Re: [fw-wiz] ISPs with more secure networks???
From: Paul Robertson (proberts_at_patriot.net)
To: Tony Miedaner <firstname.lastname@example.org> Date: Wed, 23 Jul 2003 09:00:31 -0400 (EDT)
On Tue, 22 Jul 2003, Tony Miedaner wrote:
> Somewhat off topic but
> Has anyone heard of ISP's with arrangements that enforce any type of
> security requirements within their agreements for the connected customers
> as well as providing an SLA that allows a company to restrict access inbound.
Most large ISPs have too much aggragate traffic to do per-customer
filtering anywhere other than the leaf node to the customer. Most will
provide managed firewalling for customers for a price.
> My thought is an arrangement that allows only US based network blocks
> access to the network (i.e., the customers network).
I haven't looked for statistics recently, but most non-automated attack
traffic used to originate in the US, so I'm not sure that's a win ;)
> Even a tiered access arrangement that allowed US (for instance) based
> networks x bandwidth and other international networks y bandwidth.
> Or even better customers agreeing to the networks agreements getting full
> access to each other and then all others are filtered one way or another
> (i.e. firewall, routing, filtering or other). The obvious assumption here
> is that the customers are security conscious.
The more unlikely and not so obvious assumption here is that customers
would actually want to pay for such a feature. Suddenly you're dealing
with thousands of customers who all want their own special rulesets,
procedures for who can update those rulesets, etc. It's certainly done in
the managed services arena, but with per-customer infrastructure for the
most part- that means more power, more administrators, more rack space,
more phone lines... That gets expensive, and complex pretty quickly, and
unlike most managed services business, this would have to happen at the
ISP's facilities to be useful (otherwise, you could just filter at your
router, do QoS at your router or firewall and call it a day, no reason
to involve the ISP.)
> I guess I am getting sick of these folks that don't control what is coming
> out of their networks and would prefer to see the ISP at least taking a
> shot at limiting it.
I'd take a stab in the dark that probably less than 1% of user networks
control traffic that egresses their borders, and then maybe 1% of that is more
than source address limitations. Even in that case, almost all allow
outbound HTTP, so things like Code Red, NIMDA, etc. will still get out.
If you were to do address or AS-based filtering, you'd limit who you could
talk to quite severely, and I'm not sure you'd be able to deal well with
them changing ISPs. If you're going to do that, doesn't it make more
sense to put globally accessable resources at a colocation facility
somewhere, then limit your own outbound traffic to the few places you need
to talk to, and your inbound traffic to ACKs from that, DNS and SMTP?
Naturally, you'll have the same user resistance that people at the other
end have, and it's likely that the scheme won't last too long.
Paul D. Robertson "My statements in this message are personal opinions
email@example.com which may have no basis whatsoever in fact."
firstname.lastname@example.org Director of Risk Assessment TruSecure Corporation
 TruSecure sells managed services offerings.
firewall-wizards mailing list