Security Incidents mailing list archives
RE: A question for the list...
From: Luc Pardon <lucp () skopos be>
Date: Wed, 21 May 2003 11:42:06 +0200
We're talking about (a pound of) cure; how about (an ounce of) prevention? There seems to be consensus that (lack of) competence is part of the problem. If ISPs would/could take on more responsibility, the need for hack-back would be greatly reduced, making the discussion of whether it's nice or not futile, so maybe the following is even on topic ;-)

I'd be interested in the opinion of the community (particularly ISPs) on a scheme like this:

* ISP would block all ports for incoming traffic by default, at least for residential customers, and preferably for corporate customers as well.

* ISP would open up ports on request, in return for a declaration that the customer is aware of the issues and agrees that the port be closed again in case of compromise. This should defend the ISP against damage claims, an often-cited reason for not taking action on infected systems. Suitable procedures could be defined to protect a competent customer against arbitrary port closure by clueless ISP personnel. Like: when compromise is suspected, customer gets x hours after notification to take action.

* Such opening up of some standard ports (e.g. 80) would be subject to a simple request procedure, like filling out a form, but not too simple. E.g. the applicant would have to type in a list of ports rather than just clicking some "do you want a foobar server" checkboxes. This could serve as a minimalistic display of competence. Like: if you don't know what port a foobar server uses, you have no business running one.

* Opening up standard ports would be a no-charge option if requested at account setup, and subject to a symbolic fee after that. This would help responsible ISPs remain competitive with others that impose no such restrictions. In fact, they could actually advertise it as a service: "free protection" (if carefully phrased so it doesn't backfire).

* Opening of less-standard ports (those that a "normal" system would not be expected to run services on, e.g. 137) would require more proof of commitment and/or competence by the customer. Suitable definitions of "normal system" and "proof of competence" to be supplied; "proof of commitment" could include higher fees.

I am aware that most ISPs are operating within tight budgets; I am less aware of the impact of such a scheme on costs. One benefit for the ISP would be a reduced load on abuse@. A benefit for the customer would be reduced maintenance and clean-up costs. The benefits for the community are obvious.

What do you think?

Luc Pardon
Skopos Consulting
Belgium
Current thread:
- Re: A question for the list..., (continued)
- Re: A question for the list... De Velopment (May 19)
- RE: A question for the list... Rob Shein (May 19)
- Re: A question for the list... Andy Shelley (May 20)
- RE: A question for the list... John McCracken (May 20)
- Re: A question for the list... Anders Reed Mohn (May 20)
- RE: A question for the list... Dave Sharp (May 20)
- Re: A question for the list... Ray Stirbei (May 21)
- RE: A question for the list... Bojan Zdrnja (May 26)
- Re: A question for the list... Ray Stirbei (May 21)
- Re: A question for the list... Steven (May 20)
- Re: A question for the list... Chip Mefford (May 21)
- RE: A question for the list... Luc Pardon (May 21)
- Re: A question for the list... Keith W. McCammon (May 22)
- Re: A question for the list... Steve Barnet (May 22)
- Re: A question for the list... Gary Flynn (May 23)
- Re: A question for the list... Valdis . Kletnieks (May 25)
- Re: A question for the list... Dave Booth (May 22)
- Re: A question for the list... Kevin Reardon (May 22)
- Re: A question for the list... Brian Finn (May 22)
- Re: A question for the list... Kevin Reardon (May 23)
- Re: A question for the list... Brian Finn (May 22)
- RE: A question for the list... King, Brian (May 22)
- Re: A question for the list... Kevin Reardon (May 23)