Firewall Wizards mailing list archives
Re: The home user problem returns
From: David Lang <david.lang () digitalinsight com>
Date: Tue, 13 Sep 2005 20:40:43 -0700 (PDT)
On Tue, 13 Sep 2005, Mason Schmitt wrote:
beside ingress and egress filtering, how much might ISP's suffer for correcting some of the windows network protocol errors by not passing ports 135-139, 445 and 5000 etc across perimeters? Or even allowing them to broadcast within the ISP's realm? Certainly would work to neuter the M$ issues to a low noise level would it not?
This is exactly the kind of ingress and egress filtering I'm talking about. We've avoided, by having these filters in place, some fairly nasty worm epidemics that wreaked havoc at other ISPs. None of the traffic typically associated with those ports has any business whatsoever moving beyond the confines of the home user's local network or any LAN for that matter. Again, for most networks, this is absolutely the wrong way to approach the problem, but for an ISP, those filters and anti spoofing filters have taken a big chunk out of the low hanging fruit.
there is a fundamental problem with the idea that the ISP should be responsible for protecting the end-user. namely real protection would mean that they only allow specific 'known good' things to work, but if you limit ALL users to just those existing known-good things you will block development of new things (both good and bad).
having filtering like this as an option (even as a default option) is a good thing, but deciding that it should be the ONLY option and that I shouldn't be able to get an unfiltered connection if I want one is something VERY different.
an unfiltered connection should cost less than a filtered one from a technical point of view, but I can see that this would just encourage everyone to get the unfiltered connection so I'm willing to pay the same rate as those who get filtered, what I'm not willing to do is have a $29/month cablemodem connection turn into a $89/month connection just because I don't want the filtering and therefore have to buy a 'business' version of the same service.
David Lang
--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards