[Dshield] Possible solution for ISP (was DShield's public goals)
Jon R. Kibler
Jon.Kibler at aset.com
Tue Jan 10 16:45:10 GMT 2006
> I personally think that ISPs should allow the account owner to choose their
> level of protection:
> 1. Equivalent to NAT: No inbound unless related to outbound. No outbound on
> certain ports with some exceptions to specified servers in ISP-space (eg:
> SMTP/port 25 only to ISP's SMTP server, no SMB/137->139+445, etc). This
> should be the default.
> 2. Restricted outbound (eg: SMTP/port 25 only to ISP's SMTP server, no
> SMB/137->139+445, etc.), with some inbound blocks (mostly the same as
> outbound except where it would cause issues).
> 3. Unrestricted. Nothing blocked. Onus on user. Comes with disclaimer that
> the account holder is responsible for any problems they get, any excess costs
> through excessive data usage, etc.
> Sure, you'll get people just opening their service up straight away, but most
> of the population will just live with the default restricted setup and not
> change. And that's a good thing.
I couldn't agree more. The biggest issue we face is the security-ignorant user. They will be completely happy with an "Equivalent to NAT" account. Right there, that would probably remove 80% or more of the vulnerable systems from the target space. Having 80% fewer compromised computers would be a VERY good thing!
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
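
A small model of the three protection levels quoted above, added here as an illustration and not part of the original post. The ISP relay address, the documentation-range IPs and the inbound block list used for level 2 are assumptions.

```python
import ipaddress

# Assumptions, not from the post: the relay address (a documentation-range IP)
# and which inbound ports level 2 blocks.
ISP_SMTP = ipaddress.ip_address("192.0.2.25")
SMTP_PORT = 25
SMB_PORTS = {137, 138, 139, 445}  # "SMB/137->139+445" in the post


class AccountFilter:
    """Per-subscriber filter: level 1 NAT-like, 2 restricted, 3 unrestricted."""

    def __init__(self, level):
        if level not in (1, 2, 3):
            raise ValueError("level must be 1, 2 or 3")
        self.level = level
        self.flows = set()  # flows the subscriber opened, used to match replies

    def outbound(self, proto, local_port, remote_ip, remote_port):
        remote = ipaddress.ip_address(remote_ip)
        if self.level in (1, 2):
            if remote_port in SMB_PORTS:
                return False
            if remote_port == SMTP_PORT and remote != ISP_SMTP:
                return False
        # Only permitted traffic creates state, so a blocked attempt
        # never opens a return path.
        self.flows.add((proto, local_port, remote, remote_port))
        return True

    def inbound(self, proto, remote_ip, remote_port, local_port):
        remote = ipaddress.ip_address(remote_ip)
        if (proto, local_port, remote, remote_port) in self.flows:
            return True  # related to earlier outbound traffic
        if self.level == 1:
            return False  # no unsolicited inbound at all
        if self.level == 2:
            return local_port not in SMB_PORTS  # assumed inbound block list
        return True  # level 3: nothing blocked


if __name__ == "__main__":
    default = AccountFilter(1)
    print(default.inbound("tcp", "198.51.100.7", 40000, 445))   # False
    print(default.outbound("tcp", 50000, "203.0.113.9", 25))    # False
    print(default.outbound("tcp", 50001, "192.0.2.25", 25))     # True
```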