For well over a decade, the security industry has debated what role Internet service providers (ISPs) should take in cybersecurity. Should they proactively protect their customers with upstream security controls and filters (e.g., intrusion prevention systems, IP/URL blacklists, malware detection, etc.), or are customers responsible for their own security?
ISPs can have a much wider impact on overall state security because of their advantageous position in the network (that is, acting as our doorway to the Internet). Still, there are good arguments against ISPs taking too much of a security role — many of which I agree with. Ultimately, I believe there is one thing IPSs must do to improve everyone’s security, but before we get into that, let me start with the arguments against ISPs taking too strong of a role.
1. Badly managed security controls can disrupt business or legitimate activities. If you’ve ever used an intrusion detection or prevention solution, you know they occasionally have false positives. These false positives can block legitimate traffic from paying customers. Although a normal business can manage these, doing so for thousands if not tens of thousands of customers would be a logistic nightmare.
2. Some security can invade privacy. Many security controls not only monitor where you go on the Internet but also deeply analyze the content of your traffic and log all activity for later forensic analysis. This opens up the possibility of ISPs using this data for other reasons (although technically, they could be doing this anyway). Still, giving ISPs access to more information about people’s Web browsing worries Internet privacy supporters.
3. Certain security comes off as censorship. What’s the difference between an inappropriate site and a dangerous site? Sometimes that's a gray area. Sometimes a website you want to visit may have had a malicious ad on it in the past and been blacklisted. Would you accept ISPs blocking it? Many kinds of ISP controls would feel like censorship because they take away freedom of choice.
4. ISPs can’t take liability for your mistakes. Simply put, we can’t hold ISPs liable for our security because they can’t control their customers. Even if an organization has the best security controls in the world, its people can still do dumb things that get them infected. For ISPs to get involved in security at all, we have to allow them to do so without liability for all our security issues.
5. Where does ISPs security stop? Should ISPs just monitor our traffic for known bad stuff? Should they firewall us? Should they enable intrusion prevention to block exploits? Should they filter bad sites? Should they scan our networks for vulnerabilities and block devices that haven’t been patched? Setting up regulations to keep ISPs from going too far down this slippery slope would be another serious logistical challenge.
[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]
As far as preventative security controls go, I think ISPs can offer optional security services, but ultimately should leave it to their customers to decide whether to protect themselves or not. However, there is one thing all ISPs should do to protect everyone today: block IP address spoofing.
IP address spoofing is a very old and simple attack in which a malicious computer sends a network packet with a false source IP address. IP spoofing offers limited value in normal attacks, because when you send packets claiming to be from another computer, that other computer gets the replies, not you. However, IP spoofing does play a big role in one type of attack: distributed denial-of-service (DDoS) attacks. A reflective DDoS attack sends queries to particular services pretending to be the IP address of its victim. Those services will send large replies back to the victim, overwhelming them with traffic.
By definition, ISPs have full knowledge of the public IP addresses we all receive, and know which ones belong on their networks. With this information, IP spoofing is dead simple to detect and block.
In fact, for decades there have been common Internet standards and best common practices that detail exactly how network providers can prevent IP address spoofing by configuring routing devices to validate source addresses and block spoofed traffic. Some examples include RFC 2827, BCP 38, and the updated BCP 84. Most network gear, from routers to security appliances, offer simple features and filters to do just that. If all ISPs followed these long-held best practices, they could greatly lessen certain types of DDoS attacks, without adversely affecting their customers’ networks.
The good news is that many ISPs already do this. According to the Center for Applied Internet Data Analysis (CAIDA), around 70% of IP space is unspoofable, meaning many ISPs must be doing some filtering. The problem is that if even a few ISPs continue to allow spoofing, attackers can leverage those stragglers against others. If there is one thing we need to demand of all our ISPs, it’s to implement this one well-known common best practice.
So, while I don’t believe that ISPs should get too involved in security for the reasons listed above, IP spoofing is a network operator problem that could be easily fixed if the industry required all ISPs to follow best practices. Let’s make BCP 38 and 84 mandatory.