RE: Nimda et.al. versus ISP responsibility

From: Greg A. Woods (woodsat_private)
Date: Thu Sep 27 2001 - 16:41:55 PDT


    [ On Thursday, September 27, 2001 at 17:10:50 (-0400), ahowardat_private wrote: ]
    > Subject: RE: Nimda et.al. versus ISP responsibility
    >
    > I think there is a mid-ground wherein all ISPs are responsible
    > for both ingress and egress filtering of all traffic on their
    > network to ensure it is valid traffic (e.g., making sure that
    > customer A cannot inject traffic into the network with a source
    > IP that doesn't belong to them...nearly eliminating spoofing) 
    > but stopping short of scanning payloads of packets.
    
    Come on!  Get real!
    
    Any properly formed IP packet is valid traffic!
    
    You cannot expect ISPs to stay on top of every protocol and every
    network application.
    
    The ONLY people responsible here are the operators of vulnerable servers
    and the people who release the vulnerable software they use.  Even
    though Microsoft have released fixes in these cases, they have not
    corrected the flaw in their business which causes them to release buggy
    vulnerable software.  Until Microsoft and other software vendors always
    put security at the forefront, no matter whether users ask for it or
    not, these problems will continue to cause wide-spread harm.
    
    Systems and network security must not be an option and it must not be
    off by default.  Customers must not even have to ask for security.
    Until software vendors take this position, their users, and all of us who
    provide related services, will continue to suffer.
    
    > Additionally, ISPs should allow customers to choose filtered
    > connections if they wish.  Customers should be able to work
    > with ISPs to create traffic shaping rules as to what is and
    > is not OK on the pipe they are paying for.
    
    In some cases this is in fact done.  However, very few customers,
    especially those on *DSL, cable, or other high-speed connections, are
    willing or able to pay for this level of service.
    
    -- 
    							Greg A. Woods
    
    +1 416 218-0098      VE3TCP      <gwoodsat_private>     <woodsat_private>
    Planix, Inc. <woodsat_private>;   Secrets of the Weird <woodsat_private>
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


