nanog mailing list archives
Re: BCP38 Deployment
From: Sean Donelan <sean () donelan com>
Date: Thu, 29 Mar 2012 02:35:16 -0400 (EDT)
The power of defaults. The few successful Internet security "best practice" changes have primarily resulted from changes to default settings, not trying to get ISPs, operators, sysadmins or users to change.
Smurf attacks - change default directed-broadcast settings in dominant router vendors
Open SMTP relays - changed default SMTP server settings in dominant SMTP software sources/vendors
Windows network-level worms - changed default Windows XP/SP2 firewall settings to closed inbound
Although it may take 10+ years for a product replacement cycle (Windows XP is taking longer), the same laziness/money/ignorance reasons why it's nearly impossible to get people to implement "best practices" is why a change to the default settings is so effective. The few times the new default doesn't work, the operator then has an incentive to change it. The times the default doesn't impact the operator, there is no incentive to change it.
Expecting an average person (ISP, sysadmin, programmer, etc.) to discover and understand many obscure configuration options which don't directly impact what they want to do isn't realistic. People tend to not pro-actively look for problems until it causes them a problem. Even worse, systems tend to revert back to defaults when a mistake or change to unrelated parts of the system is made without the user/operator realizing it. The "experts" are the people who created the open source software or vendors creating the product, not the users/customers.
SSH is a rare example where operators pro-actively sought and changed their behavior; but even then, there were probably more operators that went with the default.