March 06, 2003

Heresy: security as a money spinner?

Not a single day goes by without someone complaining that their local cable/ISP/whatever is "blocking" their traffic. Why? Well, the reasons range from the hilarious ban on VPNs pioneered by a UK cable company to rather more appropriate suggestions that sharing illegal material is just not cricket. At other times the purported reason offered is "security", though security of what, or of whom, remains a subject of further debate.

At which point one might ask why no ISP to my knowledge offers home users a "secure service".

For example I would not refuse a service which guaranteed my link (whatever underlying technical specifications it might have) against DDoS, half-open scans, spam (via something "hard" such as RBL+) and a raft of other interesting options. As a matter of fact I would even be prepared to pay a premium for it.

The ultimate heresy would be a home service where the ISP would send me a request for the list of ports I wish to have open for incoming connections, so that they can configure the firewall for my link accordingly. This would go a long way towards accepting concepts such as "whitelisting" instead of continuing to perpetuate the myth that adding entries to blacklists is actually useful.
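The "send me your port list" idea above is, in firewall terms, a default-deny inbound policy with a per-subscriber allowlist. The following script is an added illustration, not something from the original post or from any ISP: it takes a subscriber's address and the ports they asked to have open, validates them, and emits an nftables ruleset as text for the ISP-side filter. The table and chain names, the subscriber address (documentation range 203.0.113.10) and the port list are all constructed for the example.

```shell
#!/bin/sh
# Added example: generate a per-subscriber inbound allowlist ruleset.
# The ISP filter forwards traffic for the subscriber, so the rules sit on the
# forward hook with a drop policy; only listed ports may open new inbound
# connections, everything the subscriber initiates is allowed back in.
# Names (subscriber_filter, inbound) and addresses are hypothetical.

# valid_port PORT : succeed only for an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ruleset SUBSCRIBER_IPV4 [PORT...] : print the ruleset, or fail on bad input.
# With no ports the subscriber gets a pure default-deny inbound policy.
gen_ruleset() {
    addr="$1"; shift
    ports=""
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
        ports="${ports:+$ports, }$p"   # build "22, 443" style set contents
    done
    printf '%s\n' \
        'table inet subscriber_filter {' \
        '    chain inbound {' \
        '        type filter hook forward priority 0; policy drop;' \
        '        ct state established,related accept' \
        "        ip saddr $addr accept"
    # Only emit the allow rule when the subscriber actually asked for ports;
    # an empty nftables set { } would be a syntax error.
    if [ -n "$ports" ]; then
        printf '%s\n' "        ip daddr $addr tcp dport { $ports } ct state new accept"
    fi
    printf '%s\n' '    }' '}'
}

# Constructed sample: a subscriber who wants SSH and HTTPS reachable.
gen_ruleset 203.0.113.10 22 443
```

The output is meant to be reviewed and then loaded with `nft -f`; the script deliberately only generates text so it can be run and inspected without root. Rejecting anything that is not a port number is the important check: the subscriber's request is untrusted input to the ISP's configuration pipeline.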

Of course the final touch would be to top it all with appropriate NIDS services with per-user reporting.

What is the incentive for an ISP to deploy this? How about increasing the awareness of security by the end-user? No, that would be too humanitarian and charitable; education of end-users is not in an ISP's charter. So let me suggest the following: for years the likes of Microsoft have been sponsoring schools and universities to expose students to their software. Why? Because when the student has to choose what software to work with in his future job, the chances that he will know the brand and the programs are rather high. It is a form of viral marketing. If an ISP starts educating home users on security, why should these people not start mentioning the service, and how good it is, at work? Why should they not become targets for a managed security service?

Welcome to the scary prospect of security education and money-making at the same time.

Posted by arrigo at March 6, 2003 02:03 PM