----- Original Message ----- From: "Martin hepworth" <martinh@solid-state-logic.com>
I think you need to differentiate between broadband cable/DSL customers at 'home' and those who run a business over it. There's a lot of ranting on /. about the fact that AT&T Broadband is stopping port 80 into the cable modem and Verizon also not allowing port 25 in, i.e. stopping the end user running web and mail servers over their nice new broadband connection.
Certain users want this so they can run these services locally without paying fees for leased lines, colos etc. Obviously the ISPs don't like it (or the telcos) as it means they lose their leased lines that are nice and profitable.
Maybe the providers should offer to do this port blocking if the customer requests it, or at least have the option to remove the port blocking if I want to run all this stuff locally.
Now colos are a different issue and IMHO the servers there should be well segmented, but it depends on the contract. Does the colo look after the O/S and applications, or is the customer responsible? In the cases I've seen in the UK the colo usually does this as an added service.
just my 2 pence worth
Hey Martin. I think what I'm suggesting is a "security by default" stance, even for small businesses or power users on the other end of these connections. It makes the system monstrously more complex, but I'd rather see a situation where the access customer has to "opt in" to any given open port across an upstream link, and has to take some responsibility to secure it. It is a large change from the current thinking -- a.k.a. "we just give you the line, what you do with it is your business" -- but it is blindingly obvious to me that the current line of thinking has failed miserably. Granted, performance considerations on faster links and any given customer's desire to manage their own security must be taken into account, but those seem to be exceptions to the rule. How many DS3 and above customers and yahoo-style server farms are we really dealing with, and how many small businesses with a competent security admin, as compared to T1/E1 and broadband customers who take the line, plug it in, and hope for the best? -travis
-- Martin Hepworth Senior Systems Administrator Solid State Logic Ltd +44 (0)1865 842300
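As an added illustration of the "opt in per port" stance discussed in the reply above, here is what a default-deny inbound policy with an explicit opt-in set looks like as an nftables ruleset on the customer edge. This is example configuration written for this thread, not something from either message or from any provider; the interface name `wan0`, the opted-in port (80, matching the web-server case Martin mentions) and the log prefix are assumptions.

```nft
# Added example: default-deny ingress on the upstream link, with services
# the customer has explicitly opted in to listed in one set.
# Assumptions: upstream interface is "wan0"; the customer opted in to port 80.
table inet access_edge {
    set optin_tcp {
        type inet_service
        # Ports the customer has explicitly asked to expose (assumed: 80 only).
        # Port 25 is absent, so inbound SMTP is dropped by the chain policy.
        elements = { 80 }
    }
    chain input {
        # Everything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;
        # Replies to connections the customer initiated are always fine.
        ct state established,related accept
        iifname "lo" accept
        # New inbound connections from the upstream are allowed only for opted-in ports.
        iifname "wan0" tcp dport @optin_tcp ct state new accept
        # Log (rate-limited) what the default policy is dropping so the customer
        # can see which services are being knocked on without being exposed.
        iifname "wan0" ct state new limit rate 10/minute log prefix "edge-drop: " drop
    }
}
```

Opting in to an additional service is then a single change to the `optin_tcp` set rather than a change to the ruleset logic, and the log line gives the customer evidence of what the default-deny stance is actually absorbing, which is the "take some responsibility" half of the proposal.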