Re: [fw-wiz] ISPs with more secure networks???

From: Paul Robertson
Date: 07/23/03
To: Tony Miedaner <>
Date: Wed, 23 Jul 2003 09:00:31 -0400 (EDT)

    On Tue, 22 Jul 2003, Tony Miedaner wrote:

    > Hi,
    > Somewhat off topic but
    > Has anyone heard of ISP's with arrangements that enforce any type of
    > security requirements within their agreements for the connected customers
    > as well as providing an SLA that allows a company to restrict access inbound.

    Most large ISPs have too much aggregate traffic to do per-customer
    filtering anywhere other than the leaf node to the customer. Most will
    provide managed firewalling for customers for a price[1].

    > My thought is an arrangement that allows only US based network blocks
    > access to the network (i.e., the customers network).

    I haven't looked for statistics recently, but most non-automated attack
    traffic used to originate in the US, so I'm not sure that's a win ;)

    > Even a tiered access arrangement that allowed US (for instance) based
    > networks x bandwidth and other international networks y bandwidth.
    > Or even better customers agreeing to the networks agreements getting full
    > access to each other and then all others are filtered one way or another
    > (i.e. firewall, routing, filtering or other). The obvious assumption here
    > is that the customers are security conscious.

    The more unlikely and not so obvious assumption here is that customers
    would actually want to pay for such a feature. Suddenly you're dealing
    with thousands of customers who all want their own special rulesets,
    procedures for who can update those rulesets, etc. It's certainly done in
    the managed services arena, but with per-customer infrastructure for the
    most part; that means more power, more administrators, more rack space,
    more phone lines... That gets expensive, and complex pretty quickly, and
    unlike most managed services business, this would have to happen at the
    ISP's facilities to be useful (otherwise, you could just filter at your
    router, do QoS at your router or firewall and call it a day, no reason
    to involve the ISP.)

    > I guess I am getting sick of these folks that don't control what is coming
    > out of their networks and would prefer to see the ISP at least taking a
    > shot at limiting it.

    I'd take a stab in the dark that probably less than 1% of user networks
    control traffic that egresses their borders, and then maybe 1% of that is more
    than source address limitations. Even in that case, almost all allow
    outbound HTTP, so things like Code Red, NIMDA, etc. will still get out.

    If you were to do address or AS-based filtering, you'd limit who you could
    talk to quite severely, and I'm not sure you'd be able to deal well with
    them changing ISPs. If you're going to do that, doesn't it make more
    sense to put globally accessible resources at a colocation facility
    somewhere, then limit your own outbound traffic to the few places you need
    to talk to, and your inbound traffic to ACKs from that, DNS and SMTP?

    Naturally, you'll have the same user resistance that people at the other
    end have, and it's likely that the scheme won't last too long.

    Paul D. Robertson
    Director of Risk Assessment, TruSecure Corporation
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."

    [1] TruSecure sells managed services offerings.

    firewall-wizards mailing list
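The reply above contrasts two border-filtering stances: the common one, where egress control stops at source-address limitations and outbound HTTP is open (so Code Red or NIMDA style traffic still leaves), and the proposed one, where public resources sit at a colo and the site allows outbound traffic only to the few places it needs, with inbound limited to return traffic, DNS and SMTP. The following is an added example, not code from the thread or from any poster: a small Python policy evaluator that encodes both stances as functions and runs them over a handful of constructed flows. All addresses are from RFC 5737 documentation ranges and the allow-lists are assumptions chosen only to illustrate the design.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen at the customer's border (constructed)."""
    name: str
    direction: str          # "out" = leaving the customer network, "in" = arriving
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    established: bool = False   # True for return traffic of a flow the inside opened


# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
INSIDE = ip_network("192.0.2.0/24")          # the customer's own address block
COLO_WEB = ip_address("198.51.100.10")       # public web server moved to a colo
RESOLVER = ip_address("198.51.100.53")       # DNS resolver the site depends on
MAIL_RELAY = ip_address("198.51.100.25")     # outbound SMTP relay
MAIL_SERVER = ip_address("192.0.2.25")       # inside host that accepts inbound SMTP
DNS_SERVER = ip_address("192.0.2.53")        # inside host that answers inbound DNS

# "Limit your own outbound traffic to the few places you need to talk to"
# (assumed allow-list: colo management and HTTPS, resolver, mail relay).
ALLOWED_OUT = {
    ("tcp", COLO_WEB, 443),
    ("tcp", COLO_WEB, 22),
    ("udp", RESOLVER, 53),
    ("tcp", MAIL_RELAY, 25),
}

# Unsolicited inbound that is still accepted: SMTP delivery and DNS queries.
ALLOWED_IN = {
    ("tcp", MAIL_SERVER, 25),
    ("udp", DNS_SERVER, 53),
}


def source_only_policy(f: Flow) -> bool:
    """The common egress filter: anti-spoofing on the source address and nothing
    else. Outbound HTTP to anywhere passes, which is why worm traffic carrying a
    legitimate source address still gets out. Inbound is left open for contrast."""
    if f.direction == "out":
        return ip_address(f.src) in INSIDE
    return True


def restrictive_policy(f: Flow) -> bool:
    """The stance suggested in the reply: outbound only to named destinations,
    inbound only return traffic ("ACKs from that"), DNS and SMTP."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    if f.direction == "out":
        if src not in INSIDE:
            return False                    # still drop spoofed sources
        return (f.proto, dst, f.dport) in ALLOWED_OUT
    if dst not in INSIDE:
        return False                        # not ours, not our problem to accept
    if f.established:
        return True                         # reply to a flow the inside opened
    return (f.proto, dst, f.dport) in ALLOWED_IN


# Constructed sample flows covering the cases discussed in the thread.
SAMPLE_FLOWS = [
    Flow("worm_http", "out", "192.0.2.77", "203.0.113.5", "tcp", 80),
    Flow("spoofed_src", "out", "10.0.0.1", "203.0.113.5", "tcp", 80),
    Flow("colo_ssh", "out", "192.0.2.10", "198.51.100.10", "tcp", 22),
    Flow("colo_reply", "in", "198.51.100.10", "192.0.2.10", "tcp", 40000, True),
    Flow("inbound_mail", "in", "203.0.113.9", "192.0.2.25", "tcp", 25),
    Flow("inbound_scan", "in", "203.0.113.9", "192.0.2.77", "tcp", 80),
]


def evaluate(policy, flows) -> dict:
    """Map each flow name to the policy's verdict (True = permitted)."""
    return {f.name: policy(f) for f in flows}


if __name__ == "__main__":
    loose = evaluate(source_only_policy, SAMPLE_FLOWS)
    strict = evaluate(restrictive_policy, SAMPLE_FLOWS)
    print(f"{'flow':14} {'source-only':12} {'restrictive':12}")
    for f in SAMPLE_FLOWS:
        print(f"{f.name:14} {str(loose[f.name]):12} {str(strict[f.name]):12}")
```

Running it prints one row per flow: both policies drop the spoofed source, but only the restrictive policy stops the outbound worm connection and the unsolicited inbound probe, while still passing the colo reply and inbound mail. The allow-lists are the whole design; the user resistance the reply predicts comes from every new destination needing an entry in `ALLOWED_OUT`.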
