Re: [fw-wiz] The home user problem returns

mason_at_schmitt.ca
Date: 09/14/05

  • Next message: David Lang: "Re: [fw-wiz] The home user problem returns"
    To: "David Lang" <david.lang@digitalinsight.com>
    Date: Wed, 14 Sep 2005 00:28:58 -0700 (PDT)
    
    

    >> This is exactly the kind of ingress and egress filtering I'm talking
    >> about. We've avoided, by having these filters in place, some fairly
    >> nasty worm epidemics that wreaked havoc at other ISPs. None of the
    >> traffic typically associated with those ports has any business
    >> whatsoever moving beyond the confines of the home user's local network
    >> or any LAN for that matter.
    >>
    >> Again, for most networks, this is absolutely the wrong way to approach
    >> the problem, but for an ISP, those filters and anti-spoofing filters
    >> have taken a big chunk out of the low hanging fruit.
    >
    > there is a fundamental problem with the idea that the ISP should be
    > responsible for protecting the end-user. namely real protection would mean
    > that they only allow specific 'known good' things to work, but if you
    > limit ALL users to just those existing known-good things you will block
    > development of new things (both good and bad).

    What is "real protection"? Is that a brand name? As was said earlier, ISPs
    are not the same sort of beast as a corporation - they cannot / should not
    provide a default deny security policy for all customers. I think we've
    also basically shown that if this were offered, so few people would take
    the offer that there's really no point in trying in the first place. So,
    let's scrap the idea that ISPs should completely shield their customers
    from all harm - that is completely unrealistic for several reasons, not
    the least of which is the fact that ISPs are inherently default allow and
    that the ISP has no real control over the home user's PC at all. This is
    not how a corporate environment should be run. Have we cleared that all
    up now? The two are very different. The approaches to managing each are
    different.

    So, getting back to whether ISPs should be involved in the security stack
    at all? As is obvious from this thread, even some security people are
    unsure whether ISPs should be anything but a transparent pipe to the net.
    I'm still rather surprised and a little disappointed to hear this. Why is
    there concern over blocking really basic automated crap that has no
    business being on any network? Especially considering that most of the
    home users that security people always complain about are the ones sitting
    on the ISP's network. Is there some assumption that clueful security folk
    make up a large percentage of an ISP's customer base? Is that why ISPs
    should just let all the crap through? Because if that's the case, if all
    the users out there really know how to defend themselves, then Marcus is
    right, we are wasting our breath - everyone knows this stuff. So, the
    reason we are seeing all these massive worm infections and botnets
    sending spam is because we let them do it - it keeps us all employed.

    All sarcasm aside, why do people keep clinging to the idea of a completely
    transparent pipe? I don't get it. Does it have something to do with some
    badly twisted idea of free speech? Why do you think that just because
    .0001% of the user population knows how to defend themselves, that
    everyone else should be made to suffer? I apologize in advance for
    being accusatory, but that's selfish and self-centered.

    > having filtering like this as an option (even as a default option) is a
    > good thing, but deciding that it should be the ONLY option and that I
    > shouldn't be able to get an unfiltered connection if I want one is
    > something VERY different.

    You know what? Given that you really are only .0001% of the ISP customer
    base, if you were to phone me up and say that you were really into
    computer security and wanted to set up a honeynet or something like that
    so that you could watch and learn and I got the impression that you were
    for real, I'd make an exception in my ruleset for you. I'd also tell you
    that if I got a single complaint regarding traffic from your IP, you'd be
    right back to where you started.

    I don't think I'm pulling the arrogant, control freak sysadmin / BOFH role
    here. The basic filters that are in place right now should be in place on
    every ISP on the planet. They do not impede any legitimate traffic at all
    and offer very real benefits to our customers and us. It is my strong
    opinion that ISPs can and should be doing more to help, "reduce the noise
    to manageable levels." I know that this is not a list for ISP network
    admins, so perhaps I'm "wasting my breath", but perhaps this rant can be
    construed as more user education. You're sharing the net with people that
    are practically helpless, please ease up a bit and understand that some
    simple actions on the part of the ISP are going to help everyone.

    I enjoy this list and don't want to alienate myself by lashing out at
    anyone (I know you're in the To field, David, and I was responding to your
    email, but this wasn't directed at you), so I apologize if I've rubbed
    anyone the wrong way.

    --
    Mason
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards