Network Security Wishlist?
breillysf asks: "I am a California-based network security attorney who has been asked by a senior US Senator to compile a list of the most important legal concerns facing network security administrators. He has a good feel for the government security issues (and lack thereof), but he is concerned about what is going on in the front lines in the private sector. I thought the Slashdot crowd would have the best feel on the pulse of the current situation. Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for? Or would you tell them to get out of the way?"
"For example, I tried to push for tax incentives for upgrades in network security measures, but the Senator replied that is dead in the water because we are now spending into a deficit. He would rather see insurance companies reward firms with lower premiums for enhanced security. But there are international legal issues, compliance issues, privacy complications, potential negligence liability exposure, lack of federal incident response, FOIA and anti-trust issues with info sharing, conflicting state and federal cybercrime and privacy laws, USA Patriot Act concerns, etc."
OK, I'm provisionally accepting the premise of the question, that something Congress might do could help Internet security, and trying to figure out what I'd suggest.
It'd help if IP packets couldn't be spoofed (or if such spoofing capabilities were dramatically reduced).
Then any hack attempts could be tracked much, much more easily back to their origins.
In a perfect world, one might upgrade all our networks to employ IPv6 or IPsec to ensure greater packet integrity, but this is prohibitively expensive and leaves the problem largely intact on "legacy" networks.
A simpler solution, which would be greatly accelerated with a Congressional (or Executive?) national security legal mandate, would be a law requiring network owners (ISPs) to install filters on the boundaries of their networks that prevent packets from leaving their networks that didn't originate with IP source addresses owned by their networks. Egress filtering.
While this wouldn't eliminate IP spoofing (someone can still pretend to be another computer on the same network), it would eliminate someone on network A pretending to have come from network B in most cases. At that point, the NOC of the appropriate network can be contacted and the hack can be run to ground.
(Someone more network-savvy than I could articulate the boundaries of which networks should be included under the above statute. Obviously traffic being routed between networks (as opposed to traffic originating from a network) cannot be covered by such a requirement.)
Nobody likes mandates, but I think this one would significantly improve end-to-end network security. Making it a legal requirement would enable the practice to be sufficiently end-to-end to be useful. And it's inexpensive enough that ISPs have debated doing it on their own just as a measure to reduce DoS problems.
--LP
Disclaimer: I program web and TCP/IP software but am not a network admin.
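The filter LP describes is what RFC 2827 / BCP 38 calls source-address validation at the network edge. The following is an added example, not code from the post or from any ISP; it is a small Python model of that policy over a constructed topology, so the two caveats in the post can be seen directly: a spoofed source from another network is dropped at the customer edge, a spoofed source from inside the same customer prefix still passes, and transit links are deliberately left unfiltered. The interface names, prefixes (from the RFC 5737 / RFC 3849 documentation ranges) and packets are all made up for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str            # source IP as text
    dst: str            # destination IP as text
    ingress_iface: str  # interface the packet arrived on

# Constructed topology (assumption for this example, not from the post).
# Each customer-facing edge port is bound to the prefixes delegated to that
# customer; the upstream/transit port carries traffic for arbitrary networks.
EDGE_PREFIXES = {
    "cust-A": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}
TRANSIT_IFACES = {"upstream-1"}


def filter_packet(pkt, edge_prefixes=EDGE_PREFIXES, transit_ifaces=TRANSIT_IFACES):
    """Return (verdict, reason) for one packet under a BCP 38 style edge filter.

    A packet arriving on a customer edge must carry a source address that
    belongs to that customer's own prefixes. Transit interfaces are not
    filtered, matching the post's caveat that traffic merely being routed
    between networks cannot be covered by such a rule.
    """
    if pkt.ingress_iface in transit_ifaces:
        return ("permit", "transit interface: not subject to source filtering")
    prefixes = edge_prefixes.get(pkt.ingress_iface)
    if prefixes is None:
        return ("drop", "unknown interface: no prefixes assigned")
    src = ipaddress.ip_address(pkt.src)
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so a v4 source is never matched against a v6 prefix by accident.
    if any(src in p for p in prefixes):
        return ("permit", "source inside this edge's assigned prefixes")
    return ("drop", "source address not assigned to this edge (spoofed or misrouted)")


def audit(packets):
    """Run the filter over a batch and tally verdicts per ingress interface."""
    tally = {}
    for pkt in packets:
        verdict, _ = filter_packet(pkt)
        tally.setdefault(pkt.ingress_iface, {"permit": 0, "drop": 0})[verdict] += 1
    return tally


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.1", "cust-A"),      # legitimate customer traffic
    Packet("198.51.100.9", "192.0.2.1", "cust-A"),     # A spoofing B's address: dropped
    Packet("203.0.113.200", "192.0.2.1", "cust-A"),    # A spoofing another host in A: passes
    Packet("198.51.100.200", "192.0.2.1", "cust-B"),   # outside B's /25: dropped
    Packet("2001:db8:b::1", "2001:db8::1", "cust-B"),  # legitimate v6 from B
    Packet("2001:db8:b::1", "2001:db8::1", "cust-A"),  # B's v6 prefix from A's port: dropped
    Packet("198.51.100.9", "192.0.2.1", "upstream-1"), # transit: never filtered
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        verdict, reason = filter_packet(pkt)
        print(f"{pkt.ingress_iface:11} {pkt.src:>16} -> {pkt.dst:<12} {verdict:6} ({reason})")
    print(audit(SAMPLE))
```

The third sample packet is the residual the post admits to: the filter only knows which prefix a port owns, not which host sent the packet, so spoofing within the same customer prefix is invisible at the ISP edge and has to be handled closer to the host. On real routers the same policy is usually expressed as a per-interface ACL permitting only the assigned source prefixes, or as strict unicast reverse-path forwarding, which derives the permitted source set from the routing table instead of a hand-maintained list.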