[nsp-sec] creative lying
Sean Donelan
sean at donelan.com
Wed Sep 3 19:42:17 EDT 2008
On Tue, 2 Sep 2008, Smith, Donald wrote:
> No problem at all except who owns/manages the CPE (customer provided
> equipment) and what is their payout for doing this?
>
> I agree it's a good idea; how do we get our customers to perform that
> filtering?
> In many cases the guy setting up an enterprise's router has never heard
> of Cymru or seen Cisco's security blueprints or read a Juniper manual
> about security. They simply want the router to work and once it begins
> working they leave it alone.

The power of "default."

If CPE router software defaulted to only forwarding packets with source
address validation, most of those people installing them will never
change it (along with the hundreds of other potential things they could
change, but never do).

Only those few people where it actually breaks something will change it.

Smurf attacks mostly went away after vendors changed their defaults, and
hardware replacement cycles took place.

Open mail relays mostly went away after vendors changed their defaults, and
software replacement cycles took place.

Heck, even the NetBIOS worm of the month is going away after the vendor changed
its defaults and the software replacement cycle is happening.

Education failed, shunning failed, calling customers failed.

Defaults seem to work.

Cisco, Juniper, Linksys, D-Link, Netgear? Comments?