Security Basics mailing list archives

Re: Would you pay more ...


From: "Steve" <securityfocus () delahunty com>
Date: Wed, 7 Jul 2004 10:00:51 -0400

To take what Charley notes about most users not understanding ports, and I
agree with that, is that someone who truly understands the service you are
proposing could do it better with a router/firewall.  For instance the
Linksys and other cable modem / dsl modem routers will allow you to only
open up certain ports.  A simple router can block ports using a proper ACL.

I block anything inbound to my home network, and only allow return ports
open for communications that start from inside the network.

As noted, I think the service to automatically patch the home consumer's
system might be worthwhile.  Also consider monitoring like how managed
security providers monitor, mini network intrusion detection, host-based
intrusion detection.
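The policy described above (drop everything unsolicited from outside, let in only the return leg of connections started inside) as a small stateful-filter model; this is an added example, not code from anyone in the thread, and the addresses, port numbers and the optional ISP-style outbound port allowlist are constructed assumptions for illustration.

```python
# Added example, not code from the thread: a toy stateful packet filter that
# models the home-router policy described above. Addresses are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    def __init__(self, inside_prefix, allowed_out_ports=None):
        self.inside_prefix = inside_prefix          # e.g. "192.168.1."
        self.allowed_out_ports = allowed_out_ports  # None = any destination port
        self.conntrack = set()                      # flows opened from inside

    def is_inside(self, addr):
        return addr.startswith(self.inside_prefix)

    def handle(self, p):
        outbound = self.is_inside(p.src) and not self.is_inside(p.dst)
        inbound = self.is_inside(p.dst) and not self.is_inside(p.src)
        if outbound:
            # Optional ISP-style destination-port allowlist: it judges only the
            # port number, never which program is actually speaking on it.
            if self.allowed_out_ports is not None and p.dport not in self.allowed_out_ports:
                return "DROP"
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if inbound:
            # Default-deny: only the reply leg of a flow started inside gets in.
            if (p.dst, p.dport, p.src, p.sport) in self.conntrack:
                return "ACCEPT"
            return "DROP"
        return "ACCEPT"  # purely local traffic is not filtered here

def demo():
    # Constructed sample traffic (RFC 5737 documentation addresses).
    home = StatefulFilter("192.168.1.")
    isp = StatefulFilter("192.168.1.", allowed_out_ports={25, 80, 110, 443})
    return {
        "unsolicited_ssh_in": home.handle(Packet("203.0.113.9", 40000, "192.168.1.10", 22)),
        "https_out": home.handle(Packet("192.168.1.10", 51000, "198.51.100.5", 443)),
        "https_reply_in": home.handle(Packet("198.51.100.5", 443, "192.168.1.10", 51000)),
        "reply_to_wrong_port_in": home.handle(Packet("198.51.100.5", 443, "192.168.1.10", 51001)),
        "isp_irc_out": isp.handle(Packet("192.168.1.10", 51002, "198.51.100.7", 6667)),
        "isp_any_app_on_443_out": isp.handle(Packet("192.168.1.10", 51003, "198.51.100.7", 443)),
    }
```

The last two entries show the point raised later in the thread: a destination-port allowlist blocks a non-standard port outright but accepts anything that happens to use an approved port.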


----- Original Message ----- 
From: "Charley Hamilton" <chamilto () uci edu>
To: <security-basics () securityfocus com>
Sent: Tuesday, July 06, 2004 8:56 AM
Subject: Re: Would you pay more ...


Would you pay more to only have the following destination ports open
to the internet originating from your broadband modem:

Actually, as a consumer, I'd pay less.  However, I am semi-advanced
(i.e. I can get into deeper trouble more creatively) and I *like*
having other ports available to cycle my various connections through.
Controlling the inbound/outbound ports at both my office (personal) firewall
and my home firewall gives me a (somewhat misguided) sense of security
through obscurity.  The script kiddies who just hunt the "regular" target ports
don't bother my connectivity apps.  And if they do hit the right port, their
IP gets dropped by the ruleset anyway.  And if it doesn't they fail the
authentication....

If only "standard" ports became available, a lot of people who are
unwilling to pay more for the "business" service (because we aren't a
business!) just to get access to those other ports will be forced to either
"misuse" standard ports by running nonstandard apps on them (okay misuse is
probably the wrong word there) or give up connectivity options that they
already have.

The danger I see to offering such "secure by design" service is
that it's not actually all that much more secure and is, in the end, more a
marketing ploy than anything else.  Most users wouldn't know a trojan
on a "standard port" from one on a random port.  In fact, I will venture
that most users (to some extent like me) don't really grok what a port is
anyway.  They just run antivirus and expect it to get everything.
Including windoze patches.  Would the ISP then take to scanning the
approved ports for unusual activity?  What's the savings of running
through only those ports instead of all of them?  How badly is my user-ness
showing?  ;-)

ALTERNATIVELY, would you like it if this was the STANDARD package and
additional ports were considered optional, and required payment.

How much more do you pay?  By what argument are you justifying the additional
cost, given that most individuals who would actually *know* about and
*want* additional ports are typically smart enough to operate some sort of
firewall.  It seems those who operate a firewall should be offered a
discount....  Hrm, I wonder how my ISP would react to that idea?  ROTFL,
I expect.

I suspect that a more *useful* service would be offering a "secure
configuration" service --- at a "nominal fee" --- to users where the
ISP sets up a system to auto-update (e.g. windoze) patches, configure
firewalls, etc.  Make the charge cost-defraying instead of a revenue source.
That will keep the extra charges low.  Don't charge the users extra to make
a "firewall" out of their modems.  If you call it "Package 2 -- Improved
security!  No extra charge!", the users will think they're putting one over
on the ISP and getting something for nothing.  They feel like they won, the
ISP gets to restrict the ports open to the net from many subscribers, and
those who know enough to be dangerous get to play with fire.

As usual, just my $0.02.

Charley

-- 
Charles Hamilton, PhD EIT               Faculty Fellow
Department of Civil and                 Phone: 949.824.3752
     Environmental Engineering           FAX:   949.824.2117
University of California, Irvine        Email: chamilto () uci edu



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
