Firewall Wizards mailing list archives

RE: ISPs with more secure networks???


From: "Ames, Neil" <NAmes () anteon com>
Date: Wed, 23 Jul 2003 09:28:31 -0400

That said, I have heard and read good things about Savvis (www.savvis.com) as trying to provide a more sane 
network--beyond managing your firewall for you.  I have never worked with them, so I can't vouch for their success in 
achieving that goal.  I, like Paul, am a bit skeptical, but I'd check them out.


--Fritz

-----Original Message-----
From: Paul Robertson [mailto:proberts () patriot net]
Sent: Wednesday, July 23, 2003 9:01 AM
To: Tony Miedaner
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] ISPs with more secure networks???


On Tue, 22 Jul 2003, Tony Miedaner wrote:

Hi,

Somewhat off topic but

Has anyone heard of ISPs with arrangements that enforce any type of 
security requirements within their agreements for the connected customers 
as well as providing an SLA that allows a company to restrict access inbound.

Most large ISPs have too much aggregate traffic to do per-customer 
filtering anywhere other than the leaf node to the customer.  Most will 
provide managed firewalling for customers for a price[1].

My thought is an arrangement that allows only US based network blocks 
access to the network (i.e., the customers network).

I haven't looked for statistics recently, but most non-automated attack 
traffic used to originate in the US, so I'm not sure that's a win ;)

Even a tiered access arrangement that allowed US (for instance) based 
networks x bandwidth and other international networks y bandwidth.

Or even better customers agreeing to the networks agreements getting full 
access to each other and then all others are filtered one way or another 
(i.e. firewall, routing, filtering or other).   The obvious assumption here 
is that the customers are security conscious.

The more unlikely and not so obvious assumption here is that customers 
would actually want to pay for such a feature.  Suddenly you're dealing 
with thousands of customers who all want their own special rulesets, 
procedures for who can update those rulesets, etc.  It's certainly done in 
the managed services arena, but with per-customer infrastructure for the 
most part- that means more power, more administrators, more rack space, 
more phone lines...  That gets expensive, and complex pretty quickly, and 
unlike most managed services business, this would have to happen at the 
ISP's facilities to be useful (otherwise, you could just filter at your 
router, do QoS at your router or firewall and call it a day, no reason 
to involve the ISP.)

I guess I am getting sick of these folks that don't control what is coming 
out of their networks and would prefer to see the ISP at least taking a 
shot at limiting it.

I'd take a stab in the dark that probably less than 1% of user networks 
control traffic that egresses their borders, and then maybe 1% of that is more 
than source address limitations.  Even in that case, almost all allow 
outbound HTTP, so things like Code Red, NIMDA, etc. will still get out.

If you were to do address or AS-based filtering, you'd limit who you could 
talk to quite severely, and I'm not sure you'd be able to deal well with 
them changing ISPs.  If you're going to do that, doesn't it make more 
sense to put globally accessible resources at a colocation facility 
somewhere, then limit your own outbound traffic to the few places you need 
to talk to, and your inbound traffic to ACKs from that, DNS and SMTP?  

Naturally, you'll have the same user resistance that people at the other 
end have, and it's likely that the scheme won't last too long. 

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
[1] TruSecure sells managed services offerings.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
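The border policy Paul sketches (public servers at a colo, outbound limited to the few places you need, inbound limited to replies from the colo plus DNS and SMTP) written out as a small packet-policy evaluator. This is an added example, not code from the list or from any ISP; the address blocks, the resolver and the sample packets are constructed, and the decision to allow outbound SMTP anywhere is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site layout: the office lives in 192.0.2.0/24, the public servers
# sit at a colocation provider, and the office only needs the colo, its resolver
# and SMTP peers. All prefixes are RFC 5737 documentation ranges.
COLO_NET = ip_network("203.0.113.0/24")    # colocated public servers
RESOLVERS = {ip_address("198.51.100.53")}  # the one resolver the office may query

@dataclass(frozen=True)
class Flow:
    direction: str          # "out" = office -> Internet, "in" = Internet -> office
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    ack_only: bool = False  # TCP segment with ACK set and SYN clear, i.e. a reply

def decide(flow: Flow) -> str:
    """Apply the post's border policy to one packet; return 'allow' or 'deny'."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if flow.direction == "out":
        if dst in COLO_NET:                                        # our own colo hosts
            return "allow"
        if flow.proto == "udp" and flow.dport == 53 and dst in RESOLVERS:
            return "allow"                                         # DNS queries
        if flow.proto == "tcp" and flow.dport == 25:
            return "allow"                                         # mail delivery (assumed)
        return "deny"               # everything else, outbound HTTP included
    if flow.proto == "tcp" and flow.ack_only and src in COLO_NET:
        return "allow"                                             # replies from the colo
    if flow.proto == "udp" and flow.sport == 53 and src in RESOLVERS:
        return "allow"                                             # DNS answers
    if flow.proto == "tcp" and flow.dport == 25 and not flow.ack_only:
        return "allow"                                             # inbound mail
    return "deny"                   # unsolicited inbound, e.g. a SYN to port 80

# Constructed sample traffic: one outbound HTTP request to an arbitrary host
# (the kind of traffic the post says most egress filters still let through).
SAMPLES = {
    "http_out_to_random_host": Flow("out", "192.0.2.10", "198.51.100.200", "tcp", 40001, 80),
    "colo_reply_in":           Flow("in", "203.0.113.7", "192.0.2.10", "tcp", 443, 40002, ack_only=True),
    "dns_answer_in":           Flow("in", "198.51.100.53", "192.0.2.10", "udp", 53, 40003),
    "smtp_in":                 Flow("in", "198.51.100.200", "192.0.2.25", "tcp", 50000, 25),
    "syn_to_web_in":           Flow("in", "198.51.100.200", "192.0.2.10", "tcp", 50001, 80),
}

def evaluate_samples() -> dict:
    """Run every constructed packet through the policy."""
    return {name: decide(flow) for name, flow in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24s} {verdict}")
```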