Re: A question for the list...

From: Dave Booth (dboothat_private)
Date: Thu May 22 2003 - 10:21:23 PDT


    Luc Pardon wrote:
    >  We're talking about (a pound of) cure, how about (an ounce of)
    > prevention?
    > 
    >   There seems to be consensus that (lack of) competence is part of the
    > problem. If ISPs would/could take on more responsibility, the need for
    > hack-back would be greatly reduced, making the discussion of whether it's
    > nice or not futile, so maybe the following is even on topic ;-)
    > 
    >   I'd be interested in the opinion of the community (particularly ISPs)
    > on a scheme like this: 
    > 
    
    I can see ISPs that work this way losing lots of accounts when any
    protocol that involves server-side callbacks breaks. You can't really
    expect the average road warrior to know which ports to open in order
    to enable their corporate VPN tunnel, for example. There would have to
    be some kind of stateful inspection of traffic at the ISP to determine
    if an active FTP callback, or the establishment of a tunnel, or an IRC
    DCC session is somehow "expected" and should be allowed, or is just a
    generic incoming connection that should be dropped.
    
    That's a nasty overhead to ask a small ISP's network kit to bear, and the
    bigger the ISP the nastier it gets.
    
    On the other hand, lots of attacks depend on spoofed traffic, and we've
    all read both the rants about ISPs who don't filter out the martians
    and ISPs screaming about how they can't afford to do anything about it.
    The ISP does have to pay for any filtering they do, so how about
    requiring all customers to have egress filtering? If the customer can't
    or won't do this, then they can pay the ISP a little extra to have the
    ISP apply the required filters to their connection. Of course we'd
    have to "encourage" good behaviour in the customers that handle their
    own filtering by putting a penalty clause in there. Generate martians
    after you said you wouldn't and your next month's bill would include a
    much steeper fee for the filtering - say 3 times the amount it would
    be if you'd asked them to do it up front? I'm confident enough in my
    egress filtering to put my money where my mouth is, and I suspect most
    readers of this list are in a similar position. Just a thought....
    
    -- 
    Dave Booth
    dboothat_private
    +----------------------------------------------------------------+
    | Trouble rather the tiger in his lair than the sage amongst his |
    | books, for to you kingdoms and their armies are things mighty  |
    | and enduring but to him they are the toys of the moment, to be |
    | overturned by the flicking of a finger.                        |
    +----------------------------------------------------------------+
    
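Added example (not part of Dave's post or of any ISP's code): the "expected callback" problem he raises with active-mode FTP, shown as a small connection tracker. A stateless inbound default-deny drops the server's data connection because the server dials back to the client; a tracker that reads the client's PORT command on the control channel knows exactly which inbound connection to expect and can open a one-shot pinhole for it. The addresses and control-channel lines are constructed; the tracker's class and method names are mine, not from any product.

```python
"""Stateful "expected callback" tracking for active-mode FTP.

In active FTP the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
channel and the server then connects back to h1.h2.h3.h4:(p1*256+p2).
A stateless inbound default-deny at the ISP drops that connection; a
tracker that parses PORT can open a single-use pinhole for exactly it.
Constructed example; addresses are RFC 5737 documentation ranges.
"""
import re

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line):
    """Return (ip, port) announced by an FTP PORT command, or None.

    Rejects anything that is not a well-formed PORT command, including
    octets or port halves above 255.
    """
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ("%d.%d.%d.%d" % tuple(nums[:4]), nums[4] * 256 + nums[5])


class CallbackTracker:
    """Tracks inbound connections a customer has solicited via FTP PORT."""

    def __init__(self):
        # (server_ip, client_ip, client_port) with a pinhole currently open
        self.pinholes = set()

    def observe_control(self, client_ip, server_ip, line):
        """Feed one client->server control-channel line.

        A pinhole is opened only if the announced address is the client's
        own and the port is unprivileged. A PORT naming another host is
        refused: honouring it would let the client open inbound access to
        a third party (the FTP bounce problem).
        """
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        ip, port = parsed
        if ip != client_ip or port < 1024:
            return False
        self.pinholes.add((server_ip, client_ip, port))
        return True

    def inbound_allowed(self, src_ip, dst_ip, dst_port):
        """Decide an unsolicited inbound SYN: allowed only if expected.

        Pinholes are single-use; the first matching SYN consumes it.
        """
        key = (src_ip, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.remove(key)
            return True
        return False


def demo():
    """Constructed scenario: a customer behind default-deny does active FTP.

    Returns (stateless, stateful, repeat, bounce, other) decisions.
    """
    t = CallbackTracker()
    client, server = "203.0.113.10", "198.51.100.5"
    # Stateless default-deny: nothing was announced, so the data SYN drops.
    stateless = t.inbound_allowed(server, client, 40001)
    # Stateful: PORT 203,0,113,10,156,65 announces port 156*256+65 = 40001.
    t.observe_control(client, server, "PORT 203,0,113,10,156,65")
    stateful = t.inbound_allowed(server, client, 40001)
    # The pinhole was consumed; a second SYN to the same port is not expected.
    repeat = t.inbound_allowed(server, client, 40001)
    # PORT naming a different host is refused, and unannounced ports stay shut.
    bounce = t.observe_control(client, server, "PORT 198,51,100,77,0,80")
    other = t.inbound_allowed(server, client, 40002)
    return stateless, stateful, repeat, bounce, other


if __name__ == "__main__":
    print(demo())
```

The same idea (read the control channel, derive the expected inbound 5-tuple, open a narrow pinhole) is what an "application layer gateway" does for DCC or SIP; the cost Dave describes is that the ISP box must then parse every such protocol in line, not just match ports.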
    
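Added example (not Dave's code, not any ISP's): the customer-side egress filter he proposes, in the style of BCP 38 anti-spoofing. A customer holding an assigned prefix should never emit a packet whose source lies outside that prefix, and never one sourced from a "martian" range. The classifier below decides per packet, tallies the violations that would trip his penalty clause, and renders the equivalent nftables rules. The prefix, packet samples, table/chain names and interface name are constructed for illustration; it handles IPv4 only.

```python
"""Customer-side egress (anti-spoofing) filter, BCP 38 style.

Constructed example: one customer assigned 203.0.113.0/24 (RFC 5737
documentation space). Every outbound packet's source must fall inside
that prefix and must not be a martian.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Source ranges that must never leave a customer link onto the Internet.
MARTIANS = [ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network / unspecified
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast, never a unicast source
    "240.0.0.0/4",      # reserved
)]


class EgressFilter:
    def __init__(self, assigned_prefixes):
        self.prefixes = [ip_network(p) for p in assigned_prefixes]

    def classify(self, src):
        """'martian', 'spoofed' or 'ok' for an outbound source address."""
        a = ip_address(src)
        if any(a in m for m in MARTIANS):
            return "martian"
        if not any(a in p for p in self.prefixes):
            return "spoofed"
        return "ok"

    def audit(self, packets):
        """Tally outcomes over an iterable of (src, dst) pairs; anything
        other than 'ok' is what the penalty clause would bill for."""
        return Counter(self.classify(src) for src, _dst in packets)

    def nftables_rules(self, ifname="cust0"):
        """Render the same policy as an nftables rule set applied to the
        customer-facing interface. Table, chain and interface names are
        illustrative, not taken from any real deployment."""
        martians = ", ".join(str(m) for m in MARTIANS)
        ours = ", ".join(str(p) for p in self.prefixes)
        return "\n".join([
            "table ip egress_filter {",
            "  chain customer_out {",
            "    type filter hook forward priority 0; policy accept;",
            '    iifname "%s" ip saddr { %s } counter drop' % (ifname, martians),
            '    iifname "%s" ip saddr != { %s } counter drop' % (ifname, ours),
            "  }",
            "}",
        ])


# Constructed sample of outbound (src, dst) pairs seen on the customer link.
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.5"),    # legitimate
    ("203.0.113.200", "192.0.2.1"),      # legitimate
    ("192.168.1.5", "198.51.100.5"),     # leaked RFC 1918 source: martian
    ("10.0.0.1", "198.51.100.5"),        # leaked RFC 1918 source: martian
    ("198.51.100.77", "203.0.113.10"),   # source not ours: spoofed
]


def demo():
    """Audit the constructed sample for the constructed customer prefix."""
    return EgressFilter(["203.0.113.0/24"]).audit(SAMPLE_PACKETS)


if __name__ == "__main__":
    print(dict(demo()))
    print(EgressFilter(["203.0.113.0/24"]).nftables_rules())
```

The martian rule comes first so that a customer who is (correctly) assigned a prefix can never accidentally whitelist private space by listing it among their prefixes; the second rule is the actual BCP 38 check. Running the audit against a day's flow records is the check the ISP would do before deciding which rate a customer pays.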
    



    This archive was generated by hypermail 2b30 : Thu May 22 2003 - 12:14:40 PDT