Grail's Journal: Code Of Conduct For ISPs wrt Firewalls

In response to the Slashdot article, "Should ISPs Be The Little Man's Firewall," let's try to put together a "Code Of Firewall Conduct" for ISPs.

My thoughts to get it going are that we will need:

1. Statements regarding permanently blocked services
2. Statements regarding transient blocking of services (eg: during a virus' peak)
3. Statements regarding filtering (eg: content, rate or destination based filters)
4. Procedures for opt-out policies
5. Procedures for opt-in policies

I/we want to simultaneously:

• protect net-illiterate users from the dangers of the Internet (I'm talking real threats like viruses and crackers which will hunt you down, not the mythical "kiddie porn" which certain members of Parliament seem to be tripping over every day),
• protect the Internet (and thus our reputation and income stream) from spammers and virus labs, and
• allow competent administrators to take their own risks

Though I'm of two minds about that third item. On one hand I'm the one running the ISP, if they want to run their own ISP, they can find the capital to do it themselves. On the other hand, making life easier for competent administrators means I might attract more paying customers who don't tax my support staff. Except when they ask questions that I can't answer. Competent administrators who use my services aren't just customers they're associates or allies. So I guess they should be treated very nicely :)

So let's get to it. I'll probably respond to myself later this week with my own ideas for a "Code of Firewall Conduct".

Re:Wrong Level to Implement Firewall

[Grail]

I believe the ISPs border gateway is just one of several "right" places to set up a firewall.

Most installations of Windows have never seen a security patch - that's why all these viruses have such a great time.

I don't care that it's possible to retrofit a good firewall to Windows. The fact is, Windows as it is currently installed on most people's desks, is not firewalled, and is ideally suited to virus proliferation.

Therefore, as an ISP, I feel it is my responsibility to the rest of the Internet to do th

Opt-Out vs Opt-In?

[Grail]

This discussion [slashdot.org] started off one thread of thought - some people definitely don't want any safeguards in place.

Thus the code of conduct should require that the ISP comply with the demands of the customer. The ISP could accomplish this by having two broad categories - "ON" and "OFF". In the "ON" group you have the people who want some kind of firewall at the ISP level. In the "OFF" group, you've got the people who prefer to handle the firewall themselves.

The ISP would still allow people in the "ON" group

Re:Opt-Out vs Opt-In?

[Grail]

The question arises: what responsibility does the ISP have towards preventing ping floods and SYN floods from chewing up quota on the OFF lists' connections?

I had a problem with one of my ISPs, where my connection was getting ping-flooded (one source, tens of packets per second, each of them about 200 bytes long). I was dropping all the excess pings on the floor (rate limiting), but the ISP was still charging me for the traffic.

Should the ISP put rate limiting for common abuses, should that be negotiated