Re: [fw-wiz] The home user problem returns
From: David Lang (david.lang_at_digitalinsight.com)
To: Mason Schmitt <firstname.lastname@example.org>
Date: Tue, 13 Sep 2005 20:40:43 -0700 (PDT)
On Tue, 13 Sep 2005, Mason Schmitt wrote:
>> beside ingress and egress filtering, how much might ISP's suffer for
>> correcting some of the windows network protocol errors by not passing
>> ports 135-139, 445 and 5000 etc across perimeters? Or even allowing
>> them to broadcast within the ISP's realm? Certainly would work to neuter
>> the M$ issues to a low noise level would it not?
> This is exactly the kind of ingress and egress filtering I'm talking
> about. We've avoided, by having these filters in place, some fairly
> nasty worm epidemics that wreaked havoc at other ISPs. None of the
> traffic typically associated with those ports has any business
> whatsoever moving beyond the confines of the home user's local network
> or any LAN for that matter.
> Again, for most networks, this is absolutely the wrong way to approach
> the problem, but for an ISP, those filters and anti spoofing filters
> have taken a big chunk out of the low hanging fruit.
there is a fundamental problem with the idea that the ISP should be
responsible for protecting the end-user. namely real protection would mean
that they only allow specific 'known good' things to work, but if you
limit ALL users to just those existing known-good things you will block
development of new things (both good and bad).
having filtering like this as an option (even as a default option) is a
good thing, but deciding that it should be the ONLY option and that I
shouldn't be able to get an unfiltered connection if I want one is
something VERY different.
an unfiltered connection should cost less than a filtered one from a
technical point of view, but I can see that this would just encourage
everyone to get the unfiltered connection so I'm willing to pay the same
rate as those who get filtered, what I'm not willing to do is have a
$29/month cablemodem connection turn into a $89/month connection just
because I don't want the filtering and therefore have to buy a 'business'
version of the same service.
--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. -- C.A.R. Hoare
_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
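The access-edge policy the thread argues over, modelled as an added example (not code from the list or from any ISP mentioned): the LAN-only Windows ports (135-139, 445, 5000) are dropped at the customer boundary in both directions, anti-spoofing applies to every customer, and an opt-out set gives unfiltered customers a plain connection. The customer prefix and addresses are constructed documentation values, not real ones.

```python
"""Model of an ISP customer-edge filter: LAN-only ports blocked, anti-spoofing
enforced for all, and a per-customer opt-out for unfiltered service."""
import ipaddress
from dataclasses import dataclass

# Ports the thread says have no business leaving a home user's LAN.
BLOCKED_PORTS = set(range(135, 140)) | {445, 5000}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    direction: str   # "egress" = customer -> Internet, "ingress" = reverse


class EdgeFilter:
    """Filter sitting on the ISP side of the customer-facing interface."""

    def __init__(self, customer_prefix, unfiltered_customers=()):
        self.prefix = ipaddress.ip_network(customer_prefix)
        # Customers who asked for an unfiltered connection (constructed set).
        self.unfiltered = {ipaddress.ip_address(a) for a in unfiltered_customers}

    def verdict(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        # Anti-spoofing is not optional: egress must carry a source from the
        # prefix assigned to this access segment, even for opt-out customers.
        if pkt.direction == "egress" and src not in self.prefix:
            return "drop:spoofed-source"
        # The customer is the local end of the flow in either direction.
        customer = src if pkt.direction == "egress" else dst
        if customer in self.unfiltered:
            return "accept:unfiltered-customer"
        if pkt.proto in ("tcp", "udp") and pkt.dport in BLOCKED_PORTS:
            return "drop:lan-only-port"
        return "accept"


if __name__ == "__main__":
    # Constructed sample: one filtered and one opt-out customer on 198.51.100.0/24.
    f = EdgeFilter("198.51.100.0/24", unfiltered_customers=["198.51.100.7"])
    for p in (Packet("198.51.100.5", "203.0.113.9", "tcp", 445, "egress"),
              Packet("203.0.113.9", "198.51.100.5", "udp", 137, "ingress"),
              Packet("10.0.0.1", "203.0.113.9", "tcp", 80, "egress"),
              Packet("198.51.100.7", "203.0.113.9", "tcp", 445, "egress")):
        print(p.direction, p.proto, p.dport, "->", f.verdict(p))
```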