Re: [fw-wiz] The home user problem returns
From: Mason Schmitt (mason_at_schmitt.ca)
To: "R. DuFresne" <email@example.com> Date: Tue, 13 Sep 2005 14:43:46 -0700
>>> PLEASE explain to me how my P2P app is going to affect you - my ISP -
>>> or my
> In a shared bandwidth scenario, the pron surfing kid and your p2p
> connections are not mutually exclusive, they both have exactly the same
I should point out; it's true that the ISP game is an over subscription
game. It has to be in order for the home user to pay as little as they
do. If you want a dsl or cable modem's worth of bandwidth absolutely
guaranteed to you at all hours of the day AND you want to be able to
shovel all the data you can through that pipe, then you can get it, it
just costs more - a lot more. Try pricing out a measly T1 some time.
But, over subscription problems and p2p are not what I'm talking about
here at all. Those are just network and bandwidth management issues
that I'm not attempting to bring to this list. My concern is with
people that want a wide open, unrestricted,
give-me-all-my-bad-stuff-it-mine kind of connection and don't think
about the impact that attitude has with others sharing the same ISP, or
for that matter, those behind other ISPs.
I think I've made my point clear that ISPs need to get involved in
protecting those that are ignorant and laying fully exposed. This is a
network security/firewall sort of issue and one that I'd hoped would be
considered relevant to this list (it appears to be so far).
> On another note to this thread as a whole;
> beside ingress and egress filtering, how much might ISP's suffer for
> correcting some of the windows network protocol errors by not passing
> ports 135-139, 445 and 5000 etc across perimiters? Or even allowing
> them to braodcast witin the ISP's realm? Certainly would work to neuter
> the M$ issues to a low noise level would it not?
This is exactly the kind of ingress and egress filtering I'm talking
about. We've avoided, by having these filters in place, some fairly
nasty worm epidemics that wreaked havoc at other ISPs. None of the
traffic typically associated with those ports has any business
whatsoever moving beyond the confines of the home user's local network
or any LAN for that matter.
Again, for most networks, this is absolutely the wrong way to approach
the problem, but for an ISP, those filters and anti spoofing filters
have taken a big chunk out of the low hanging fruit.
-- Mason _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards