Security Incidents mailing list archives

RE: ISP Filtering (Survey of Sorts)


From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Thu, 31 May 2001 20:55:34 -0400

Part of the problem is that some of the larger ISPs have so many peers that
it makes it difficult to do egress/ingress filtering at the core.  Another
concern is network performance...all those ACLs affect router performance
and if they have to choose between a router upgrade and your filters.....
guess what wins.

I am aware of lists of ports that ISPs filter, but not lists of client
requested filters.  I would imagine a good ISP would filter traffic to your
pipe if you requested it.  If they are managing your equipment, I don't see
why they wouldn't.  I manage my own equipment....Are you referring to my
connection to my ISP on their equipment?

Are these RFC1918 addresses spoofed?  It would seem that most ISPs would
filter that address space, but sometimes it is the old "Someone else will do
it" excuse.

FWIW...you are dealing with Verizon.  In my experience, they don't have the
level of customer service that you would expect from a company that large.

I use C&W and they have been responsive to all my requests.  Let me qualify
that and say I haven't asked for any filtering.  My BGP setup went rather
smoothly though.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the
other end of the link know less about security than you do. And that's
scary.




-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon () eadvancemed com]
Sent: Thursday, May 31, 2001 1:10 PM
To: 'incidents () securityfocus com'
Subject: ISP Filtering (Survey of Sorts)


A few questions:

1) Does anyone know of a list of known security-conscious ISPs (for larger
corporate circuits) that are known for providing basic security services
(ingress/egress filters, RFC1918's, and client-specific filter requests) to
customers without hassle?

2) Does anyone else have an ISP that, by policy, will not filter upstream?
I've got Verizon, and I've been having some infrequent correspondence with
them regarding filtering and it has been denied all the way up the chain.
I'm getting kind of tired of seeing thousands of matches on my access-lists
against RFC1918 rules and such that I would assume should be filtered by any
semi-responsible ISP.

Just curious if there are greener pastures...

Thanks,

Keith W. McCammon
Sr. Network Engineer
AdvanceMed Corporation
11710 Plaza America Drive
Reston, VA 20190
Phone: 703.261.4891
Fax: 703.261.5300

