[fw-wiz] Re: ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 09/01/04

    To: Mason <hr824@sunwave.net>
    Date: Wed, 1 Sep 2004 07:04:12 -0400 (EDT)
    
    

    On Wed, 1 Sep 2004, Mason wrote:

    > In discussions within my department, we find ourselves torn between a desire
    > to be transparent to our customers, our knowledge of what is "out
    > there" (spam, worms, phishing, etc), and the feeling that we need to do more
    > to protect our customers (absence of funds and man-power always figure
    > heavily into this as well...).

    If it's explained well, my conjecture is that most customers will want
    protection...

    > Our quandary is that we are the little guy and we fear that implementing any
    > such restrictive policy would kill us. Our customers are accustomed to
    > largely unrestricted access to the net and our formidable competition is
    > highly unlikely to take similar steps in protecting their network which would
    > of course make them look pretty rosy by comparison.

    Most of your customers likely don't know the difference- being in the
    technology field, and knowing the difference, we likely project that on to
    our users more than is quite accurate- mostly users know X works or Y is
    broken...

    > Anyone have any brilliant ideas...? It's really unfortunate that we feel our
    > hands are tied; most of this mess could be dealt with if we were able to get
    > a bit more involved in our customers' access to the net.

    Here's what I'd do-

    Take a small block of addresses, and implement ingress *and* some basic
    egress filtering. Offer it as "protected network access" with a few
    informational documents- either figure out which of your customers is
    trojaned (irc without a "real" nickname) and offer it to them along with
    some advice on cleaning up, or just offer it-

    If you can't get management to support that- then go whole hog- offer them
    a plan where "protected Internet access" is an extra $5-$10 a month, but
    that allows you to get a firewall and do static addresses to spend some
    time on individual rules- then have them do some market research to see if
    it'd fly.

    Most people aren't technical and want to feel protected. This is an
    advantage that we should *all* be using in explaining firewalling. When I
    left my last employer, I was really surprised at the number of folks who
    understood "You can't do X" was my way of protecting the company, not my
    way of keeping them from doing new things- but I'd probably explained it a
    gazillion times over.

    > > Contrary to popular opinion, full access to the Internet is neither a
    > > god-given right, nor a necessity.
    > >
    > The big issue from a business standpoint is that popular opinion seems to
    > rule... I wish that we could do what is right rather than what is popular -
    > it would make this feel more like network administration than politics...

    Comcast has started filtering. I think egress filtering port 25, and
    having users relay is pretty reasonable these days. Just have a low-cost
    (that's for the business) way for folks to opt out.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
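
An added illustration (not part of the original message or any poster's configuration) of the "small block of addresses" with ingress and egress filtering, plus the port-25 relay arrangement with an opt-out, written as an nftables ruleset. The interface name `cust0`, the customer block, the relay address and the opt-out entry are constructed placeholders using documentation address ranges.

```nft
# Added example: "protected network access" for one small customer block.
# All names and addresses below are constructed placeholders (RFC 5737 ranges).
table inet protected_access {
    # Customers who have opted out of the port-25 egress filter
    set smtp_optout {
        type ipv4_addr
        elements = { 198.51.100.77 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies for connections that were already allowed
        ct state established,related accept

        # Egress: traffic arriving from the protected customer segment
        iifname "cust0" jump egress
        # Ingress: traffic headed to the protected customer block
        oifname "cust0" ip daddr 198.51.100.0/24 jump ingress
    }

    chain egress {
        # Anti-spoofing: only the block's own source addresses may leave
        ip saddr != 198.51.100.0/24 drop

        # Mail is relayed through the ISP's server (placeholder address)
        tcp dport 25 ip daddr 192.0.2.25 accept
        # Opted-out customers may still speak SMTP directly
        tcp dport 25 ip saddr @smtp_optout accept
        # Everyone else: direct outbound SMTP is logged and dropped
        tcp dport 25 log prefix "egress-smtp-drop " drop
    }

    chain ingress {
        # No unsolicited inbound connections to protected customers
        ct state new log prefix "ingress-new-drop " drop
    }
}
```

The `egress-smtp-drop` log lines show which protected addresses are attempting direct SMTP, which gives support staff a starting list of customers to contact about relaying or opting out.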

