Hi there,

if security is not part of the contract, then you should not offer
security. The reason is that security comes at a cost.

Also, people must know what is blocked. I remember once that I spent a lot
of time trying to check why DNS doesn't work just to discover that
for some reason the ISP has blocked inbound (from our viewpoint)
DNS traffic, considering that we are "like all those people around"
dummy and should not host a DNS server :{

There are some exceptions, such as ingress filtering, but this depends on
how many routers you would have to configure, so ISPs just leave this as it is.
Also, some routers are "symmetric" (they route between different
networks that contain too many different network classes, so you just
can't handle the necessary rules).

As for ICMP rate filtering, you should not "impose" your decision.
A better approach is to watch for excess, and when discovered, check
with the guy. If that was legitimate, then it's ok. Otherwise, get him out
of your network if you can (for legal reasons, you generally can't) or
apply specific limitations to him (but this requires you define different
categories of users).

The simplest approach is thus to let everyone do what is necessary to
secure himself. Secure those machines and networks that you own
and manage, and those for which you have a clear contract, and leave
"normal" users to do what they want. Sure, this leads to problems, but
that's the internet! Those who want restrictions go for AOL, but AOL
is not an ISP (they are an AOLSP)...

Note that you can propose specific portals to those people who want them
(so that you can "sell" parental control and the like), and if your network
is simple, you can propose specific contracts with filtering rules. But
you always need to sell, not impose. After all, you're offering access,
not restrictions!


cheers,
mouss

At 10:53 15/11/01 -0800, Wil Cooley wrote:
>Almost all of the firewall designs I've read about focus on
>enterprise networks, which usually includes the internal, corporate
>network, and a DMZ for external services.  Unfortunately, for an
>ISP, this isn't entirely adequate, since almost all services are
>external and so almost all hosts in the DMZ, and then there are
>customer connections themselves.
>
>Of course the office network itself is behind a second firewall,
>and for expedience and address savings NAT'd.  The service hosts
>themselves, the web, mail, and name servers are reasonably protected.
>But what sort of policy should one have for customer connections,
>like dial-up, co-lo, and WAN customers?  Certainly, for some customers,
>we offer extended security management.  But should I apply any stricter
>filters for other customers, aside from the usual things like egress
>filtering, ICMP rate filtering, etc.?

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
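The "watch for excess, then check with the customer" approach from the reply above, as an added example that is not part of the thread: a small Python script that aggregates ICMP packets per source per second from constructed flow records, ignores a single spike (ordinary ping or traceroute noise), flags only sustained excess, and maps the offender to a hypothetical contract category so that a limit is applied only where a contract allows it and everyone else simply gets a call. The flow line format, the sample addresses and the CONTRACTS table are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample flow records (hypothetical, not from the thread): one flow
# export per line in the form "epoch_second src_ip protocol packets".
SAMPLE_FLOWS = """\
1005842000 192.0.2.10 icmp 40
1005842000 192.0.2.10 icmp 35
1005842001 192.0.2.10 icmp 60
1005842001 192.0.2.10 icmp 55
1005842002 192.0.2.10 icmp 70
1005842000 192.0.2.23 icmp 3
1005842001 192.0.2.23 tcp 500
1005842002 192.0.2.23 icmp 2
1005842000 198.51.100.7 icmp 5
1005842003 198.51.100.7 icmp 120
"""

# Hypothetical contract categories (assumption): only customers under a
# security-management contract get limits applied for them; the rest get a call.
CONTRACTS = {
    ip_network("192.0.2.0/25"): "managed",
    ip_network("192.0.2.128/25"): "unmanaged",
    ip_network("198.51.100.0/24"): "unmanaged",
}


@dataclass
class Finding:
    src: str
    seconds_over: int
    peak_pps: int
    action: str


def parse_flows(text):
    """Parse the line format above into (second, src, proto, packets) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proto, pkts = line.split()
        records.append((int(ts), src, proto.lower(), int(pkts)))
    return records


def icmp_pps_by_source(records):
    """Aggregate ICMP packets per source per second: {src: {second: packets}}."""
    per_src = defaultdict(lambda: defaultdict(int))
    for ts, src, proto, pkts in records:
        if proto == "icmp":
            per_src[src][ts] += pkts
    return per_src


def contract_for(src):
    """Look up which contract category (if any) covers a source address."""
    addr = ip_address(src)
    for net, category in CONTRACTS.items():
        if addr in net:
            return category
    return "unknown"


def find_excess(records, threshold_pps=50, min_seconds=2):
    """Return one Finding per source whose ICMP rate exceeded threshold_pps in
    at least min_seconds distinct seconds. A lone spike is deliberately not
    reported: it is normal ping/traceroute noise, not a reason to bother anyone."""
    findings = []
    for src, by_second in sorted(icmp_pps_by_source(records).items()):
        over = [pps for pps in by_second.values() if pps > threshold_pps]
        if len(over) < min_seconds:
            continue
        category = contract_for(src)
        action = "apply-contract-limit" if category == "managed" else "contact-customer"
        findings.append(Finding(src, len(over), max(over), action))
    return findings


if __name__ == "__main__":
    for f in find_excess(parse_flows(SAMPLE_FLOWS)):
        print(f"{f.src}: over threshold for {f.seconds_over}s, peak {f.peak_pps} pps -> {f.action}")
```

With the sample data, 192.0.2.10 is flagged (three consecutive seconds above 50 pps, under a managed contract), while 198.51.100.7's single 120 pps second is left alone; lowering `min_seconds` to 1 turns that spike into a finding too, which is the trade-off the threshold choice makes explicit.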