Firewall Wizards mailing list archives

RE: ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules


From: "Jonathan Rickman" <jonathan () xcorps net>
Date: Thu, 2 Sep 2004 11:02:17 -0400

   
> I think that ISPs are going to have to do something like this
> eventually simply due to the massive amount of crap that our
> networks get hit with at all times and the fact that user
> education concerning patching, firewalls and antivirus just
> isn't moving along all that well.

By far, the best compromise is to filter at the customer end point. At least
one fairly large ISP now ships a broadband gateway with the firewall
preconfigured. The customer is free to alter the filters if so inclined, but
we all know that the default configuration will remain in place 99.9% of the
time. There is a risk of tech support calls with this just like any other
setup. However, this policy seems to me to be the most equitable across the
board. The trick is getting the proper ruleset in place. For instance, the
aforementioned ISP did not enable outbound TCP 1494, which caused a problem
for telecommuters using Citrix without going through CSG. With the proper
research, this would have been avoidable. They also failed to put a workable
management system in place to remedy this problem. Both mistakes you should
take note of. 

--
Jonathan
