Re: [fw-wiz] The home user problem returns

From: David Lang (
Date: 09/14/05

    Date: Wed, 14 Sep 2005 00:43:08 -0700 (PDT)

    On Wed, 14 Sep 2005 wrote:

    > So, getting back to whether ISPs should be involved in the security stack
    > at all? As is obvious from this thread, even some security people are
    > unsure whether ISPs should be anything but a transparent pipe to the net.
    > I'm still rather surprised and a little disappointed to hear this. Why is
    > there concern over blocking really basic automated crap that has no
    > business being on any network? Especially considering that most of the
    > home users that security people always complain about are the ones sitting
    > on the ISP's network. Is there some assumption that clueful security folk
    > make up a large percentage of an ISP's customer base? Is that why ISPs
    > should just let all the crap through? Because if that's the case, if all
    > the users out there really know how to defend themselves, then Marcus is
    > right, we are wasting our breath - everyone knows this stuff. So, the
    > reason we are seeing all these massive worm infections and bot nets
    > sending spam is because we let them do it - it keeps us all employed.
    > All sarcasm aside, why do people keep clinging to the idea of a completely
    > transparent pipe? I don't get it. Does it have something to do with some
    > badly twisted idea of free speech? Why do you think that just because
    > .0001% of the user population knows how to defend themselves, that
    > everyone else should be made to suffer? I apologize in advance for
    > being accusatory, but that's selfish and self centered.

    in part it's because I had an ISP that claimed to be 'protecting' me. it
    ended up being so bad that I changed ISPs (in reality they weren't
    providing much protection against anything except their pricing plan and
    oversubscription percentages)

    >> having filtering like this as an option (even as a default option) is a
    >> good thing, but deciding that it should be the ONLY option and that I
    >> shouldn't be able to get an unfiltered connection if I want one is
    >> something VERY different.
    > You know what. Given that you really are only .0001% of the ISP customer
    > base, if you were to phone me up and say that you were really into
    > computer security and wanted to setup a honey net or something like that
    > so that you could watch and learn and I got the impression that you were
    > for real, I'd make an exception in my ruleset for you. I'd also tell you
    > that if I got a single complaint regarding traffic from your IP, you'd be
    > right back to where you started.

    I wouldn't have a problem with this, however I expect that most ISPs
    wouldn't be willing to make exceptions like this (just look at the
    anti-spam filtering today, getting the ISP to disable spam filtering so
    that you can do it if you think you can do a better job than the ISP is
    very much an uphill fight with many ISPs)

    > I don't think I'm pulling the arrogant, control freak sysadmin / BOFH role
    > here. The basic filters that are in place right now should be in place on
    > every ISP on the planet. They do not impede any legitimate traffic at all
    > and offer very real benefits to our customers and us. It is my strong
    > opinion that ISPs can and should be doing more to help, "reduce the noise
    > to manageable levels." I know that this is not a list for ISP network
    > admins, so perhaps I'm "wasting my breath", but perhaps this rant can be
    > construed as more user education. You're sharing the net with people that
    > are practically helpless, please ease up a bit and understand that some
    > simple actions on the part of the ISP are going to help everyone.

    I don't think that there are many (if any) who are saying that it would be
    evil to offer filtering (even if it's on by default), but the second half
    of the issue is the ISP being willing to turn it off for that small
    percentage of customers who need it off, and our past experiences with
    ISPs warn us that this is not something that will be available by
    default (I refer to the earlier poster who had to build a Windows box to
    register his cablemodem as an example)

    as long as there is an option to disable this filtering when appropriate
    then go for it, I hope you succeed.

    > I enjoy this list and don't want to alienate myself by lashing out at
    > anyone (I know you're in the To field David and I was responding to your
    > email, but this wasn't directed at you), so I apologize if I've rubbed
    > anyone the wrong way.

    no offense taken.

    David Lang

    > --
    > Mason

    There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
      -- C.A.R. Hoare
    firewall-wizards mailing list
