Re: Contribute to pf(4)
At 02:42 AM 7/16/2002 -0600, Theo de Raadt wrote:
>What is the point of this exercise?
The only thing I would say is that in a heavily regulated environment (such
as the U.S. financial environment where I spend most of my time) there is a
substantial effort to "please the auditors". With all the Sept 11 hoopla,
banks/credit unions/etc have been implementing lots of new procedures to
flag for accounts owned by certain individuals/aliases, as well as activity
from certain countries.
There's also conventional wisdom from certain examiners ("examiners are
like a box of chocolates", as the saying goes) that "most attacks come from
country XYZ".
Having said that, logging and/or blocking+logging activity to various 'net
accessible systems (such as internet banking) from certain country blocks
would have an appeal in these types of environments. Now, as technical
people we realize that this strategy alone is somewhat foolhardy and
contains way too many assumptions. But isn't that the definition of
"regulated industry"? ; )
However, if I'm riding shotgun on an ultra important system that shouldn't
be getting activity from say, Korea, then I might want to know when certain
types/volumes of activity come from that area. Certainly not as the entire
strategy, and certainly not as some sort of buzzfeature ("with our new
'Xeno-secure' technology we keep the bad foreigners out and the warm and
fuzzy Americans in!").
But while I'm keeping tabs on some things, it *might* be a worthwhile
addition to the list.
-Mike
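The log-first, block-later approach Mike sketches, written out as a pf.conf fragment. This is an added example, not code from the original post or from pf(4) itself. The interface name, the protected host, the table file path and the address blocks inside it are constructed placeholders, not real allocations; pf has no country lookup of its own, so the table has to be filled from an externally maintained address list and refreshed as that list changes.

```pf
# Constructed placeholders: adjust to the real interface and host.
ext_if = "em0"
bank_host = "192.0.2.10"

# Address blocks to watch, kept in a separate file so they can be
# reloaded without touching the ruleset. The file holds one CIDR per
# line (constructed example contents):
#   198.51.100.0/24
#   203.0.113.0/24
# Refresh it from an external list with:
#   pfctl -t watched_blocks -T replace -f /etc/pf.watched
table <watched_blocks> persist file "/etc/pf.watched"

# Stage 1: observe only. 'match' records the packet without deciding
# its fate and 'log' copies it to pflog0, so traffic still flows while
# the volume and type of activity from those blocks is assessed.
match in log on $ext_if from <watched_blocks> to $bank_host

# Stage 2: once the logs have been reviewed and the list is trusted,
# uncomment the block rule. 'quick' stops evaluation at this rule.
# block in log quick on $ext_if from <watched_blocks> to $bank_host

pass in on $ext_if proto tcp to $bank_host port 443
```

Logged packets can be watched live with `tcpdump -n -e -ttt -i pflog0`. Keeping the watch list in a table rather than in the rules themselves means the ruleset never needs a reload when the address blocks change, and the table counters (`pfctl -t watched_blocks -T show -v`) give a per-block view of how much activity the list is actually matching before any blocking decision is made.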