[Dshield] My Dream ISP (was: public goals)

Johannes B. Ullrich jullrich at sans.org
Sat Jan 14 18:28:39 GMT 2006

Let me dream a bit. I don't suggest that ISPs have to do this. But I
think it should be doable:

First of all, the modem (DSL or Cable or whatever) should provide a
firewall. By default, all inbound traffic should be blocked, and it
should provide NAT.

In order to enable ports, or turn it into a bridge, you have to pass a
little exam. This would be web based and all automated. Sample question
"do you have a personal firewall", "do you have anti virus" ...

Depending on how well you do, you should be able to turn off the
Firewall or the NAT.

If there is an abuse report, the customer is called automatically. The
system will require a response ("Press 1 if you have the issue fixed,
press 2 if you want your modem turned into safe mode...")

If a system turns out to be infected/hacked, and the customer does not
respond (24hrs?), the modem is turned into a 'safe mode' which only
allows access to a limited number of sites (update sites, anti virus,
internal help sites...). Again: This happens after phone calls and emails.

Once the customer has fixed the system, they call the ISP (or visit the
internal, still accessible web site), and request to re-enable the
modem. The ISP may do a quick scan of the system to check if the issue
is fixed and turn the control of the modem over to the user.

Of course, if this happens too much, more severe penalties may be put in

Advantage of this system: Very little 'human interaction'. So it should
be cheap to implement. And flexible, so everyone is happy.

Some ISPs (and in particular universities) are already very close to
this with their "walled garden" setups that allow access to limited
sites if a system is considered 'off'.

One big issue that came up only recently is VoIP, and the ability to
call 911... But expecting reliable service for a 'live line' like 911
access from a consumer "best effort" service level contract is a stretch
to begin with (not a big fan of 911 requirement for VoIP myself... )

Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.
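
Added example, not part of the original message: a minimal Python model of the modem lifecycle the post describes (abuse report, phone-menu response, 24-hour timeout, safe mode, rescan before re-enable). The class and method names and the allowlisted domains are assumptions made up for illustration; the 24-hour window is the post's own tentative figure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class Mode(Enum):
    DEFAULT = "firewall+nat"   # inbound blocked, NAT on
    OPEN = "user-controlled"   # customer passed the web exam
    SAFE = "safe-mode"         # walled garden only

RESPONSE_WINDOW = timedelta(hours=24)  # the post's tentative "24hrs?"
# Constructed placeholder domains for update, anti-virus and help sites.
SAFE_SITES = ("updates.example", "antivirus.example", "help.isp.example")

@dataclass
class Modem:
    mode: Mode = Mode.DEFAULT
    restore_to: Mode = Mode.DEFAULT
    report_at: Optional[datetime] = None   # unanswered abuse report, if any

    def abuse_report(self, now: datetime) -> None:
        if self.mode is not Mode.SAFE and self.report_at is None:
            self.report_at = now           # automated call/e-mail goes out here

    def keypress(self, key: int) -> None:
        """Phone menu from the post: 1 = issue fixed, 2 = safe mode."""
        if self.report_at is None:
            return
        if key == 1:
            self.report_at = None
        elif key == 2:
            self._quarantine()

    def tick(self, now: datetime) -> None:
        # No response within the window: fall back to safe mode.
        if self.report_at is not None and now - self.report_at >= RESPONSE_WINDOW:
            self._quarantine()

    def _quarantine(self) -> None:
        # Remember the previous mode so control can be handed back later.
        self.restore_to, self.mode, self.report_at = self.mode, Mode.SAFE, None

    def reenable(self, scan_clean: bool) -> None:
        # Customer asks to be re-enabled; honoured only if the ISP scan is clean.
        if self.mode is Mode.SAFE and scan_clean:
            self.mode = self.restore_to

    def outbound_allowed(self, host: str) -> bool:
        if self.mode is not Mode.SAFE:
            return True
        host = host.lower().rstrip(".")
        # Match whole DNS labels so "evilupdates.example" is not let through.
        return any(host == s or host.endswith("." + s) for s in SAFE_SITES)
```

The allowlist check compares on label boundaries rather than with a plain suffix match, which is the detail most likely to go wrong in a walled-garden filter.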
