BCP38 Deployment
Sean Donelan
sean at donelan.com
Thu Mar 29 06:35:16 UTC 2012
The power of defaults.
The few successful Internet security "best practice" changes have
primarily resulted from changes to default settings, not trying to get
ISPs, operators, sysadmins or users to change.
Smurf attacks - change default directed-broadcast settings in dominant
router vendors
Open SMTP relays - changed default SMTP server settings in dominant SMTP
software sources/vendors
Windows network-level worms - changed default Windows XP/SP2 firewall
settings to closed inbound
Although it may take 10+ years for a product replacement cycle (Windows
XP is taking longer), the same laziness/money/ignorance reasons why
it's nearly impossible to get people to implement "best practices" are why
a change to the default settings is so effective. The few times the new
default doesn't work, the operator then has an incentive to change it.
The times the default doesn't impact the operator, there is no incentive
to change it.
Expecting an average person (ISP, sysadmin, programmer, etc) to discover
and understand many obscure configuration options which don't directly
impact what they want to do isn't realistic. People tend to not
pro-actively look for problems until it causes them a problem. Even
worse, systems tend to revert back to defaults when a mistake or change
to unrelated parts of the system is made without the user/operator
realizing it.
The "experts" are the people who created the open source software or
vendors creating the product, not the users/customers.
SSH is a rare example where operators pro-actively sought and changed
their behavior; but even then, there were probably more operators that
went with the default.