First, are the consumers willing to pay for a "safer" internet DSL/dial/ISDN? I believe if they were there would be a safer service available. I have seen several "secure" ISPs fail in the last few years. If you have any data that shows that there is a market for a more secure dialup/DSL/ISDN... please share it.

2nd, blaming infected machines on the internet is similar to blaming your postal carrier for bringing you junk mail and bills. About 1/2 of all of the large "infection" events on the internet are the result of people running unpatched, unsecured applications on their machines. The other half of the infections I see are due to an end user opening an email and running an attachment. Even with a secure OS this simple method of infection will continue to work.

How and when did it become the responsibility of the ISP to protect the end users' machines? Do ISPs get paid to protect end user machines? If you want to blame someone, maybe the company that provided the insecure OS that requires monthly patches to fix portions of the broken code they sold. Or you could blame the end users who open unknown attachments.

I would like a real solution to the problem. Simply blocking ports is not successful. So I recommend 2 steps. First, buy OSs that are more secure out of the box. 2nd, teach users NOT to click on everything they see.

Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC

Brian Kernighan jokingly named it the Uniplexed Information and Computing System (UNICS) as a pun on MULTICS.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Matthew Sullivan
Sent: Sunday, June 13, 2004 5:02 PM
To: nanog
Subject: Re: "Default" Internet Service
Christopher L. Morrow wrote:
On Sat, 12 Jun 2004, John Curran wrote:
The real challenge here is that the "default" Internet service is wide-open Internet Protocol, w/o any safeties or controls. This made a lot of sense when the Internet was a few hundred sites, but is showing real scaling problems today (spam, major viruses, etc.)
One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate.
This sounds like a fantastic idea, for instance: How much direct IP does joe-average Internet user really require? Do they require anything more than imap(s)/pop(s)/smtp(+tls) and dns/http/https? I suppose they also need:
1) internet gaming
2) voip
3) kazaa/p2p-app(s)-of-choice
4) IM
Actually I'm sure there are quite a few things they need, things which require either very smart NAT/Proxy devices or open access. The filtering of IP on the broad scale will hamper creativity and innovation. I'm fairly certain this is not what we want in the long term, is it?
I actually suggested something like this at the recent AusCERT 2004 conference... It's not such a bad idea....
The real question being "why are we giving mums and dads who sign up to the internet, and know nothing about either the Internet or computers, full unrestricted incoming and outgoing access...?" ... answer: because the more bandwidth they use the more the ISP earns... so the ISPs don't care (in some cases) if the mums and dads get trojaned, because it's all money.
My suggestion to the AusCERT delegates was to introduce a new default service which has very limited access, and if people ask for more, give them the access after they have read through various 'educational' pages.... Perhaps a simple online quiz at the end - just 3-5 questions with the answers being very clearly explained in the previous pages - just to show the people have actually read the pages, rather than skipped to the end and hit 'I accept'.
I also suggested that if ISPs have the technology, perhaps a simple IP pools method of allocating the user's IP, where they could turn on and turn off access to certain protocols - e.g.: have a pool for P2P users, a pool for VOIP etc...
/ Mat