Endpoint
4/26/2017
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What Role Should ISPs Play in Cybersecurity?

There are many actions ISPs could do to make browsing the Web safer, but one thing stands out.

For well over a decade, the security industry has debated what role Internet service providers (ISPs) should take in cybersecurity. Should they proactively protect their customers with upstream security controls and filters (e.g., intrusion prevention systems, IP/URL blacklists, malware detection, etc.), or are customers responsible for their own security?

ISPs can have a much wider impact on overall state security because of their advantageous position in the network (that is, acting as our doorway to the Internet). Still, there are good arguments against ISPs taking too much of a security role — many of which I agree with. Ultimately, I believe there is one thing IPSs must do to improve everyone’s security, but before we get into that, let me start with the arguments against ISPs taking too strong of a role.

1. Badly managed security controls can disrupt business or legitimate activities. If you’ve ever used an intrusion detection or prevention solution, you know they occasionally have false positives. These false positives can block legitimate traffic from paying customers. Although a normal business can manage these, doing so for thousands if not tens of thousands of customers would be a logistic nightmare.

2. Some security can invade privacy. Many security controls not only monitor where you go on the Internet but also deeply analyze the content of your traffic and log all activity for later forensic analysis. This opens up the possibility of ISPs using this data for other reasons (although technically, they could be doing this anyway). Still, giving ISPs access to more information about people’s Web browsing worries Internet privacy supporters.

3. Certain security comes off as censorship. What’s the difference between an inappropriate site and a dangerous site? Sometimes that's a gray area. Sometimes a website you want to visit may have had a malicious ad on it in the past and been blacklisted. Would you accept ISPs blocking it? Many kinds of ISP controls would feel like censorship because they take away freedom of choice.

4. ISPs can’t take liability for your mistakes. Simply put, we can’t hold ISPs liable for our security because they can’t control their customers. Even if an organization has the best security controls in the world, its people can still do dumb things that get them infected. For ISPs to get involved in security at all, we have to allow them to do so without liability for all our security issues.

5. Where does ISPs security stop? Should ISPs just monitor our traffic for known bad stuff? Should they firewall us? Should they enable intrusion prevention to block exploits? Should they filter bad sites? Should they scan our networks for vulnerabilities and block devices that haven’t been patched? Setting up regulations to keep ISPs from going too far down this slippery slope would be another serious logistical challenge.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

As far as preventative security controls go, I think ISPs can offer optional security services, but ultimately should leave it to their customers to decide whether to protect themselves or not. However, there is one thing all ISPs should do to protect everyone today: block IP address spoofing.

IP address spoofing is a very old and simple attack in which a malicious computer sends a network packet with a false source IP address. IP spoofing offers limited value in normal attacks, because when you send packets claiming to be from another computer, that other computer gets the replies, not you. However, IP spoofing does play a big role in one type of attack: distributed denial-of-service (DDoS) attacks. A reflective DDoS attack sends queries to particular services pretending to be the IP address of its victim. Those services will send large replies back to the victim, overwhelming them with traffic.

By definition, ISPs have full knowledge of the public IP addresses we all receive, and know which ones belong on their networks. With this information, IP spoofing is dead simple to detect and block.

In fact, for decades there have been common Internet standards and best common practices that detail exactly how network providers can prevent IP address spoofing by configuring routing devices to validate source addresses and block spoofed traffic. Some examples include RFC 2827, BCP 38, and the updated BCP 84. Most network gear, from routers to security appliances, offer simple features and filters to do just that. If all ISPs followed these long-held best practices, they could greatly lessen certain types of DDoS attacks, without adversely affecting their customers’ networks.

The good news is that many ISPs already do this. According to the Center for Applied Internet Data Analysis (CAIDA), around 70% of IP space is unspoofable, meaning many ISPs must be doing some filtering. The problem is that if even a few ISPs continue to allow spoofing, attackers can leverage those stragglers against others. If there is one thing we need to demand of all our ISPs, it’s to implement this one well-known common best practice.

So, while I don’t believe that ISPs should get too involved in security for the reasons listed above, IP spoofing is a network operator problem that could be easily fixed if the industry required all ISPs to follow best practices. Let’s make BCP 38 and 84 mandatory. 

Related Content:

 

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.