[Previous entry: "Bulletproof Computing: Firewalls"] [Main Index] [Next entry: "Bookslut"]
03/14/2004 Archived Entry: "Bulletproof Computing: ISPs"
Call it schadenfreude if you will, but I'm chuckling with mirth to learn that in the much-hyped DARPA Grand Challenge, 7 miles was as far as any robot got along the 142-mile course. A wee setback for the robotic military.
I see that I could have saved myself some typing. Much of what I've said over the last few days, including the concept of a layered defense, is also said at the Home PC Firewall Guide. That site is largely geared toward helping Windows users secure their systems -- and to do so without dumping Internet Explorer or Outlook -- so from my point of view, they're giving up two of the best defenses. But for the remaining lines of defense it's a great resource. Even Linux and Mac users will benefit from their links to hardware firewall reviews. The editor, "firewall-guy," also maintains recommendation lists on Amazon, where you can buy (for example) a DI-604 Ethernet router/firewall for a mere $36. (Roughly the price of one month's broadband access.)
Of course, your very first line of defense against attack is your Internet Service Provider (ISP). This is where most attacks ought to be blocked.
I say "ought to be" because the sad fact is, many ISP's don't seem to care about protecting their users. Many don't care, some see it as a new profit center, and a few apparently don't know how. We've just switched ISPs -- for reasons of customer service, not security -- and the contrast is noteworthy.
Firewall. ISPs have to route packets, so they are fully capable of blocking some of the better-known exploits. Yet our "old" ISP blocked only ports 25 and 445. 25 is used for mail relaying (SMTP) and is blocked by most ISPs so they don't send spam. (This is a recent change for our old ISP; I guess they got enough complaints about their open relays.) 445 is a notorious Windows vulnerability.
Our "new" ISP blocks many more ports... including the Windows networking ports 137-139 that I've mentioned before. There is no reason why these ports should ever be open at your ISP. If your ISP is letting this traffic through, they don't care much about your security. Our new ISP also blocks 111, 135, and 161 (among others), which suggests that they have some smarts.
Note, however, that your ISP can not block as completely as a home firewall. This is because if they block too much, certain popular Internet services (like interactive gaming) stop working. They have to block cautiously, or be swamped with customer support calls. At home, though, you can block aggressively, and then unblock the few services that you actually use.
Spam and Virus Filtering. It's always preferable to block unwanted email at your mail server (ISP), so that you don't waste bandwidth downloading it to your machine. Sadly, some ISPs (including our "old" ISP) are seeing this as a profit opportunity, so they're charging premium prices for the service.
Our "new" ISP views this as part of the service they provide, so they bundle it in with their basic subscription (which, incidentally, makes them very price-competitive). They use the Postini service, which is a bit awkward to use but has been remarkably effective at spotting both viruses and spam. (Postini offers user-defined whitelist and blacklist -- very useful -- and configurable spam criteria, which is good because much ifeminist email trips the "sexual content" filters. We can turn those filters off.)
Okay, I'm a free-marketeer, and I know it costs money to provide these services, so I might condone charging extra for spam filtering. But there is no excuse to knowingly pass on viral email.
My advice? When shopping for ISPs, compare apples to apples -- get their prices with spam/virus filtering included. If your ISP charges extra for it, call them and ask why. If they don't offer it, ask them why not. And if you have a high-bandwidth connection, and really don't mind scanning for viruses and spam at your own machine and updating your virus signatures daily, then maybe you can use a cheaper ISP. But I like the added protection.
Privacy. One warning about discount ISPs (and some non-discount ISPs): some of them sell their email address lists to spammers.
We own a domain name, so we use that for our email address. Our ISP is only for dial-up access; we never use the email address they give us. Yet shortly after we signed up with our "old" ISP, we started receiving junk mail at that email address. This address has never been used to send email, never been used to subscribe for anything, and has never appeared on a web page or Internet newsgroup. The inescapable conclusion is that our "old" ISP is selling their email lists. (And this is not a discount ISP; it's Canada's largest ISP, run by the phone company.)
Our "new" ISP keeps our email address private. The only commercial email we get there is from the ISP itself, informing us of their own training seminars or special offers. (About one email every 2 months.)
That's it, then. Six lines of defense that can protect your computer from intrusion and infection. We have put all six in place, and yet in the day-to-day use of our computers, the only noticeable change is that we now have to type a login name and password when we reboot. There's a bit of maintenance work, updating anti-virus files and operating system patches from time to time, but this is no great burden... and well worth it for peace of mind, and security of computing.