[tor-talk] Pissed off about Blacklists, and what to do?

[Paul Syverson]

On Sun, Mar 09, 2014 at 10:21:52AM +0100, Fabio Pietrosanti (naif) wrote:
> Il 3/8/14, 8:39 PM, Paul Syverson ha scritto:
> > If you naively view Tor as Yet Another Pulbic Proxy, I agree. But this
> > is the same thinking that leads you to block all encrypted traffic you
> > aren't MITMing. There may be environments where it makes sense, but
> > most of the time you are hurting yourself more than you are helping,
> > And enough places have learned that preventing encrypted traffic hurts
> > them that many people reading this probably don't remember when it was
> > commonly argumed that the opposite was preferable.  If you have
> > customers or employees that could benefit from personal defense in
> > depth or if your corporate operations do, then you are unnecessarily
> > hurting yourself. As Andrew noted, if you just buy a box and use its
> > defaults, you probably aren't getting what you want.  Directing
> > incoming Tor traffic appropriately, possibly requiring extra
> > authentication steps for anything where you don't need to permit
> > anonymous-from-you access to your services, makes much more sense.
> 
> >From a Perimeter Security point of view Tor is a public proxy service,
> that enable someone to connect indirectly to a remote IT system hiding
> your IP.
> 
> What you suggest is "good common sense" for a "properly well organized
> and well funded" large organization, where the "IT Governance" and the
> "Security Governance" works very well together.
> 
> But in the dirty-real-world, enterprise application development is done
> trough a series of contractors, IT is often managing the application's
> infrastructure while Security is managing the perimeter security and
> incident response.
> 
> In a situation like that it's organizationally and politically very
> difficult to make the decision that you are suggesting, requiring some
> internal stakeholder to became the sponsor of "very ponderate decisions"
> against public proxy service users.
> A decision to "manage in a soft way connections coming from public proxy
> services" need more effort than just blocking it.
> 
> So, let's assume we have an internal sponsor in a large organizaiton
> that want to use a soft approach.
> The decision will reach some very high level senior manager (being the
> IT manager or Security Manager).
> That 1st level management will will ask some very simple questions in
> order to take decision:
> 
> * Which is the business impact?
> * Do we have numbers on how many of our customers have this behavious of
> shielding their IP?
> * Of those who shield their IP, how many are already our customers?
> * Which are the residual risks we're opening by managing softly rather
> than blocking?
> * What other companies are doing with this problem?
> * What our super-senior security advisor think of this problem?
> * What our IT Security Product Vendor recommend about this problem?
> * How much does it costs to manage in a soft-way?
> 
> Frankly speaking i think that in most of the situation the decision will
> not be in favour of managing in a soft way (especially not for resources
> that could be abused).
> 
I understand that many organizations are dysfunctional and don't use
common sense, but that isn't something to recommend.  Solving such
dysfunction is hard, highly contextual, and I'm not pretending it is
something for which I have expertise. But there are still very simple
things security folks can to do if dysfunction has not gone off the
deep end. Selective, short-lived blocking based on incidents is
different from permanent blocks, as Andrew commented, speaking as
former head of IT of a global company.  Similarly having a perimeter
rule-set that includes requiring authentication, or solving a CAPTCHA,
or whatever is specifically appropriate based on IP address rather
than just permanent blocks as I commented.

It seems that your soft/hard distinction is between permanent blocking
of a class of IP addresses and anything else.  Anything that crude is
probably going to cost in some way even if you don't know exactly how
yet.  It isn't necessary conservative to make blocking decisions
without even asking the above questions or because the cost of finding
good answers to some of them is itself too high to justify. I
understand how, e.g., a company worried about spam could come to block
all email from Europe for half a year, as one of the largest US ISPs
did a decade ago.  But that's different than recommending them to do so.

aloha,
Paul