All of the network's control points are on public non-firewalled IPs. This is the worst security. It was done this way for the sake of simplicity. Our netops volunteers had to get up to speed with unfamiliar concepts like routing, funky netmasks, dynamic routing protocols, policy routing, VRRP, firewalls, MTUs, MSS control, IPsec, etc. We reaped the rewards of KISS from broader volunteer engagement, but lately we've been paying too heavy of a price for the awful security this simplicity creates. In the most recent breach we've lost important source code that will now need to be re-created. We escaped total disaster by the thinnest of margins, as one critical hypervisor just happened to be patched to 1 version higher than exploitable. This simplicity is not a good tradeoff anymore, so the time has come to introduce more complexity to the network to protect all control points.

This is not a simple problem, since there are many fragility vs security tradeoffs, as well as complexity cost concerns. If you have experience or thoughts around this area, and can commit to a few weeks of design and implementation work on this project, please indicate your interest. We'll assemble a small working group in the next few days and start discussions. I expect the working format will involve some virtual meetings, since email is not high bandwidth enough to hash out everything quickly.

Here's hoping we don't make it worse,

--Bart

_______________________________________________
PSDR mailing list
PSDR@hamwan.org
http://mail.hamwan.net/mailman/listinfo/psdr