[Dshield] paper about port blocking

Jonathan Rickman jonathan at xcorps.net
Wed Sep 3 22:46:04 GMT 2003

On Wednesday 03 September 2003 18:10, Darren Gasser wrote:

> These "devices" you propose sound an awful lot like firewall
> appliances.  Do you really think it's feasible for consumer and small
> business ISPs to ship a pre-configured firewall to every single network
> endpoint for free?  You state that it would be a cost wash to purchase,
> configure, install, and support a gazillion firewall appliances versus
> what they're currently paying to deal with worm infestations.   Do you
> have numbers to support this assertion?

You're exaggerating. Some ISPs already have devices with this capability 
out there. It's just not turned on. And do you really think you got that 
DSL modem for free? The costs of the equipment are always passed on to 
the consumer. The increased costs would be negligible when you factor in 
the volume purchase agreements that ISPs can leverage. When I referred to 
absorbing costs, I was referring to the initial roll-out and 
configuration, not the equipment itself. 

> Wouldn't it be far simpler, and cheaper, if the filtering is done
> upstream on equipment already installed and under the control of the
> ISP?   Your issue of end-user control could even be solved, since in
> either case they'd have to develop automated software for end users to
> request a port that's closed by default be opened, and this software
> would be cheaper to implement in a centralized model versus your
> distributed one.  The centralized model also has the advantage of
> handling deliberately malicious end users who could easily bypass a
> device that's under their direct control.

You misunderstood me apparently. I didn't say anything about centralized 
control. I said the initial config should be locked down, and the 
customer should have the capability to make changes. So, in your 
centralized model there are development costs, and in my decentralized 
model there are none.

You also speak as if the end users shouldn't be trusted. That's exactly 
why I do not support the idea of upstream filtering. I do not need to 
prove anything to my ISP. I am their customer and I pay for my service. 
If my ISP is forced to filter traffic "in the heat of battle", I 
understand and will be patient with them. If they decide to make it 
permanent, I will make every attempt to convince them to change their 
policy. If that fails, they will lose a customer. I suspect that will 
convince most ISPs to avoid this, but those who are in a monopoly 
position will simply ignore their customer's wishes as usual. That's the 
end of it. In the interest of avoiding a long and drawn out argument over 
the two philosophies, I'll bow out now. I think both sides have presented 
a clear argument for their respective positions. I understand and respect 
the views of those who advocate upstream filters. I just disagree on 

Jonathan Rickman
X Corps Security
