
Re: [Dshield] How difficult would it be for ISPs to provide basic firewalling? Micheal Patterson Fri Nov 17 12:05:52 2006

----- Original Message ----- 
From: "Alan Frayer" <[EMAIL PROTECTED]>
To: "General DShield Discussion List" <[EMAIL PROTECTED]>
Sent: Thursday, November 16, 2006 11:18 AM
Subject: Re: [Dshield] How difficult would it be for ISPs to provide basic firewalling?

>> I would argue that a lock that is easily bypassed by a professional and
>> provides no real security, but lulls the owner into believing they are
>> secure, is worse than no lock at all.  Especially when we put locks on
>> the doors but leave the windows wide open, usually with a big neon sign
>> that says "The good stuff is behind this window".
>> Locks on doors are effective when 95% of burglars are low-life losers
>> who are usually too strung out on drugs or alcohol to form and execute
>> a more complicated plan than "smash door, grab stuff, run".  They don't
>> help much when 95% of the attacks are done by professionals who know how
>> to find the master override PIN to enter to turn off the home security
>> system...
>> Firewalls mitigate some classes of network service based worms. That's
>> about it. The instant you start believing they do anything else for you,
>> your total overall security goes down...
> I'll admit that the lock metaphor is just that... a metaphor. Still, as
> you say, firewalls mitigate SOME of the threats, while a lack of
> firewalls mitigates NOTHING. A responsible provider (how I wish they
> truly exist) would provide the firewall and caution the subscriber that
> the firewall doesn't compensate for foolish behavior on their part, or
> determined behavior on the part of the bad guy.
> I believe it is irresponsible for the ISP to default to unrestricted
> access. I leave it as an exercise for professionals to determine the
> situations under which a subscriber can obtain greater access. Passing
> the responsibility for security to an ill-informed (or even uncaring)
> subscriber does more than hurt the subscriber... it hurts us all. Since
> no one wants to require subscribers to be licensed for Internet access,
> it falls on all of us, subscribers and vendors alike, to share
> responsibility. Providing a firewall at the subscriber's site at least
> shows some acceptance of that responsibility.
> -- 
> Alan Frayer
> Don't just read the news - make the news at
> http://yourworldnews.frayernet.com
> Classified Ad space available

The sad but true source of the problem is "Joe/Jo User". He/she sees a 
computer, sees the commercials for high speed internet, and goes out and 
gets a PC and the network connection and has z e r o idea how it works.

I can see, that at some point in the future, if things persist down the 
current path they're taking, that one of two things will occur. The net 
will literally tear itself apart due to uncontrolled trash, or end users 
will be required to obtain a license to use it.

As with most anything that is dangerous, family cars, trucks, dozers, 
electrician, etc, you have to have a license that you are competent 
enough to operate / perform the duties in a safe and legal manner.

The net should be no different really. While it doesn't appear to be to 
most people, it's a very dangerous thing. That laptop that you or I use 
daily in our medical networks. What happens if something hits it that 
isn't detected by our not so 100% effective AV / firewall solution and 
we put that laptop back on the web? Many hospital phone systems use VoIP 
these days, as do many other companies. So, the phone system goes down, 
overhead paging fails, a patient dies because no one can call for a 
crash cart. Yep, dangerous..

With the net, comes the ability to steal identities, financially ruin 
big business, etc if their data isn't protected properly. Yes, the net 
itself, is a very dangerous place. So, why does "Jo/Joe User" get the 
ability to use it without training? I hope it never gets to that point, 
but hey, you never know. We were once told "Who'd ever need more than 
64k memory?!" And "IPv4 address space will never get used up".


Micheal Patterson