Re: [Dshield] How difficult would it be for ISPs to provide basic firewalling? Alan Frayer Thu Nov 16 12:07:50 2006

> I would argue that a lock that is easily bypassed by a professional and
> provides no real security, but lulls the owner into believing they are
> secure, is worse than no lock at all.  Especially when we put locks on
> the doors but leave the windows wide open, usually with a big neon sign
> that says "The good stuff is behind this window".
> Locks on doors are effective when 95% of burglars are low-life losers
> who are usually too strung out on drugs or alcohol to form and execute
> a more complicated plan than "smash door, grab stuff, run".  They don't
> help much when 95% of the attacks are done by professionals who know how
> to find the master override PIN to enter to turn off the home security
> system...
> Firewalls mitigate some classes of network service based worms. That's
> about it. The instant you start believing they do anything else for you,
> your total overall security goes down...

I'll admit that the lock metaphor is just that... a metaphor. Still, as 
you say, firewalls mitigate SOME of the threats, while a lack of 
firewalls mitigates NOTHING. A responsible provider (how I wish they 
truly existed) would provide the firewall and caution the subscriber that 
the firewall doesn't compensate for foolish behavior on their part, or 
determined behavior on the part of the bad guy.

I believe it is irresponsible for the ISP to default to unrestricted 
access. I leave it as an exercise for professionals to determine the 
situations under which a subscriber can obtain greater access. Passing 
the responsibility for security to an ill-informed (or even uncaring) 
subscriber does more than hurt the subscriber... it hurts us all. Since 
no one wants to require subscribers to be licensed for Internet access, 
it falls on all of us, subscribers and vendors alike, to share 
responsibility. Providing a firewall at the subscriber's site at least 
shows some acceptance of that responsibility.

Alan Frayer
