Securing home computers (Was: Re: [Dshield] Re: [Full-Disclosure]Port Blocking)

Doug White doug at dwhite.ws
Sat Jun 28 03:58:33 GMT 2003


Just about every ISP publishes an "Acceptable Use Policy" and they cover events
such as breach of security, etc.  Every user, no matter how naive, must assent to
that policy in order to subscribe to the service.
The RFCs require an abuse desk, and the larger providers have security staffs in
addition to abuse folks.

Where it goes awry is their reluctance to enforce their own policies, even when
brought to their attention.  Some are even more incompetent than the naive
users.

An example is RoadRunner, who will scan the entire network that contains a mail
server that sends mail to them.  They scan a large range of ports as well, and
at the same time, they will not enforce their own policy prohibiting open relays
and open proxies.

Another is the State of Texas, who has many thousands of employees and they are
identified by their SS#, a single item needed for identity theft.  Their systems
were built for them by such Giants in the industry as IBM and EDS.  But these
identities are consistently exposed.  They are not the only ones by far.

The other side of this coin is that most have very competent and secure users
who are also subscribers, and these people do not wish to have restrictions
placed on them as long as they comply with the AUP.  The blanket blocking of
arbitrary ports, were it in general use, would not only limit the "good" users
from using the full potential of their connection, but would also take away the
incentives for the less educated to properly secure their own systems, thinking
that "someone else" would take care of any problems.  It would also take away
the incentives from the software publishers to continue to evolve and better
secure their software or operating system releases.

Anyone who connects servers or other machines to the web, which contain
sensitive or even important information, has the obligation to secure that
information from others, while making it available to its intended audience.
Arbitrary port blocking is not the answer when done at the provider level.
