RE: [fw-wiz] ISPs with more secure networks???

From: Ames, Neil (
Date: 07/23/03

    To: "Paul Robertson" <>, "Tony Miedaner" <>
    Date: Wed, 23 Jul 2003 09:28:31 -0400

    That said, I have heard and read good things about Savvis ( as trying to provide a more sane network--beyond managing your firewall for you. I have never worked with them, so I can't vouch for their success in achieving that goal. I, like Paul, am a bit skeptical, but I'd check them out.


    -----Original Message-----
    From: Paul Robertson []
    Sent: Wednesday, July 23, 2003 9:01 AM
    To: Tony Miedaner
    Subject: Re: [fw-wiz] ISPs with more secure networks???

    On Tue, 22 Jul 2003, Tony Miedaner wrote:

    > Hi,
    > Somewhat off topic but
    > Has anyone heard of ISP's with arrangements that enforce any type of
    > security requirements within their agreements for the connected customers
    > as well as providing an SLA that allows a company to restrict access inbound.

    Most large ISPs have too much aggregate traffic to do per-customer
    filtering anywhere other than the leaf node to the customer. Most will
    provide managed firewalling for customers for a price[1].

    > My thought is an arrangement that allows only US based network blocks
    > access to the network (i.e., the customers network).

    I haven't looked for statistics recently, but most non-automated attack
    traffic used to originate in the US, so I'm not sure that's a win ;)

    > Even a tiered access arrangement that allowed US (for instance) based
    > networks x bandwidth and other international networks y bandwidth.
    > Or even better customers agreeing to the networks agreements getting full
    > access to each other and then all others are filtered one way or another
    > (i.e. firewall, routing, filtering or other). The obvious assumption here
    > is that the customers are security conscious.

    The more unlikely and not so obvious assumption here is that customers
    would actually want to pay for such a feature. Suddenly you're dealing
    with thousands of customers who all want their own special rulesets,
    procedures for who can update those rulesets, etc. It's certainly done in
    the managed services arena, but with per-customer infrastructure for the
    most part- that means more power, more administrators, more rack space,
    more phone lines... That gets expensive, and complex pretty quickly, and
    unlike most managed services business, this would have to happen at the
    ISP's facilities to be useful (otherwise, you could just filter at your
    router, do QoS at your router or firewall and call it a day, no reason
    to involve the ISP.)

    > I guess I am getting sick of these folks that don't control what is coming
    > out of their networks and would prefer to see the ISP at least taking a
    > shot at limiting it.

    I'd take a stab in the dark that probably less than 1% of user networks
    control traffic that egresses their borders, and then maybe 1% of that is more
    than source address limitations. Even in that case, almost all allow
    outbound HTTP, so things like Code Red, NIMDA, etc. will still get out.

    If you were to do address or AS-based filtering, you'd limit who you could
    talk to quite severely, and I'm not sure you'd be able to deal well with
    them changing ISPs. If you're going to do that, doesn't it make more
    sense to put globally accessible resources at a colocation facility
    somewhere, then limit your own outbound traffic to the few places you need
    to talk to, and your inbound traffic to ACKs from that, DNS and SMTP?

    Naturally, you'll have the same user resistance that people at the other
    end have, and it's likely that the scheme won't last too long.

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no
    basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation
    [1] TruSecure sells managed services offerings.

    firewall-wizards mailing list
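The border policy Paul sketches (outbound permitted only to the few places you need to talk to; inbound limited to replies to those flows plus DNS and SMTP to your own servers), as an added example that is not part of the original thread. It compares that policy against the "source address limitations only" egress filtering he estimates most sites stop at, over a constructed packet sample; all addresses, ports and the rule tables are assumptions for illustration, and the connection-tracking set stands in for whatever stateful firewall would implement "ACKs from that".

```python
"""Compare two border policies from the thread over constructed traffic:
  - AntiSpoofOnly: egress limited to the site's own source addresses, inbound open
  - StrictBorder: default-deny both ways, outbound only to named destinations,
    inbound only for replies to permitted outbound flows plus DNS and SMTP
Addresses, ports and packets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # True for a TCP connection attempt (SYN without ACK)


INSIDE = [ip_network("192.0.2.0/24")]            # assumed: the customer's own block
# assumed: the only destinations the site needs to reach (net, proto, port)
EGRESS_ALLOW = [
    (ip_network("198.51.100.10/32"), "tcp", 443),  # web app hosted at the colo facility
    (ip_network("198.51.100.53/32"), "udp", 53),   # upstream resolver
    (ip_network("198.51.100.25/32"), "tcp", 25),   # outbound mail relay
]
# assumed: inbound services the site must expose (addr, proto, port)
INGRESS_SERVICES = {
    ("192.0.2.53", "udp", 53),   # authoritative DNS
    ("192.0.2.25", "tcp", 25),   # MX
}


def _inside(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in INSIDE)


class AntiSpoofOnly:
    """Source-address egress filtering only; everything else passes."""
    def egress(self, p: Packet) -> bool:
        return _inside(p.src)

    def ingress(self, p: Packet) -> bool:
        return not _inside(p.src)   # drop obvious spoofs, allow the rest


class StrictBorder:
    """Default-deny both ways, with flow tracking for return traffic."""
    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport, proto) of permitted outbound flows

    def egress(self, p: Packet) -> bool:
        if not _inside(p.src) or _inside(p.dst):
            return False
        dst = ip_address(p.dst)
        for net, proto, port in EGRESS_ALLOW:
            if dst in net and p.proto == proto and p.dport == port:
                self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return True
        return False

    def ingress(self, p: Packet) -> bool:
        if _inside(p.src):   # an inside source address cannot legitimately arrive from outside
            return False
        # reply to a permitted outbound flow (the "ACKs from that" in the post)
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows and not p.syn:
            return True
        return (p.dst, p.proto, p.dport) in INGRESS_SERVICES


def evaluate(policy, packets):
    """Run the sample through one policy in order; return [(label, permitted)]."""
    results = []
    for label, direction, pkt in packets:
        ok = policy.egress(pkt) if direction == "out" else policy.ingress(pkt)
        results.append((label, ok))
    return results


# constructed traffic sample; order matters because replies follow their opens
TRAFFIC = [
    ("workstation opens the colo web app", "out", Packet("192.0.2.10", "198.51.100.10", "tcp", 40001, 443, syn=True)),
    ("reply from the colo web app",        "in",  Packet("198.51.100.10", "192.0.2.10", "tcp", 443, 40001)),
    ("worm-style HTTP to a random host",   "out", Packet("192.0.2.10", "203.0.113.77", "tcp", 40002, 80, syn=True)),
    ("spoofed source leaving the site",    "out", Packet("203.0.113.5", "198.51.100.10", "tcp", 40003, 443, syn=True)),
    ("unsolicited scan of a workstation",  "in",  Packet("203.0.113.77", "192.0.2.10", "tcp", 4444, 139, syn=True)),
    ("inbound mail to the MX",             "in",  Packet("203.0.113.9", "192.0.2.25", "tcp", 51000, 25, syn=True)),
    ("inbound DNS query",                  "in",  Packet("203.0.113.9", "192.0.2.53", "udp", 51001, 53)),
]


def compare():
    """Verdicts for both policies, keyed by policy name then packet label."""
    return {
        "antispoof": dict(evaluate(AntiSpoofOnly(), TRAFFIC)),
        "strict": dict(evaluate(StrictBorder(), TRAFFIC)),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name)
        for label, ok in verdicts.items():
            print(f"  {'PASS' if ok else 'DROP'}  {label}")
```

Running it shows the point of the post: both policies drop the spoofed packet, but only the strict policy stops the outbound HTTP to an arbitrary host and the unsolicited inbound connection, while still letting the colo reply, inbound mail and DNS through. The cost is the one Paul names: every new destination is a rule change, and the allow list has to follow those destinations when they change providers.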

