Security Incidents mailing list archives

Re: ISP Filtering (Survey of Sorts)


From: Brett Glass <brett () lariat org>
Date: Fri, 01 Jun 2001 21:20:24 -0600

At 11:09 AM 5/31/2001, McCammon, Keith wrote:

> A few questions:
>
> 1) Does anyone know of a list of known security-conscious ISPs (for larger
> corporate circuits) that are known for providing basic security services
> (ingress/egress filters, RFC1918's, and client-specific filter requests) to
> customers without hassle?

LARIAT, which is a non-profit community network, will do this for members
upon request (and we do it automatically for members using the dial-ups).
However, our business members with high-speed links often want to take 
responsibility for their own destinies. If so, we let them. 

We still do some monitoring, though. It's scary how frequently a small 
business will get a hotshot employee who claims to know his network
administration but really knows just enough to put the company in grave
danger. Usually, he'll put up a brand-spanking-new NT/Win2000 box and/or 
a vulnerable version of Linux... and is hit by hackers or the Ramen worm, 
respectively, in short order. If we see that this has happened, we
reserve the right to block the packets or shut down the link.

> 2) Does anyone else have an ISP that, by policy, will not filter upstream?
> I've got Verizon, and I've been having some infrequent correspondence with
> them regarding filtering and it has been denied all the way up the chain.
> I'm getting kind of tired of seeing thousands of matches on my access-lists
> against RFC1918 rules and such that I would assume should be filtered by any
> semi-responsible ISP.

There are a few "IP purists" who believe that the Net should be as dumb
as possible in order to be fast. They're mainly left over from the days
of the friendly, academic Internet where no accountability was required
because folks were well-behaved. In real life, of course, we don't fire
all of our policemen just because we have locks on our doors.

--Brett
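
[Added example, not part of the original message or of either poster's configuration: a sketch of the ingress/egress filtering decision discussed in this thread, applied to constructed sample packets. The customer prefix (203.0.113.0/24), the function names and the sample addresses are assumptions chosen for illustration.]

```python
import ipaddress

# RFC 1918 private blocks: never a valid source on a public upstream link.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed customer prefix (a documentation range), for illustration only.
CUSTOMER_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def border_verdict(direction, src):
    """Return (action, reason) for a packet crossing the customer/ISP border.

    direction is "ingress" (upstream -> customer) or "egress" (customer -> upstream).
    """
    addr = ipaddress.ip_address(src)
    if direction == "ingress":
        if _in_any(addr, RFC1918):
            return ("deny", "rfc1918-source")
        if _in_any(addr, CUSTOMER_NETS):
            # Our own prefix cannot legitimately arrive from outside.
            return ("deny", "spoofed-own-prefix")
        return ("permit", "ok")
    if direction == "egress":
        if not _in_any(addr, CUSTOMER_NETS):
            # Covers RFC 1918 leaks and any other forged source.
            return ("deny", "source-not-ours")
        return ("permit", "ok")
    raise ValueError(f"unknown direction: {direction!r}")


def tally(packets):
    """Count packets per (direction, action, reason), like ACL hit counters."""
    counts = {}
    for direction, src in packets:
        key = (direction,) + border_verdict(direction, src)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic; 172.32.0.1 sits just outside 172.16.0.0/12.
SAMPLE = [("ingress", "10.1.2.3"), ("ingress", "172.31.255.1"),
          ("ingress", "172.32.0.1"), ("ingress", "203.0.113.7"),
          ("ingress", "198.51.100.9"), ("egress", "203.0.113.20"),
          ("egress", "192.168.1.5")]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE).items()):
        print(key, n)
```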

