Re: Re: ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules

[Devdas Bhagat <devdas () dvb homelinux org>]

On 01/09/04 07:04 -0400, Paul D. Robertson wrote:
> On Wed, 1 Sep 2004, Mason wrote:
>
> > In discussions within my department, we find ourselves torn between a desire
> > to be transparent to our customers, our knowledge of the what is "out
> > there" (spam, worms, phishing, etc), and the feeling that we need to do more
> > to protect our customers (absence of funds and man-power always figure
> > heavily into this as well...).
>
> If it's explained well, my conjecture is that most customers will want
> protection...
>
> > Our quandary is that we are the little guy and we fear that implementing any
> > such restrictive policy would kill us.  Our customers are accustomed to
> > largely unrestricted access to the net and our formidable competition is
> > highly unlikely to take similar steps in protecting their network which would
> > of course make them look pretty rosy by comparison.
>
> Most of your customers likely don't know the difference- being in the
> technology field, and knowing the difference, we likely project that on to
> our users more than is quite accurate- mostly users know X works or Y is
> broken...

My current ISP offers a default inbound firewall. I have to opt out of
their blacklist (and deposit $large sum for it). I still end up with
having the Cisco Pix SMTP proxy in front of my Postfix box, and ssh
sessions dying out.
The only reason I am with them is that I didn't have a better choice
until now. Now I have a possibly better choice and I might move if the
other ISP gets a small amount more of clue (they are a telco so not much
hope for that, but that is something I can work around).

> > Anyone have any brilliant ideas...?  It's really unfortunate that we feel our
> > hands are tied; most of this mess could be dealt with if we were able to get
> > a bit more involved in our customers' access to the net.
>
> Here's what I'd do-
>
> Take a small block of addresses, and implement ingress *and* some basic
> egress filtering.  Offer it as "protected network access" with a few
> informational documents- either figure out which of your customers is
> trojaned (irc without a "real" nickname) and offer it to them along with
> some advice on cleaning up, or just offer it-
>
> If you can't get management to support that- then go whole hog- offer them
> a plan where "protected Internet access" is an extra $5-$10 a month, but
> that allows you to get a firewall and do static addresses to spend some
> time on individual rules- then have them do some market research to see if
> it'd fly.

Or the other way round. Firewalled by default, with no ingress and
limited egress.

> Most people aren't technical and want to feel protected.  This is an
> advantage that we should *all* be using in explaining firewalling.  When I
> left my last employer, I was really surprised at the number of folks who
> understood "You can't do X" was my way of protecting the company, not my
> way of keeping them from doing new things- but I'd probably explained it a
> gazillion times over.

On the other hand, the ISP network is for doing new things. I am not
being paid to use the ISP network, I am paying for that. Any ISP that
wants to say "don't do X" will be expected to justify it. If they can
justify it, I am willing to continue with their service.

> > > Contrary to popular opinion, full access to the Internet is neither a
> > > god-given right, nor a necessity.
> > The big issue from a business standpoint is that popular opinion seems to
> > rule...  I wish that we could do what is right rather than what is popular -
> > it would make this feel more like network adminstration than politics...
>
> Comcast has started filtering.  I think egress filtering port 25, and
> having users relay is pretty reasonable these days.  Just have a low-cost
> (that's for the bueiness) way for folks to opt out.

Or for those of us who have more clue than $generic ISP admin.
($generic admin example == someone who does not understand that
*you do not take all your outbound MTAs down twice for three days each
to upgrade them. You do it one at a time.*)

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards