[AusNOG] NBN must avoid becoming 'failed state'

Tue Sep 21 16:45:43 EST 2010

>From what I can see most of the security vendors have been focussing
on endpoint security, and have succeeded to the extent Conficker owns
a lot of our customers. That is: not very much at all.

The network or "cloud" or whatever want to call it is part of a total
response. We have to assume that part of the solution will be
compromised and do the ole "defence in depth" thing. You can't stop a
phish if the customer's equipment is toast. The network operator has a
part to play in that.

I agree with your quote from Spaf, but the point I see is that
something like SSL is an endpoint measure, not a network measure. The
end points are assuming they are secure and the network is not. We
also need to assume the opposite and design accordingly and I don't
see a way to deal with end point compromise that doesn't involve the
network operators assets.

On Tue, Sep 21, 2010 at 3:59 PM, Vitaly Osipov <vitaly.osipov at gmail.com> wrote:
> ...Moreover, the measures proposed does not seem to be too relevant
> for customers.
>
> I have not seen the presentation, but judging from the slides it was
> primarily concerned with DDoS prevention. While it is clear that from
> a network operator's (and Arbor's) point of view this is a major if
> not *the* security threat (to operators), for end users DoS is almost
> a non-issue compared to, say, they Facebook identity stolen or bank
> account emptied.
>
> If we are talking about providing "security" for users, we should
> really be talking about end points, and not the pipes. After 20 years
> of (not very successfully) trying to achieve end user "security" at
> the pipe level it is probably the time to switch to where it matters
> more - applications/software. Gene Spafford said long ago "Using
> encryption on the Internet is the equivalent of arranging an armored
> car to deliver credit card information from someone living in a
> cardboard box to someone living on a park bench", the same can be said
> about network security mechanisms in general.
>
> Although, to be fair, the slides briefly recommend embedding total L2+
> surveilance into NBN, but I wonder how this recommendation will fly...
> (slides 25 and especially 6 :) ). Besides, no instrumentation of local
> networks will help against foreign attackers.
>
>
> Regards,
> Vitaly
>
>
>
>
> On Tue, Sep 21, 2010 at 2:58 PM, Roland Chan <roland at chan.id.au> wrote:
>> I don't see this as as NBN specific issue.
>>
>> I see a large security gap between our current state and the ability
>> of our customers to treat the Internet as a utility. I'm sure some
>> parts of vendor-space will view that as good for their margins, but if
>> we accept the goal of Internet ubiquity we have no choice but to
>> commoditise everything we currently do and a great deal besides,
>> security included.
>>
>> A drive from the NBN could be tremendously helpful.
>>
>>
>>
>> On Tue, Sep 21, 2010 at 1:49 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:
>>>
>>> On Sep 21, 2010, at 10:10 AM, Graeme Allen wrote:
>>>
>>>> I believe the real issue with bigger pipes in the context of the NBN is that without the inherent upload constraint of DSL (generally < 1Mbps)
>>>
>>> I largely agree with all your points - access speeds and potential increased market penetration aside, the advent of NBN represents an opportunity to formulate and mandate security capability requirements which are beneficial in and of themselves.
>>>
>>> -----------------------------------------------------------------------
>>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>>
>>>               Sell your computer and buy a guitar.
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>