
Hiers, David wrote:
I applaud the idea of protecting against attacks, and I feel the draw for this kind of function. However, I do have a couple of thoughts to circulate to the group.
1. CPNI. There are all sorts of regulations, laws, and policies that tightly constrain what telephone-related information I can disclose to anyone about anything.
2. Criticality. If a 911 call fails because someone intentionally took an action, bad things can happen.
Like every business from banks to hotdog carts, we are all expected to act to ensure that our actual losses do not exceed budgeted losses, and that the cost of the controls does not exceed the cost of the loss. My main point is that whatever controls we erect must comport to the (ever-changing) regulatory and societal landscape for phone calls, which can be very different than that of email or other services.
In summary, I see this as a very worthwhile effort, even if the rules and expectations that surround it make it different than similar efforts in other fields.

I will try to find a definitive legal answer to these questions and post when I find one. In the interim, I'd like to explain my posture on why CPNI is not relevant.

1) Logfiles that are posted contain solely the information of an attacking IP address. Any visible IP addressing, naming conventions, etc., are sanitized from the logs. This is done for two reasons: first, to protect the identity of my PBX servers, and second, to avoid having attackers "fire away" at the addresses. There is no visible information for my infrastructure nor clients being posted at any time.

2) Criticality - the only instance I can see this being an issue is if the following occurs: Being an ITSP provider, I manage PBX's and maintain hundreds of trunks for clients who manage their own PBX's. If a client's PBX was compromised, their IP space would be listed in "the blacklist", which could leave them in a bind if they weren't able to place emergency calls.

Emergency calls are a tricky subject as is when it comes to VoIP in the following scenario: As a provider you have a client who does not pay their bill and gets a temporary disconnect. Do you as a VoIP provider STILL place emergency calls for them? There is no visible law relevant to this. I know, as I've scoured high and low for something to this tune; maybe if someone at Dash is here, they can correct me on this. As it stands, we as a VoIP carrier have to do nothing when someone doesn't pay their bill.

a) AUP's, TOS', SLA's dictate what can or can't happen during the course of a client's use. Therefore if my AUP directs me to disconnect "dirty hosts", the onus is on the client to clean up their act. In today's day and age, just about everyone except me has a cellular. So a 911 argument isn't as strong as it would be, say, 10 years ago.

b) Abuse desks for companies attacking PBX's, when located in North America, are ALWAYS notified. I give them the opportunity to "right their wrongs" and have been doing so aimlessly for some time.

A situation like this would be a true test for a "dirty network", not me as a provider. The legalities fall on them:

Offense: "You blocked an emergency call!"
Defense: "No we blocked your network from disrupting other networks which has the potential to disrupt hundreds of other networks and PBX's"
Defense: "You were warned prior to being blacklisted. Your systems autogenerated a response, months later we were attacked again. Obviously you didn't take the situation seriously"
Offense: "I object, security costs time and money. Money we don't have..."

True, it is a touchy subject; however, I don't believe there could be legal recourse towards me for posting it, or anyone submitting data - provided that whoever submits data removes identifiable information.

With that said, my approach is to weed out erroneous reports and continue to send a courtesy email to offending netblocks. If they don't respond within a 72 hour period, they will be listed. 3 days is enough to take a look at what is leaving a network and nip it in the bud. Should companies not see fit to clean up their act, obviously they not only don't care about what leaves their network, they care less about their clients as well.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E