nanog mailing list archives

Re: SP's & network security issues


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Thu, 09 Aug 2001 08:49:59 -0700


Oh, I can't leave this one alone, nope. I've snipped judiciously, hope the
sense stays in.

Travis Pugh wrote:

> ----- Original Message -----
> From: "Christian Kuhtz" <ck () arch bellsouth net>
>
> > The problem of security threats & resulting incidents is going to get
> > considerably worse before it gets better.  And that's for at least two
> > reasons... the ramp up of broadband and presumably the declining
> > sophistication of the subscriber population as a result of the greater
> > market penetration.

Sure, but this has been true since the September that never ended, but read
on, Macduff.

> Lack of security knowledge is also a huge problem in the colocation market.
>
> I don't see the broadband issue fixing itself without some built-in stateful
> inspection firewall in the CPE itself -- if the customer has to pay for an
> additional piece of hardware or software, it will instantly reduce
> penetration.

Ah, here's where it starts. You know, there are indeed a lot of clueless
wonders out there on the other end of a DSL pipe, or cable modem. Hell,
some of them are on this list. ;-} It doesn't mean that I want or need the
protection you are offering. Personally, I'd be happy to abide by a TOS
that said you have to fix your broken machines, or you lose your access,
AND we will bill you for the clean up costs.

> If you can do what you need from a firewalling standpoint on
> the CPE, it makes life a lot easier.  If you can provide a default firewall
> installation on your choice of CPE, configuration scaling becomes much
> easier.

Works fine for colo. You going to make me put in some kind of firewall on
my network at home? No thanks, I want that direct connection. I REQUIRE it,
unfiltered, for what I do. Nothing wrong with offering this (I think a
couple of DSL providers had a reduced price on a SonicWall for a while).
Nothing wrong with links on a page that provide the latest security patches
for the most common OSes (Red Hat Linux and Windows 2K spring to mind).

> I'd think that a good default stance would be to block all incoming TCP
> connections that aren't part of an established session, for all broadband
> customers.

How nice for you to make that choice for me. No thanks.

> Most of them would never notice, as email and http still work.

Bet you are wrong here. I have something called business-class DSL (how you
can think that DSL is business class is beyond me, but it's fine and dandy
for my purposes), but I know a LOT of gamers that might not be too happy
with your suggestions.

> However, at the scale you're talking about, I don't see blocking anything on
> the aggregation device itself ... it'd have to happen in the CPE, since
> firewall rules are going to have to be customized for clients who do need to
> run servers on their LAN.

This is just so shortsighted. What I'd like to see is the large service
providers having some sort of point of contact for issues like this. I see
tons of hits still from PacBell and Concentric (you'd expect me to see a
lot from Concentric, since that's the IP space I'm in), and none of them
seem to disappear. I'm sure that with the THOUSANDS of affected machines in
those spaces that administrators for the networks are just swamped trying
to track them down.

[snipped a whole bunch of well-meaning stuff that jumped my blood pressure
about a hundred points]

> Run an abuse department that responds quickly to customers, and to other
> providers, within limits.  24 x 7 is necessary, responding instantly to
> BlackICE freaking out because someone ran nmap past it is not.

This is a good point, and similar to what I just said. The problem is:

How do you (the abuse department) tell the difference between BlackICE or
Snort logs and someone who has a valid problem that needs to be addressed?

Feh. Enough. It just doesn't have easy solutions, but then, what does?

--
Open source should be about giving away things voluntarily. When
you force someone to give you something, it's no longer giving, it's
stealing. Persons of leisurely moral growth often confuse giving with
taking.    -- Larry Wall
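The default stance Travis proposes above (drop inbound TCP that is not part of a session the subscriber opened, with per-customer exceptions for people who run servers on their LAN) is easy to state and easy to get subtly wrong, so here is a small added example of what that policy does to a packet trace. This is not code from anyone in the thread or from any vendor's CPE; the `Packet`/`CpeFirewall` names, the 10.0.0.0/24 subscriber LAN, the documentation-range remote addresses and the port numbers are all constructed for the demo, and port 27960 stands in for the game server the gamers in the thread would be running. It also contrasts, as an extension the thread does not mention, the real connection-tracking filter with the older shortcut of treating any inbound segment with the ACK bit set as "established", which lets a bare-ACK probe through.

```python
"""
Toy stateful CPE filter for the default stance proposed in the thread:
drop inbound TCP that is not part of a session the subscriber opened,
with an opt-in allowlist for customers who run servers on their LAN.
Added example; not code from the thread or from any vendor's CPE.
All addresses, ports and the trace below are constructed.
"""
from dataclasses import dataclass, field

LAN_PREFIX = "10.0.0."   # hypothetical subscriber LAN (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}

    @property
    def inbound(self) -> bool:
        return self.dst.startswith(LAN_PREFIX) and not self.src.startswith(LAN_PREFIX)

    @property
    def is_syn(self) -> bool:
        return "SYN" in self.flags and "ACK" not in self.flags


def ack_bit_established(p: Packet) -> str:
    """Stateless shortcut: any inbound TCP segment with ACK set is treated as
    part of an established session.  Cheap, but a bare ACK probe (an ACK scan)
    sails through, which the stateful version below does not allow."""
    if p.proto != "tcp" or not p.inbound or "ACK" in p.flags:
        return "ACCEPT"
    return "DROP"


@dataclass
class CpeFirewall:
    """Connection-tracking filter.  Outbound traffic is always accepted and
    creates state; inbound TCP is accepted only when it matches that state or
    arrives on a port the customer explicitly opened."""
    allow_in: frozenset = frozenset()          # customer-opened server ports
    _table: set = field(default_factory=set)   # (lan_ip, lan_port, rmt_ip, rmt_port)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet):
        # Normalise both directions to the same (lan, remote) tuple.
        return (p.dst, p.dport, p.src, p.sport) if p.inbound else (p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        verdict = self._decide(p)
        self.log.append((verdict, p))
        return verdict

    def _decide(self, p: Packet) -> str:
        if p.proto != "tcp":
            return "ACCEPT"      # the thread's proposal covers TCP only; UDP passes
        key = self._key(p)
        if not p.inbound:
            if p.is_syn:
                self._table.add(key)   # subscriber opened a session
            return "ACCEPT"
        if key in self._table:
            if "RST" in p.flags:
                self._table.discard(key)   # toy tracker: RST only, no timeouts/FIN teardown
            return "ACCEPT"
        if p.is_syn and p.dport in self.allow_in:
            self._table.add(key)           # server the customer chose to expose
            return "ACCEPT"
        return "DROP"                      # unsolicited inbound TCP


# Constructed trace (documentation address ranges); port 27960 stands in for
# a game server the subscriber hosts, the case raised in the thread.
TRACE = [
    Packet("10.0.0.5", 40000, "198.51.100.10", 80, flags=frozenset({"SYN"})),
    Packet("198.51.100.10", 80, "10.0.0.5", 40000, flags=frozenset({"SYN", "ACK"})),
    Packet("203.0.113.7", 55555, "10.0.0.5", 22, flags=frozenset({"SYN"})),
    Packet("203.0.113.7", 55556, "10.0.0.5", 22, flags=frozenset({"ACK"})),
    Packet("203.0.113.9", 51000, "10.0.0.5", 27960, flags=frozenset({"SYN"})),
    Packet("198.51.100.53", 53, "10.0.0.5", 33333, proto="udp"),
]


def run_trace(fw: CpeFirewall, trace=TRACE) -> list:
    """Verdict per packet, in trace order."""
    return [fw.filter(p) for p in trace]


def compare_policies(allow_in=frozenset()) -> list:
    """(ack-bit verdict, stateful verdict) per packet of TRACE."""
    stateful = run_trace(CpeFirewall(allow_in=allow_in))
    ackbit = [ack_bit_established(p) for p in TRACE]
    return list(zip(ackbit, stateful))


if __name__ == "__main__":
    for p, (a, s) in zip(TRACE, compare_policies()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto} {sorted(p.flags)}: "
              f"ack-bit={a} stateful={s}")
    print("with port 27960 opened:", run_trace(CpeFirewall(allow_in=frozenset({27960}))))
```

Running it with the default (empty) allowlist shows exactly the two sides of the argument: the web session the subscriber opened and its SYN-ACK reply pass, the unsolicited SSH SYN is dropped, and so is the inbound SYN to the game server, which is why "most of them would never notice" does not hold for the gamers. Opening 27960 for that one customer is the per-client customisation Travis says has to live in the CPE. The fourth packet is the caveat: an ACK-only probe is accepted by the ACK-bit shortcut but dropped by real connection tracking, so "established" has to mean a table entry, not a flag bit.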