Re: ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules

["Paul D. Robertson" <paul () compuwar net>]

On Wed, 1 Sep 2004, Mason wrote:

> In discussions within my department, we find ourselves torn between a desire
> to be transparent to our customers, our knowledge of the what is "out
> there" (spam, worms, phishing, etc), and the feeling that we need to do more
> to protect our customers (absence of funds and man-power always figure
> heavily into this as well...).

If it's explained well, my conjecture is that most customers will want
protection...

> Our quandary is that we are the little guy and we fear that implementing any
> such restrictive policy would kill us.  Our customers are accustomed to
> largely unrestricted access to the net and our formidable competition is
> highly unlikely to take similar steps in protecting their network which would
> of course make them look pretty rosy by comparison.

Most of your customers likely don't know the difference- being in the
technology field, and knowing the difference, we likely project that on to
our users more than is quite accurate- mostly users know X works or Y is
broken...

> Anyone have any brilliant ideas...?  It's really unfortunate that we feel our
> hands are tied; most of this mess could be dealt with if we were able to get
> a bit more involved in our customers' access to the net.

Here's what I'd do-

Take a small block of addresses, and implement ingress *and* some basic
egress filtering.  Offer it as "protected network access" with a few
informational documents- either figure out which of your customers is
trojaned (irc without a "real" nickname) and offer it to them along with
some advice on cleaning up, or just offer it-

If you can't get management to support that- then go whole hog- offer them
a plan where "protected Internet access" is an extra $5-$10 a month, but
that allows you to get a firewall and do static addresses to spend some
time on individual rules- then have them do some market research to see if
it'd fly.

Most people aren't technical and want to feel protected.  This is an
advantage that we should *all* be using in explaining firewalling.  When I
left my last employer, I was really surprised at the number of folks who
understood "You can't do X" was my way of protecting the company, not my
way of keeping them from doing new things- but I'd probably explained it a
gazillion times over.

> > Contrary to popular opinion, full access to the Internet is neither a
> > god-given right, nor a necessity.
> The big issue from a business standpoint is that popular opinion seems to
> rule...  I wish that we could do what is right rather than what is popular -
> it would make this feel more like network adminstration than politics...

Comcast has started filtering.  I think egress filtering port 25, and
having users relay is pretty reasonable these days.  Just have a low-cost
(that's for the bueiness) way for folks to opt out.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards