On Sun, 26 Oct 2003 kenw@kmsi.net wrote:
A few things that make sense to me (as a non-ISP network consultant) include:
Most ISPs are relatively secure. Yes, occasionally a backbone router shows up on some list with a password of "cisco." The major problems are in the systems managed and installed on non-ISP networks (i.e. end-users).
1) Summarily fencing/sandboxing/disconnecting clients sending high volumes of spam, virii, etc. You might politely contact your commercial/static clients first, but anyone connecting a "bare" PC on a broadband circuit is too stupid to deserve coddling. The great majority of your clients would thank you profusely.
Really? Most users are angry when their network connection is interrupted for any reason, including their own mistakes. Read some of the articles in the university newspapers when students were cut of from the network after not fixing their computers. How many people thank police officers when they are stopped for speeding, reckless driving, drunk driving, burned out taillights, etc? Or instead how many say things like the police should be out catching "real" criminals (i.e. anyone other than them)? As a non-ISP consultant, when a client asks you to configure their Exchange server do you always conduct a top-to-bottom security analysis of the client's entire business infrastructure and refuse to do business with them until after they have corrected every deficiency? Or does the client just say screw you, and hires a different consultant that will do what the client wants?
2) Notwithstanding the above, would it really be so hard to trap network packets bearing clear signatures of the "plague of the month"? Sure, it would create an extra load on routers or require special filtering hardware, but wouldn't it be worth it? Again, no need to be comprehensive; just blast the ones that are easy pickings.
Routers (especially high end routers) are barely stable just routing packets. Some high-end line cards don't support even a simple 2-line access control list. With the market currently heading to the lowest price possible, increasing costs doesn't appear to pay even for the niche markets that are interested. Instead the extra equipment is installed where there are clients willing to pay for it. The easiest, most effective place to catch packets is at the edge/end-users. An end-user firewall is $0-$50. Anywhere in the core is very difficult. What is the cost of a single OC192 firewall? Look at the post office, it doesn't try to find Anthrax in most of the mail. Instead a few locations at the edge of the postal system, e.g. the White House, Congress, etc, have added security precautions. The rest of the mail just flys through the system.
3) There was a thread a little while ago that talked about a way to cut down spam by simply restricting who you would accept SMTP traffic from. Unfortunately, I don't recall the details, but at the time it struck me as eminently sensible, and just required cooperation between ISPs to implement effectively.
Again, look the postal mail system. One proposal required everyone mail letters in person at the post office, and show id to the postal clerk. The problem is it really doesn't solve the problem. Third-party trust systems don't scale well beyone one or two degrees of separation. And there is only one major postal system. But it doesn't require cooperation from the ISP to accept mail from only people you know. You can do that today. The question is why don't more people do it? The ISP doesn't know who you know. Should ISPs require you to register your friends & family in order to receive mail? I don't know if it has come to that. And we all know how effective Caller-ID has been in cutting down telemarketing phone calls at dinner time. And the related caller-id blocking, and block caller-id blocking, and block block caller-id blocking, etc.
By the way, can anybody explain to me a legitimate use for port 135/137 traffic across the Internet, like it's somebody's private LAN? Seems to me anybody who still thinks that's legitimate is living in the past.
Bits on the wire using ports 135/137 are not intrinsically less safe than any other bits. And vendors have shown a willingness to add ways around port filters in the network, not by developing more secure protocols but by developing ways to send the same packets between insecure systems on other ports. Sendmail and BIND have more CERT/CC advisories than any other application, including NETBIOS. How many people are suggesting blocking port 53 and port 25?
So, the big question: why don't ISPs do more of this? Are they afraid of client reaction? Doesn't wash, for me: most clients would be highly grateful, and all it really takes for the remainder is fair warning. Cost? Again, you can judge for yourselves how low the fruit you choose to pick; the biggest gains have the best ROI.
Happy clients, liberated bandwidth, faster servers -- what's to loose?
Angry clients, increased bandwidth costs, slower servers doing more checks? ISPs are doing a lot to protect end-users. Some examples include Education campaigns Free anti-virus software Free personal firewall software Port filters (port 80 anyone?) Notification of compromised systems Incident Response Intrusion Detection/Intrusion Prevention Managed Security Services Unfortunately some of the argument is a bit like the old cries for public payphone companies were responsible for the drug dealers in poor neighborhoods. So they removed public payphones. The drug dealing problem wasn't solved.