On a web board on which I regularly post, one of the other posters
asked a question regarding an ISP's responsibilities towards its customers'
security. I've got a lot of ISP security experience, so I responded...
Okay, I have to admit I'm not entirely sure what you're asking. So please
bear with me.
It looks like what you're getting at is the issue of ISPs not taking it
upon themselves to provide security for an end user's machine, if the end
user's machine is connected to a DSL router or cable modem. And I suppose
that's got me a little baffled. Personally, I consider the security of
my home desktop machines and servers to be my own problem, not my ISP's,
and I shouldn't think the increased bandwidth or constant uptime that DSL
and cable provide should make that much difference.
As an example, I don't use a modem at home -- I have a frame relay
connection. It's up all the time, all my IP addresses are static (mostly
because I'm too damn lazy to set up NAT on the router), I have plenty of
bandwidth, and it's pretty similar to the situation a DSL or cable modem
user would be in. I would most definitely not expect my ISP to ensure that
my machines were not attacked. They're my machines, they're my
responsibility. If I wanted my ISP to provide firewalling, proxying,
auditing, and intrusion detection, I'm sure I'd have to pay a great deal
of money for those services. They're not part of the package deal.
That said, I do believe ISPs should take some basic best-practice steps
toward securing their own networks and participating productively in the
controlled anarchy of the Internet. To that end, of course, the routers
themselves should be as secure as possible, should block directed
broadcast (smurf) attacks, should block source routing, and should take
measures to prevent spoofing originating within their networks where feasible. I
should note, though, that it isn't really feasible for an ISP to block at
their border routers all outgoing packets that do not have source
addresses within the ISP's allocated address space. There are too many
customers who are dual-homed and route through, or own their own address
block that's not contiguous to the ISP's, or other such exceptions -- the
border router's access list would end up being as long as its routing
table, and the router would fall over and die. Since part of security
also has to consider availability, the same kind of extreme measures that
an individual company or user might take to prevent inappropriate traffic
being passed through their network aren't always appropriate for an ISP's
network. Compromises must be made, and sometimes it's best to block
outgoing spoofed packets on a more distributed scale...which can entail
having each customer router block spoofs by default, for instance. And
then it comes down to who configures a customer's router -- the ISP or the
customer. Not every ISP handles customers the same way.
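As an added illustration (this is not configuration from the original post or from any particular ISP), here is what the measures above look like in Cisco IOS syntax on a single-homed customer edge interface: source routing disabled, directed broadcasts not forwarded, and the distributed-scale anti-spoof filter placed on the interface facing that one customer, where the access list only has to know that customer's assignment rather than the whole routing table. The interface name, the customer prefix 192.0.2.0/24 and the link addresses in 198.51.100.0/30 are assumptions chosen from the RFC 5737 documentation ranges.

```cisco
! Added example, not from the original post. Addresses and interface
! names are assumptions (RFC 5737 documentation ranges).
!
! Drop packets carrying IP source-route options anywhere on this router.
no ip source-route
!
interface Serial0/0
 description Customer A, single-homed, assigned 192.0.2.0/24
 ip address 198.51.100.1 255.255.255.252
 ! Do not forward directed broadcasts onto the attached network, so this
 ! LAN cannot serve as a smurf amplifier. This has been the IOS default
 ! since 12.0, but it is worth stating explicitly.
 no ip directed-broadcast
 ! Anti-spoof at the customer edge: only packets sourced from the
 ! customer's own assignment are accepted into the ISP network here.
 ip access-group CUSTOMER-A-IN in
!
ip access-list extended CUSTOMER-A-IN
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! Alternative for the same single-homed case: strict unicast reverse
! path forwarding drops any packet whose source address is not routed
! back out the interface it arrived on, with no per-customer ACL to
! maintain. It is only appropriate where routing is symmetric, which
! is exactly why it fits the single-homed customer and not the border.
! interface Serial0/0
!  ip verify unicast source reachable-via rx
```

The filter is per-customer and per-interface, so its size stays proportional to that customer's address space no matter how large the ISP's routing table grows; the dual-homed and portable-address customers mentioned above simply get a wider permit list on their own interface instead of punching holes in a border-wide access list.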
I should add the disclaimer that I work in the security department of
my ISP, and have done so for the last two years, so I acknowledge that I
may be a special case, and may be viewing the problem from an unusual
angle. I agree with you in that an ISP ought to take best practice steps
towards securing those parts of the network that belong to the ISP and
are the ISP's responsibility to configure and maintain. However,
customer-owned equipment is the customer's responsibility, and if that
means that complete idiots are putting vulnerable machines on a link
that's up round the clock, getting 0wned, and being used as jump-off
points to attack others...well, that's the end user's problem. The best
the ISP can do is suspend his connection and -- if the ISP's good -- help
the end user secure his stuff better. But it's -not- the ISP's
responsibility to audit their customers' machines.
Now, as I said earlier, I may have misunderstood the point you were
making, and if that's the case I'd be glad to be corrected or get a
clarification. What exactly were you getting at?
/dev/null