Oh, I can't leave this one alone, nope. I've snipped judiciously, hope the sense stays in. Travis Pugh wrote:
> ----- Original Message -----
> From: "Christian Kuhtz" <ck@arch.bellsouth.net>
> > The problem of security threats & resulting incidents is going to get considerably worse before it gets better. And that's for at least two reasons: the ramp up of broadband and presumably the declining sophistication of the subscriber population as a result of the greater market penetration.

Sure, but this has been true since the September that never ended, but read on, Macduff.

> Lack of security knowledge is also a huge problem in the colocation market.
>
> I don't see the broadband issue fixing itself without some built-in stateful inspection firewall in the CPE itself -- if the customer has to pay for an additional piece of hardware or software, it will instantly reduce penetration.

Ah, here's where it starts. You know, there are indeed a lot of clueless wonders out there on the other end of a DSL pipe, or cable modem. Hell, some of them are on this list. ;-} It doesn't mean that I want or need the protection you are offering. Personally, I'd be happy to abide by a TOS that said you have to fix your broken machines, or you lose your access, AND we will bill you for the clean up costs.

> If you can do what you need from a firewalling standpoint on the CPE, it makes life a lot easier. If you can provide a default firewall installation on your choice of CPE, configuration scaling becomes much easier.

Works fine for CoLo. You going to make me put in some kind of firewall on my network at home? No thanks, I want that direct connection. I REQUIRE it, unfiltered, for what I do. Nothing wrong with offering this (I think a couple of DSL providers had a reduced price on a SonicWall for a while). Nothing wrong with links on a page that provide the latest security patches for the most common OSes (Red Hat Linux and Windows 2k spring to mind).

> I'd think that a good default stance would be to block all incoming TCP connections that aren't part of an established session, for all broadband customers.

How nice for you to make that choice for me. No thanks.

> Most of them would never notice, as email and http still work.

Bet you are wrong here. I have something called business class DSL (how you can think that DSL is business class is beyond me, but it's fine and dandy for my purposes), but I know a LOT of gamers that might not be too happy with your suggestions.

> However, at the scale you're talking about, I don't see blocking anything on the aggregation device itself ... it'd have to happen in the CPE, since firewall rules are going to have to be customized for clients who do need to run servers on their LAN.

This is just so shortsighted. What I'd like to see is the large service providers having some sort of point of contact for issues like this. I see tons of hits still from pacbell and concentric (you'd expect me to see a lot from concentric, since that's the IP space I'm in), and none of them seem to disappear. I'm sure that with the THOUSANDS of affected machines in those spaces that administrators for the networks are just swamped trying to track them down.

[snipped a whole bunch of well-meaning stuff that jumped my blood pressure about a hundred points]

> Run an abuse department that responds quickly to customers, and to other providers, within limits. 24 x 7 is necessary, responding instantly to BlackICE freaking out because someone ran nmap past it is not.

This is a good point, and similar to what I just said. The problem is: How do you (the abuse department) tell the difference between BlackICE or snort logs, and someone who has a valid problem that needs to be addressed?

Feh. Enough. It just doesn't have easy solutions, but then, what does?

--
Open source should be about giving away things voluntarily. When you force someone to give you something, it's no longer giving, it's stealing. Persons of leisurely moral growth often confuse giving with taking.
-- Larry Wall