North American Network Operators Group

Re: SP's & network security issues

  • From: Travis Pugh
  • Date: Thu Aug 09 12:17:00 2001

----- Original Message -----
From: "Martin hepworth" <[email protected]>

>
> I think you need to differentiate between broadband cable/DSL customers
> at 'home' and those who run a business over it. There's a lot of ranting
> on /. about the fact that AT&T Broadband is stopping port 80 into the
> cable modem and Verizon also not allowing port 25 in, i.e. stopping the
> end user running web and mail servers over their nice new broadband
> connection.
>
> Certain users want this so they can run these services locally without
> paying fees for leased lines, colo's etc. Obviously the ISP's don't
> like it (or the telco's) as it means they lose their leased lines that
> are nice and profitable.
>
> Maybe the providers should offer to do this port blocking if the
> customer requests it, or at least have the option to remove the port
> blocking if I want to run all this stuff locally.
>
> Now Colo's are a different issue and IMHO the servers there should be
> well segmented, but it depends on the contract. Does the colo look after
> the O/S and applications or is the customer responsible? In the cases
> I've seen in the UK the colo usually does this as an added service.
>
> just my 2 pence worth

Hey Martin.  I think what I'm suggesting is a "security by default" stance,
even for small businesses or power users on the other end of these
connections.  It makes the system monstrously more complex, but I'd rather
see a situation where the access customer has to "opt in" to any given open
port across an upstream link, and has to take some responsibility to secure
it.  It is a large change from the current thinking -- a.k.a. "we just give
you the line, what you do with it is your business", but it is blindingly
obvious to me that the current line of thinking has failed miserably.

Granted, performance considerations on faster links and any given customer's
desire to manage their own security must be taken into account, but those
seem to be exceptions to the rule.  How many DS3 and above customers and
yahoo-style server farms are we really dealing with, and how many small
businesses with a competent security admin, as compared to T1/E1 and
broadband customers who take the line, plug it in, and hope for the best?

-travis

>
>
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic Ltd
> +44 (0)1865 842300