North American Network Operators Group


RE: Block all servers?

  • From: Christopher Bird
  • Date: Fri Oct 10 08:58:21 2003

I agree that Michael is "right on". The social, psychological and
financial issues are in many ways more tricky than the technical issues.
However, I think there are ways to help.

But first some history....

When I signed up for Cable broadband access several years ago, I was
told, "And of course you must not put a router on the network." The of
course was a surprise to me. That immediately meant (at least to me)
that I was going to be exposed to anything that came wandering past my
(dynamically assigned) IP address. Of course I put a router in place.
Was it something really good? No, it was what I could afford. A Linksys
broadband router. Was it misconfigured? Probably - I am after all an
applications guy not a solid network engineer. Did I get it checked out
by the network guys at work? You betcha. Have I eliminated all risk? No.
Have I eliminated "affordable risk?" yes. Since then I have created a
DMZ at home (again not necessarily the most solid in the world), but at
least it has the following effects:

My VOIP telephone line is directly in to the DMZ - that just saves a
hop.
My in home wireless network is just that - in home. The NAT router that
protects it has everything I can think of disabled.
I have access to a couple of servers when I am traveling (both in the
DMZ) so that I can access important files and test development web
sites. There is in theory no public access. In practice, of course it is
wide open - that's why we have DMZs.

I also have personal firewalls on all computers whether they travel or
not. Why? Because I want to block outbound activities. I rarely see
anything inbound that is blocked, but I do like the ability of my PFWs
to detect outbound activities and make me confirm/deny access. That is
just good hygiene. Oh btw that firewall monitors inbound email too, so
it becomes a first level virus protector. Real virus protection kicks in
behind that.

Now what could the broadband providers do:

First off, they could incorporate NAT into the DOCSIS or other compliant
cable modems/DSL Modems. Make sure that the NAT router is configured so
that incoming ports are all blocked. Yes that makes it hard for gaming,
so there needs to be an extra capability so that gamers have to
explicitly (at a fee?) get the features opened. That is only a start of
course, because as soon as you do that then there are going to be
vulnerabilities. However, the likelihood of infection/spewing of packets
is reduced somewhat.

Second, in the acceptable use policy for high speed connections, require
a "licence" of some kind. We have licenses/permits for our cars, our
dogs, our burglar alarms, for going fishing,..... Why not for broadband?
Actually I can see many reasons both to do it and not to do it, so this
is clearly an area where debate is reasonable. 

Third monitor the bandwidth used (ratios on inbound/outbound) for
example. Actual numbers might be better. For example, at my DMZ router,
it reports the following this morning:

Up time 23:50 (just less than 1 day)
Bytes TX 40,612,318
Bytes RX 370,212,922

These numbers are surprisingly large. However I do run Groove at home
and a lot of data is shared with people all over the world, so the TX
isn't terribly surprising. The RX is monstrous though.

Next stat since power on, the DMZ router has recognized 513 alerts -
mostly ping requests from other Comcast users. Now that would be an
interesting set of clues if Comcast itself were able to do anything
about it. Lots of Pings (against home machines) are usually indicative
of some kind of problem (yeah, preaching to the choir, I know), so in
this combined modem/router, I could envisage some stats gathering and
reporting on usage - especially things that are somewhat suspicious. Of
course the line is fine between privacy, acceptable use, and risk. The
whole approach does need to be thought through pretty carefully.

I now spend time talking with friends, local groups (Church, city or
whatever) describing the risks. Some people even act on them. Some
people ask for help cleaning up their home systems - especially to
remove pop-ups, improve spam handling and keep porn away from the kids.
What they often don't realize is that the actions they have taken
(downloading gator or hotbar) have caused precisely the effects that
they are trying to guard against. So much of my time spent delousing is
running the cleanup tools (ad-aware, pest patrol, taskinfo to see what's
running), enabling firewalls, recommending that people buy firewalls,
instilling a "use the grc tools" discipline and generally doing what I
can to keep the computers relatively clean. At approximately 3 hours per
computer, I am not making as much headway as I would like! 

We therefore have got to encourage the industry (especially the
responsible leading players) to have things configured by default to
make life safe. Then unsafe behavior becomes a choice rather than a
default.

Sorry for the length of this rant, but I wanted to point out that there
are responsible things happening but more is needed on the part of
vendors.

Remember that what most people seem to want is a gourmet meal with the
ease of a TV dinner! So superb service with no effort. That is not going
to change, so make it hard to do bad things and easy to do good things
and (maybe) we are on the right road.

Thanks for your patience (if you got this far!)

Chris 

Michael Dillon said.....

> >I think it's more complicated than "prevent residential users from
> >hosting servers".
> 
> You're right. As soon as we begin talking about
> what all ISPs should do, we are out of the realm
> of technical solutions and into the realm of
> psychology and politics. After all, we first have 
> to convince all ISPs that something should be done
> and we have to demonstrate that there is a way to
> present the action to customers so that the customers
> will accept it.
> 
> Customers generally don't like ISPs to tell them
> "you can't do this" unless there is a very well
> reasoned argument attached.
> 
> I suggest that people should start thinking about
> ways to incorporate security services into their
> broadband access products and allow customers the
> choice of paying for the security services monthly
> to the ISP or paying up front one time by buying
> a broadband router.
> 
> NANOG could help by collecting together some of the
> technical information about the various broadband
> routers so that ISPs have an exhaustive and definitive
> source to refer to.
> 
> --Michael Dillon
> 
> P.S. I have always used a router on my Internet connection
> even when it was only a dialup connection. Back then it
> was a FreeBSD box running TIS firewalls toolkit. Today it's
> a Speedstream 510 DSL router.
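An added illustration, not part of either poster's message, of the kind of stats gathering Chris describes: it turns the router counters he quotes into per-hour rates and an RX/TX ratio, and tallies dropped ICMP echo requests by source from a log. The log lines and their syslog-like format, the private source addresses, and the "noisy" threshold are all constructed assumptions; a real modem/router's log format will differ.

```python
"""Summarise home-router counters and alert log lines (example code)."""
from collections import Counter
import re

# Counters as quoted in the post, after 23h50m of uptime.
UPTIME_MIN = 23 * 60 + 50
BYTES_TX = 40_612_318
BYTES_RX = 370_212_922

# Constructed sample alerts in a made-up syslog-like format; the addresses
# are private-range placeholders, not real subscribers.
SAMPLE_ALERTS = """\
Oct 10 06:01:12 router alert: ICMP echo request from 10.0.0.25 dropped
Oct 10 06:01:13 router alert: ICMP echo request from 10.0.0.25 dropped
Oct 10 06:02:40 router alert: TCP SYN to port 135 from 10.0.7.9 dropped
Oct 10 06:05:02 router alert: ICMP echo request from 10.0.0.25 dropped
Oct 10 06:09:55 router alert: ICMP echo request from 10.0.3.3 dropped
"""

# Assumed line shape: "... alert: <kind> from <ipv4> dropped".
ALERT_RE = re.compile(r"alert: (?P<kind>.+?) from (?P<src>\d+\.\d+\.\d+\.\d+)")


def traffic_summary(tx: int, rx: int, uptime_min: int) -> dict:
    """Per-hour byte rates plus the inbound/outbound ratio the post suggests."""
    hours = uptime_min / 60
    return {
        "tx_mb_per_hour": round(tx / 1e6 / hours, 2),
        "rx_mb_per_hour": round(rx / 1e6 / hours, 2),
        "rx_to_tx": round(rx / tx, 2),
    }


def alert_sources(log: str, kind: str = "ICMP echo request") -> Counter:
    """Count dropped alerts of one kind, keyed by source address."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group("kind") == kind:
            counts[m.group("src")] += 1
    return counts


def noisy_sources(counts: Counter, threshold: int = 3) -> list:
    """Sources at or above the (assumed) threshold: the clue set a provider could act on."""
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(traffic_summary(BYTES_TX, BYTES_RX, UPTIME_MIN))
    print(noisy_sources(alert_sources(SAMPLE_ALERTS)))
```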