James Riden wrote:

> Not my area, but I believe most backbone networks are designed to get
> packets from A to B as fast as possible. Egress filtering at ISPs,
> for both spoofed addresses and email-borne viruses would be a start
> though.

Checking for spoofed addresses is fine in theory, and it would be nice to see all ISPs doing it as a matter of course in their edge routers. Most of them don't do it because it is painful to set up, as it means a different config on every router - at the moment, most of the edge routers have the same config, which can be pushed out automatically.

Checking for viruses in traffic going across the backbone is doomed to failure for exactly the reason that you gave earlier in your post, that signatures are usually a few hours behind the infection. Not to mention that all of the routers on the net would need to be replaced by systems with 400% of the processing power to perform this task. Guess the customer ends up paying for this?

ISPs focus on making profits for their shareholders, and providing a service which is 10% more secure than their competitors doesn't get them any greater customer base. Making it 100% secure is impossible, and would lead to charges which no-one could afford, so why bother at all?

The problem is at the very end of the chain - semi-literate users who are too stupid or too lazy or too ignorant to even realise when their system has been infected, never mind do something proactive to stop it happening in the first place.

Intrinsically secure systems would have been a better idea some time ago, but now the stable door and the horse have both crumbled to dust, and trying to force stable systems on a world used to macros, downloads, and open e-mail would be a bit like ruling that all cars must travel at no more than a walking pace with a man in front waving a flag. It may be far from perfect, but rewinding the clock is not an option.
> It would also be good to have ISPs accountable for abuse that
> originates in their networks. But does any government department have
> the resources to do this, even if appropriate laws are in place?

If you make the ISP accountable, they will in turn seek to pass this on to the customers in their service contract. So, as an example, on the next major outbreak, 20% of traffic comes from AOL addresses, and the total cost is estimated at $2.5 billion (by whom?), so AOL are fined $500M - but their (updated as a result) service contract says that you must ensure that your system is secure, and if you fail to do so, you will be charged for the damage your system inflicts. The damage is traced to 500,000 customer addresses, so each of them gets hit for $1K. Net result - customers leave in droves, company collapses, and everyone is back where we started.

Great idea - force everyone onto the most lax ISP going, which is probably based somewhere outside of the jurisdiction of your shiny new legal system, and where a support call is charged at international rates. Gives new meaning to the phrase "Where would you like to go today?"

Best Wishes,
Paul.

Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788