Firewall Wizards mailing list archives
Re: ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules
From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 1 Sep 2004 07:04:12 -0400 (EDT)
On Wed, 1 Sep 2004, Mason wrote:
In discussions within my department, we find ourselves torn between a desire to be transparent to our customers, our knowledge of the what is "out there" (spam, worms, phishing, etc), and the feeling that we need to do more to protect our customers (absence of funds and man-power always figure heavily into this as well...).
If it's explained well, my conjecture is that most customers will want protection...
Our quandary is that we are the little guy and we fear that implementing any such restrictive policy would kill us. Our customers are accustomed to largely unrestricted access to the net and our formidable competition is highly unlikely to take similar steps in protecting their network which would of course make them look pretty rosy by comparison.
Most of your customers likely don't know the difference- being in the technology field, and knowing the difference, we likely project that on to our users more than is quite accurate- mostly users know X works or Y is broken...
Anyone have any brilliant ideas...? It's really unfortunate that we feel our hands are tied; most of this mess could be dealt with if we were able to get a bit more involved in our customers' access to the net.
Here's what I'd do- Take a small block of addresses, and implement ingress *and* some basic egress filtering. Offer it as "protected network access" with a few informational documents- either figure out which of your customers is trojaned (irc without a "real" nickname) and offer it to them along with some advice on cleaning up, or just offer it- If you can't get management to support that- then go whole hog- offer them a plan where "protected Internet access" is an extra $5-$10 a month, but that allows you to get a firewall and do static addresses to spend some time on individual rules- then have them do some market research to see if it'd fly. Most people aren't technical and want to feel protected. This is an advantage that we should *all* be using in explaining firewalling. When I left my last employer, I was really surprised at the number of folks who understood "You can't do X" was my way of protecting the company, not my way of keeping them from doing new things- but I'd probably explained it a gazillion times over.
Contrary to popular opinion, full access to the Internet is neither a god-given right, nor a necessity.The big issue from a business standpoint is that popular opinion seems to rule... I wish that we could do what is right rather than what is popular - it would make this feel more like network adminstration than politics...
Comcast has started filtering. I think egress filtering port 25, and having users relay is pretty reasonable these days. Just have a low-cost (that's for the bueiness) way for folks to opt out. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules Mason (Sep 01)
- Re: ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules Paul D. Robertson (Sep 01)
- RE: ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules Jonathan Rickman (Sep 02)
- RE: ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules Paul D. Robertson (Sep 02)