large organization nameservers sending icmp packets to dns servers.
Jamie Bowden
jamie at photon.com
Wed Aug 8 15:59:07 UTC 2007
Forgive my broken formatting, but LookOut, it's Microsoft! Is what we
use, period.
I have a question related to what you posted below, and it's a pretty
simple one:
How is answering a query on TCP/53 any MORE dangerous than answering it
on UDP/53? Really. I'd like to know how one of these security nitwits
justifies it. It's the SAME piece of software answering the query
either way.
Jamie Bowden
--
"It was half way to Rivendell when the drugs began to take hold"
Hunter S Tolkien "Fear and Loathing in Barad Dur"
Iain Bowen <alaric at alaric.org.uk>
-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Steve Gibbard
Sent: Tuesday, August 07, 2007 6:10 PM
To: Nanog
Subject: Re: large organization nameservers sending icmp packets to dns
servers.
On Tue, 7 Aug 2007, Donald Stahl wrote:
> It has nothing to do with judging how one runs their network or any
other
> such nonsense. The RFC's say TCP 53 is fine. If you don't want to
follow the
> rules, fine, but have the temerity to admit that it is stupid.
I don't want to wade into this particular argument, which doesn't seem
to
be going anywhere useful. But I think the style of the argument causes
some problems that trickle into network operations, and should be
addressed.
The problem with this argument is that, while it may be entirely
correct,
it's unlikely to convince the people who matter. The people who matter
are the people who write the checks for the networks we work on.
Successful managers (and successful engineers) generally get pretty good
at doing cost benefit analyses. Since there are many decisions where
there isn't one obvious answer, they learn instead to think in terms of
each choice providing some benefits and having some costs, and doing the
things where the benefits outweigh the costs.
In the firewall case, as Kevin said, there are probably people going to
the decision makers and talking about the importance of keeping things
closed up. Every open firewall rule, they'll say, creates the potential
for an attack. Any attack could cause down time, unauthorized sharing
of
confidential data, loss of files people have spent the last several
years
working on, and more. Therefore, the cost of an open firewall rule
could
potentially be millions of dollars. The value of any service enabled by
a
hole in the firewall had better be more than that.
Is this argument valid? Maybe not. But the money people who make the
decisions probably don't have the technical expertise to analyse it.
Even if they suspect that the case for the policy is overstated, they'll
associate some cost with ignoring the advice of their security people,
as
they probably should.
So, what's somebody who objects to such an argument to do?
You could go to management and say, "the security people are wrong. The
standard says we must open more ports. To not do so would be wrong."
But you may not like the choice this presents management with. On one
side, they've got you telling them to follow an arbitrary standard,
because not doing so would be wrong. On the other side, they're being
told that taking your advice could cost millions of dollars. Losing
millions of dollars as a result of a refusal to heed warnings would
probably get them fired, or worse. Pointing at an arbitrary standard
after things had gone wrong probably wouldn't get them very far.
Alternatively, you too could start speaking their cost benefit language.
You could assail the security peoples' cost figures, although at that
point you'd be asking them to distrust other employees and they might
wonder if they should distrust you instead. Or you could point out the
costs of leaving the port closed, or possible benefits of leaving it
open.
If you can tell them that some fraction of their customers aren't able
to
get to them because of the closed port, and that those would be
customers
represent some large amount of revenue, you'll show that there's actual
benefit to having the port open. If that benefit is greater than the
potential loss they're being told about, you might actually win the
argument. If you have some evidence to back up your numbers, you may
have
more credibility, and be able to win the argument with lower numbers.
Or, you may find that you're not as right as you thought you were. You
may find that what you were advocating doesn't seem to have any concrete
benefit, and that what the other side was saying has some merit. That
may
not happen in this case, but sooner or later you'll probably find one
where it does.
-Steve
More information about the NANOG
mailing list