On Mon, 10 Mar 2008, Scott Weeks wrote:
> The default policy is we allow everything. It takes no explaining.

If you don't bother to explain to the same customers who you believe
couldn't figure out how to change the default settings, what the risks
are and how to protect their computers on the Internet, is it any
wonder that normal users have such a difficult time being safe on the
Internet?

> I understand the port 25 issue and am reconsidering it for dynamic
> addresses on outbound traffic, but at least one person on NANOG showed
> me a use of that. Like network engineers at many other companies, I'm
> spread so thin that it's hard to find the time to do work like this and
> I keep putting it on the back burner. VZ had it completely open and I
> have followed that as we separated this network from their network, as
> I can't take on the extra work of fixing brokenness that would result
> from applying the filter.

Like I said, there is always a default policy whether you know what
that policy is or not. You probably end up spending the resources on
the front-end or on the back-end.

Implementing source address verification can take years, but if you
never start, you will never finish.

Implementing sanity checks for IP headers can take years, but if you
never start, you will never finish.

Implementing unsolicited/unwanted traffic controls can take years, but
if you never start, you will never finish.

Do you think caller-id/call-blocking/harassing-call-trace were easy, or
rather they took years of hard work? Although the technology may change,
people seem to stay the same. And people seem to be adept at doing the
same stuff with new technology to other people.