Re: [Nolug] Need new internet service...

From: Scott Harney <scotth_at_scottharney.com>
Date: Thu, 12 Dec 2002 08:28:50 -0600
Message-ID: <20021212142850.GA15202@zenarcade.local.lan>

This is getting pretty far afield of Linux methinks. Nonetheless,
network security in the real world, hosting services, and good fast
internet service are germane to the Linux user's life.

Until recently, I worked for Charter in a very similar capacity to
Charles. I think you're misunderstanding some of what he's saying and
there are aspects of network security in a cable world that you are
ignorant of -- you're making significant assumptions.

> the ignition. Bottom line, if the network was properly secured, you
> wouldn't need to quietly handle abusers. We're not talking rocket
> science... if you see traffic from an ip with no lease, block it.

You're assuming that the tools exist to do this in the DOCSIS cable
environment. They don't. Why do you think DSL providers love PPPoE?
Detecting an IP with no lease means that your router (probably a Cisco
UBR) needs to be able to accurately detect the handing out of leases to
CPE IPs. Cisco (I'm assuming Cox uses Cisco locally though they may
not) has attempted to do this. I can tell you from my own experience
that their success thus far is very limited. The best you get is
potential "IP squatters" are flagged for further manual investigation.

> And why are business customers on the same network as residential
> customers?

Cause that's the way cable works. So what? What would isolating them
do (if it were possible) to increase their security? Very little at best.
Think about it.

You control the handing out of IP addresses by MAC address. This can be
cumbersome to manage depending on the tools you have to do so. And
MACs are easily spoofed (this would be a more extreme case than
borrowing an unused IP). And this doesn't prevent a user from
statically setting his/her IP address to an unused IP. And then later a lease
gets handed out for that IP and there's a conflict. And the IP squatter
gets a polite phone call.

> I'm sure there is verbiage somewhere that says the business
> service is more "secure and reliable, that's why we charge more for it."
> I would think it should be separate networks.

No. They'd be idiots if they did that. That's not why they charge more.
They charge more because businesses use it more, they host services,
they demand better tech support. But somehow secured differently? No.
At best you could offer a value added service where you monitored
traffic and provided limited intrusion detection.

> I don't mean to start anything, and Charles, I appreciate the info you have
> provided. But to the current and future network managers, this sort of
> abuse is preventable with proper network security. Falling back on your
> acceptable-use policies, contacting authorities, calling abuse managers,
> quietly handling users, etc etc etc... that's not the right way to handle
> it. If someone sniffs your admin password cause you are telnetting, you
> can't run to the CEO and say 'oh no no it's ok cause he violated the AUP
> by running a sniffer'. That won't cut it.

This isn't a corporate environment. It's an ISP. You CAN'T be as
restrictive. It's a delicate balance. You've got paying customers.
Iron fisted network policies will lose you business. On a fundamental
level, ISPs are about moving packets, not blocking them.
 
> Email abuse, breaking into other systems, threats, harassment... that is
> abuse, and by all means contact abuse managers and local authorities and
> get it dealt with. But don't threaten to sic the law on me cause I
> "borrow" an IP address. Just secure your network. I guarantee it'll be
> cheaper and cause everyone less headaches in the long run.

And that's what you misunderstood about Charles' post. This is hardly
the thing he's most worried about. IP squatting is the least of the
cable net admin's worries. Bandwidth theft (hacking your modem to
remove b/w caps) is one of the biggies. Unfortunately, DMCA is another.
You get TONS of automated letters from lawyer types that you MUST deal
with. You'd love to do more intrusion detection and other active
monitoring but frankly, the time isn't there.

So here's the deal. There's an implicit agreement between the clued
customer and the company network admins: do no harm.

Don't be stupid. Don't impact other customers or the network admins.
Network admins typically don't care about people with open inbound ports
-- most of us don't agree with our employers' stance on this. We know the cat
is out of the bag and it's a pointy-headed unrealistic rule. (1) What we do
care about is idiots who offer warez, etc. and bring lawyerly attention.
And if you squat on an IP and you end up affecting another customer, you'll
get called on it.

(1) I never isolated business accounts on a separate IP subnet from
consumer accounts. Charter never allocated public IPs in a way that
would make that reasonable to manage across many UBRs. And since they
never demanded it, it was a subtle way for me to prevent future blocking of
inbound ports -- a potential policy I was fervently against.

-- 
Scott Harney <scotth@scottharney.com>
"...and one script to rule them all."
___________________
Nolug mailing list
nolug@nolug.org
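
Added example, not part of the original message and not any vendor's tooling: a sketch of the lease-versus-traffic check discussed in the message above, which only flags sightings for manual investigation rather than blocking them. The lease and ARP records are constructed sample data, and the function and field names are assumptions.

```python
from datetime import datetime, timedelta

T0 = datetime(2002, 12, 12, 8, 0)
H = timedelta(hours=1)

# Constructed DHCP lease records: (ip, mac, lease_start, lease_end).
LEASES = [
    ("10.0.0.10", "00:10:aa:00:00:01", T0, T0 + 24 * H),
    ("10.0.0.11", "00:10:aa:00:00:02", T0 + 2 * H, T0 + 26 * H),
]

# Constructed sightings, e.g. sampled from a router ARP table: (time, ip, mac).
OBSERVED = [
    (T0 + 1 * H, "10.0.0.10", "00:10:AA:00:00:01"),  # matches its lease
    (T0 + 1 * H, "10.0.0.11", "00:10:aa:00:00:99"),  # static IP, no lease yet
    (T0 + 3 * H, "10.0.0.11", "00:10:aa:00:00:99"),  # lease now held by another MAC
    (T0 + 3 * H, "10.0.0.11", "00:10:aa:00:00:02"),  # the legitimate lease holder
    (T0 + 3 * H, "10.0.0.12", "00:10:aa:00:00:03"),  # IP never leased
]


def flag_for_review(leases, observed):
    """Return (time, ip, mac, reason) for sightings that no lease explains.

    Limitation noted in the message: MACs are easily spoofed, so a host that
    clones a leased MAC passes this check. The output is a review queue,
    not a block list.
    """
    by_ip = {}
    for ip, mac, start, end in leases:
        by_ip.setdefault(ip, []).append((mac.lower(), start, end))

    flagged = []
    for ts, ip, mac in observed:
        # Leases for this IP that were valid at the moment of the sighting.
        active = [l for l in by_ip.get(ip, []) if l[1] <= ts <= l[2]]
        if not active:
            flagged.append((ts, ip, mac, "no-active-lease"))
        elif all(l[0] != mac.lower() for l in active):
            # The conflict case: the address is leased to someone else.
            flagged.append((ts, ip, mac, "mac-mismatch"))
    return flagged


if __name__ == "__main__":
    for ts, ip, mac, reason in flag_for_review(LEASES, OBSERVED):
        print(ts.isoformat(), ip, mac, reason)
```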