[Dshield] paper about port blocking

Darren Gasser kaos at earthlink.net
Wed Sep 3 23:25:46 GMT 2003

Jonathan Rickman wrote:
> You're exaggerating. Some ISPs already have devices with this
> capability out there. It's just not turned on.

Really?  Which ones?

> And do you really think you got that DSL modem for free?

No, I paid for my cable modem at home and my IT budget paid for the DSUs at
the office, neither of which support port filtering, anyway.  :)

> The costs of the equipment are
> always passed on to the consumer. The increased costs would be
> negligible when you factor in the volume purchase agreements that
> ISPs can leverage. When I referred to absorbing costs, I was
> referring to the initial roll-out and configuration, not the
> equipment itself.

So, how much would you think the equipment would affect the monthly access
cost for broadband, on average?  Amortizing a $50 DSL or cable modem into
the monthly fees is very different from a $500 firewall appliance.

> You misunderstood me apparently. I didn't say anything about
> centralized control.

No, you are misunderstanding me, I think.  I know you aren't advocating
central control of the filtering.  I am.  A simple web interface to some
tools which control router ACLs (probably with some human approval workflow
for risky ports like 135, etc.) is not exactly rocket science.

> I said the initial config should be locked down,
> and the customer should have the capability to make changes. So, in
> your centralized model there are development costs, and in my
> decentralized model there are none.

Unless you assume all users have the necessary training to configure a
firewall using native interfaces, there still are development costs for a
user-friendly interface for opening ports.  Regardless, your plan has
massive costs involved in purchasing, deploying, supporting, and maintaining
many, many thousands of new devices.  My suggestion takes advantage of
existing equipment and tools, and any incremental development cost is
minuscule in comparison to deploying tons of new hardware.

> You also speak as if the end users shouldn't be trusted.

I think the millions of compromised systems over the last few weeks have
adequately proven many shouldn't be.
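An added example, not part of the thread: a toy Python model of the centralized scheme Darren sketches, in which customers start locked down, request ports through a web tool, requests for risky ports wait for a human, and only approved requests become router ACL lines. The risky-port set (beyond 135) and the Cisco-style ACL syntax are constructed assumptions.

```python
# Added example (not from the thread): a toy model of the ISP-side filtering
# workflow described above. Customers start locked down, ordinary ports are
# self-service, risky ports need human approval, and approved requests are
# rendered into per-customer router ACL lines. Port list and ACL syntax are
# constructed for illustration.
from dataclasses import dataclass

# Ports treated as risky: 135 is named in the thread, the rest are assumed.
RISKY_PORTS = {135, 137, 138, 139, 445}


@dataclass
class PortRequest:
    customer_ip: str
    port: int
    proto: str = "tcp"
    status: str = "pending"      # pending | approved | denied
    reviewer: str = "auto"       # "auto" for self-service approvals


class FilterDesk:
    """Queue of customer port requests plus the ACL rendered from approved ones."""

    def __init__(self):
        self.requests = []

    def submit(self, customer_ip, port, proto="tcp"):
        if not 0 < port < 65536:
            raise ValueError(f"invalid port {port}")
        req = PortRequest(customer_ip, port, proto)
        # Self-service for ordinary ports; risky ones stay pending for a human.
        if port not in RISKY_PORTS:
            req.status = "approved"
        self.requests.append(req)
        return req

    def review(self, req, reviewer, approve):
        if req.status != "pending":
            raise ValueError("only pending requests can be reviewed")
        req.status = "approved" if approve else "denied"
        req.reviewer = reviewer
        return req

    def pending(self):
        return [r for r in self.requests if r.status == "pending"]

    def acl_lines(self, customer_ip):
        """Cisco-style sketch: permit approved inbound ports, then default deny."""
        lines = [f"permit {r.proto} any host {r.customer_ip} eq {r.port}"
                 for r in self.requests
                 if r.customer_ip == customer_ip and r.status == "approved"]
        lines.append(f"deny ip any host {customer_ip}")
        return lines
```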

