Firewall Wizards mailing list archives
Re: Re: ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Wed, 1 Sep 2004 22:19:27 +0530
On 01/09/04 07:04 -0400, Paul D. Robertson wrote:
> On Wed, 1 Sep 2004, Mason wrote:
> > In discussions within my department, we find ourselves torn between a desire to be transparent to our customers, our knowledge of what is "out there" (spam, worms, phishing, etc), and the feeling that we need to do more to protect our customers (absence of funds and man-power always figure heavily into this as well...).
>
> If it's explained well, my conjecture is that most customers will want protection...
>
> > Our quandary is that we are the little guy and we fear that implementing any such restrictive policy would kill us. Our customers are accustomed to largely unrestricted access to the net and our formidable competition is highly unlikely to take similar steps in protecting their network which would of course make them look pretty rosy by comparison.
>
> Most of your customers likely don't know the difference- being in the technology field, and knowing the difference, we likely project that on to our users more than is quite accurate- mostly users know X works or Y is broken...

My current ISP offers a default inbound firewall. I have to opt out of their blacklist (and deposit $large sum for it). I still end up with having the Cisco Pix SMTP proxy in front of my Postfix box, and ssh sessions dying out. The only reason I am with them is that I didn't have a better choice until now. Now I have a possibly better choice and I might move if the other ISP gets a small amount more of clue (they are a telco so not much hope for that, but that is something I can work around).

> > Anyone have any brilliant ideas...? It's really unfortunate that we feel our hands are tied; most of this mess could be dealt with if we were able to get a bit more involved in our customers' access to the net.
>
> Here's what I'd do- Take a small block of addresses, and implement ingress *and* some basic egress filtering. Offer it as "protected network access" with a few informational documents- either figure out which of your customers is trojaned (irc without a "real" nickname) and offer it to them along with some advice on cleaning up, or just offer it- If you can't get management to support that- then go whole hog- offer them a plan where "protected Internet access" is an extra $5-$10 a month, but that allows you to get a firewall and do static addresses to spend some time on individual rules- then have them do some market research to see if it'd fly.

Or the other way round. Firewalled by default, with no ingress and limited egress.

> Most people aren't technical and want to feel protected. This is an advantage that we should *all* be using in explaining firewalling. When I left my last employer, I was really surprised at the number of folks who understood "You can't do X" was my way of protecting the company, not my way of keeping them from doing new things- but I'd probably explained it a gazillion times over.

On the other hand, the ISP network is for doing new things. I am not being paid to use the ISP network, I am paying for that. Any ISP that wants to say "don't do X" will be expected to justify it. If they can justify it, I am willing to continue with their service.

> > > Contrary to popular opinion, full access to the Internet is neither a god-given right, nor a necessity.
> >
> > The big issue from a business standpoint is that popular opinion seems to rule... I wish that we could do what is right rather than what is popular - it would make this feel more like network administration than politics...
>
> Comcast has started filtering. I think egress filtering port 25, and having users relay is pretty reasonable these days. Just have a low-cost (that's for the business) way for folks to opt out.

Or for those of us who have more clue than $generic ISP admin. ($generic admin example == someone who does not understand that *you do not take all your outbound MTAs down twice for three days each to upgrade them. You do it one at a time.*)

Devdas Bhagat

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
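The "protected network access" scheme discussed in the thread (no unsolicited inbound to a customer block, outbound port 25 only via the ISP relay, and an opt-out for customers who want raw access) written out as an nftables ruleset generator. This is an added example for this archive page, not code from any of the thread's authors; the customer prefix 192.0.2.0/24, the relay address 198.51.100.25 and the opted-out addresses are constructed documentation-range values.

```shell
#!/bin/sh
# Emit an nftables ruleset for a "protected network access" customer block:
# nothing unsolicited inbound, outbound SMTP only to the ISP relay, and a
# set of opted-out addresses that are forwarded unfiltered in both
# directions. Constructed example; addresses are documentation prefixes.
gen_ruleset() {
    block="$1"      # customer prefix, e.g. 192.0.2.0/24
    relay="$2"      # ISP outbound SMTP relay the customers must use
    optout="$3"     # comma-separated opted-out customer addresses, may be empty
    if [ -n "$optout" ]; then
        elements="        elements = { $optout }"
    else
        elements=""
    fi
    cat <<EOF
table inet isp_protect {
    set optout {
        type ipv4_addr
        flags interval
$elements
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # replies to connections the customers opened must keep flowing,
        # so conntrack state is checked before any address-based rule
        ct state established,related accept
        ct state invalid drop
        # opted-out customers bypass the protected-block rules entirely
        ip saddr @optout accept
        ip daddr @optout accept
        # protected block, outbound: SMTP only to the relay, the rest allowed
        ip saddr $block ip daddr != $relay tcp dport 25 drop
        ip saddr $block accept
        # protected block, inbound: nothing unsolicited (the chain policy
        # already drops it; the explicit rule gives a counter to watch)
        ip daddr $block counter drop
    }
}
EOF
}

# usage: gen_ruleset 192.0.2.0/24 198.51.100.25 "192.0.2.10, 192.0.2.200" > protected.nft
if [ "$#" -ge 2 ]; then
    gen_ruleset "$@"
fi
```

Load the generated file with `nft -f protected.nft` on the router that forwards the customer block; the rule order (conntrack first, opt-out exceptions before the block rules) is what keeps customer-initiated sessions alive while still refusing unsolicited inbound connections.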