[nSLUG] Off Topic: ISP filtering
mctylr at privacy.nb.ca
Sat Mar 13 12:19:20 AST 2004
On Sat, Mar 13, 2004 at 01:55:41AM -0400, bdavidso at supercity.ns.ca wrote:
> As you may know, I am the admin for a small local ISP (dialup). I'm also
> a Linux user, and generally have always had the feeling that if I buy
> Internet access, then I want Internet access, dammit. No filtering, NAT,
> However, the environment out there has become more and more nasty, and is
> causing more and more problems for naive users. I can't police how users
> configure and operate their machines, but I have to help them fix them
I would strongly recommend by default putting your customers behind a
simple port-filtering firewall. Filter tons of incoming ports (from
smtp, ftp, www, dns, dhcps to snmp and netbios) and a few outgoing (smtp and
Windows networking (135-139, 445) and maybe rpc). Actually I'm tempted to
strongly suggest that users cannot opt out of the outgoing filters...
Give users a free opt-out of the filtering with the CLEAR understanding
that any annoyance from an opted-out machine is billable ($50-75/h) at the
FIRST instance of hassle/trouble of a virus/worm/spam-relay clean-up.
This should keep 95% of your customers happy, and safer, by default while
giving that noisy 5% the freedom if they are willing to truly bear the
cost burden of cleaning up their mess if they don't keep their machine
secure. I see it as a net gain for most of your users (less impact if
there are few infected machines as well as less chance of becoming
infected themselves), and those that are experienced/cocky enough to
ride the Internet in the 'nude' can do so.
I have seen too many dial-up users, including a computer programmer and
Linux user, that skip downloading security patches via dial-up since it is
so slow given the size of the patches these days, and they have a false
sense of security because of their slow connection and somewhat limited
amount of time they are connected. Dial-up machines get just as infected
by worms; I don't know of any worms that skip dial-up machines, and since they
all attack random IP addresses, the user is still at risk. So I expect
it would be a bonus for nearly 95% of your users.
Sorry for breaking into a rant there...
That's my 2 cents.
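The "filter by default, opt out on request" policy described in this reply, as an added example that is not part of the original post or the list's own material. It emits an iptables ruleset for a router in front of the customer pool (ports are the services the post names; the customer network, the opted-out addresses and the chain names are constructed placeholders), and it follows the poster's leaning that the outgoing filter has no opt-out.

```shell
#!/bin/sh
# Hypothetical dial-up pool and opted-out customers (constructed values).
CUSTOMER_NET="${CUSTOMER_NET:-10.20.0.0/16}"
OPT_OUT="${OPT_OUT:-10.20.3.7 10.20.9.12}"

# Inbound services named in the post: ftp, smtp, dns, www, netbios/smb, dhcp server, snmp.
IN_TCP="21,25,53,80,135:139,445"
IN_UDP="53,67,137,138,161"
# Outbound: smtp, Windows networking (135-139, 445) and sunrpc (111).
OUT_TCP="25,111,135:139,445"
OUT_UDP="111,137,138"

# Print the iptables commands; pipe to sh on the router to apply them.
gen_rules() {
  cat <<EOF
iptables -N CUST_IN
iptables -N CUST_OUT
iptables -A FORWARD -d $CUSTOMER_NET -j CUST_IN
iptables -A FORWARD -s $CUSTOMER_NET -j CUST_OUT
EOF
  # Opted-out customers skip the inbound filter only; clean-up is billable.
  for h in $OPT_OUT; do
    echo "iptables -A CUST_IN -d $h -j RETURN"
  done
  cat <<EOF
iptables -A CUST_IN -p tcp -m multiport --dports $IN_TCP -j DROP
iptables -A CUST_IN -p udp -m multiport --dports $IN_UDP -j DROP
iptables -A CUST_OUT -p tcp -m multiport --dports $OUT_TCP -j DROP
iptables -A CUST_OUT -p udp -m multiport --dports $OUT_UDP -j DROP
EOF
}

# True when the given customer address is exempted from the inbound filter.
is_opted_out() {
  gen_rules | grep -q -- "-A CUST_IN -d $1 -j RETURN"
}

gen_rules
```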