Security Incidents mailing list archives

Re: A question for the list...


From: Dave Booth <dbooth () carlson com>
Date: Thu, 22 May 2003 12:21:23 -0500

Luc Pardon wrote:
> We're talking about (a pound of) cure, how about (an ounce of)
> prevention?
>
> There seems to be consensus that (lack of) competence is part of the
> problem. If ISPs would/could take on more responsibility, the need for
> hack-back would be greatly reduced, making discussion of whether it's nice or
> not futile, so maybe the following is even on topic ;-)
>
> I'd be interested in the opinion of the community (particularly ISPs)
> on a scheme like this:


I can see ISPs that work this way losing lots of accounts when any
protocol that involves server-side callbacks breaks. You can't really
expect the average road-warrior to know which ports to open in order
to enable their corporate VPN tunnel, for example. There would have to
be some kind of stateful inspection of traffic at the ISP to determine
if an active FTP callback, or the establishment of a tunnel, or an IRC
DCC session is somehow "expected" and should be allowed or is just a
generic incoming connection that should be dropped.

That's a nasty overhead to ask a small ISP's network kit to bear, and the
bigger the ISP the nastier it gets.

On the other hand, lots of attacks depend on spoofed traffic, and we've
all read both the rants about ISPs who don't filter out the martians
and ISPs screaming about how they can't afford to do anything about it.
The ISP does have to pay for any filtering they do, so how about
requiring all customers to have egress filtering? If the customer can't
or won't do this then they can pay the ISP a little extra to have the
ISP apply the required filters to their connection. Of course we'd
have to "encourage" good behaviour in the customers that handle their
own filtering by putting a penalty clause in there. Generate martians
after you said you wouldn't and your next month's bill would include a
much steeper fee for the filtering - say 3 times the amount it would
be if you'd asked them to do it up front? I'm confident enough in my
egress filtering to put my money where my mouth is, and I suspect most
readers of this list are in a similar position. Just a thought....

-- 
Dave Booth
dbooth () carlson com
+----------------------------------------------------------------+
| Trouble rather the tiger in his lair than the sage amongst his |
| books, for to you kingdoms and their armies are things mighty  |
| and enduring but to him they are the toys of the moment, to be |
| overturned by the flicking of a finger.                        |
+----------------------------------------------------------------+
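The egress-filtering proposal above, as an added illustration that is not part of the original post: a customer-side check that drops outbound packets whose source address is a martian or lies outside the customer's assigned prefixes, plus an ISP-side audit that counts the violations the "penalty clause" would bill for. The customer prefixes, the packet samples and the Packet type are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes assigned to this customer (constructed sample values).
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/25")]

# Source ranges that should never leave a customer link ("martians").
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Packet:          # hypothetical minimal packet record
    src: str
    dst: str


def egress_verdict(pkt, prefixes=CUSTOMER_PREFIXES):
    """Customer-side egress filter: 'accept' or a drop reason for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in m for m in MARTIANS):
        return "drop:martian-source"
    if not any(src in p for p in prefixes):
        return "drop:spoofed-source"
    return "accept"


def audit_egress(packets, prefixes=CUSTOMER_PREFIXES):
    """ISP-side check of traffic sampled on the link: what the filter should have stopped."""
    verdicts = [egress_verdict(p, prefixes) for p in packets]
    return {
        "accepted": sum(v == "accept" for v in verdicts),
        "violations": [(p.src, v) for p, v in zip(packets, verdicts) if v != "accept"],
    }


# Constructed sample of packets seen leaving the customer link.
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.1"),       # legitimate customer source
    Packet("198.51.100.9", "192.0.2.1"),      # legitimate, inside the /25
    Packet("10.1.2.3", "192.0.2.1"),          # RFC 1918 source: martian
    Packet("198.51.100.200", "192.0.2.1"),    # outside the /25: spoofed
    Packet("192.0.2.99", "192.0.2.1"),        # someone else's address: spoofed
]

if __name__ == "__main__":
    print(audit_egress(SAMPLE))   # 2 accepted, 3 violations
```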

