaving it
open. 
If you can tell them that some fraction of their customers aren't able
to 
get to them because of the closed port, and that those would be
customers 
represent some large amount of revenue, you'll show that there's actual 
benefit to having the port open.  If that benefit is greater than the 
potential loss they're being told about, you might actually win the 
argument.  If you have some evidence to back up your numbers, you may
have 
more credibility, and be able to win the argument with lower numbers.

Or, you may find that you're not as right as you thought you were.  You 
may find that what you were advocating doesn't seem to have any concrete

benefit, and that what the other side was saying has some merit.  That
may 
not happen in this case, but sooner or later you'll probably find one 
where it does.

-Steve