CLEC Getting Started

Securing Residential Broadband Connections: The Personal Firewall Approach

By Lisa Phifer
Core Competence, Inc.

Last month, EarthLink (www.earthlink.net) joined the growing camp of residential broadband providers using personal firewalls to address subscriber concerns about Internet security. "It's important that all our DSL customers feel secure," said Mike Lunsford, EarthLink's executive VP of broadband services. "Security has become one of the top concerns for those considering broadband access."

To break through this barrier to market growth, EarthLink plans to provide both new and existing DSL subscribers with free personal firewall software. PC-based subscribers will receive a redeemable electronic coupon to download Symantec's Norton Personal Firewall. Mac subscribers aren't left flapping in the wind -- they can download Open Door's DoorStop (www.opendoor.com). Both products are designed to prevent surreptitious outsider access to Internet-connected desktops by blocking ports and raising alerts when intrusion attempts are detected.

Growing Trend
EarthLink is not alone in applying a personal firewall band-aid to safeguard residential broadband PCs. In January, Excite@Home announced that it would offer a free 90-day account and discounted subscription for McAfee.com's Personal Firewall. "Excite@Home is committed to bringing the best security tools available to our customers," said @Home president of subscriber networks Adam Grosser. "Through our affiliation with McAfee.com, our customers can get added features that provide deeper protection capabilities."

Prodigy's DSL subscribers can freely download ZoneAlarm, a personal firewall that includes mail attachment scanning and unattended PC lock-down. According to Prodigy, "Every time you go out on the Net, hackers could drop in on your computer. Rest Eazy with our free Internet security blanket."

Even wholesalers are getting in on the action. Covad Communications provides on-line guidance regarding Internet security issues. In its "Tips To Keep You & Your Information Safe", Covad suggests that home users use a personal firewall. "Covad recognizes the importance of addressing Internet security issues and informing users about how to keep their information safe. Just like people take precautionary measures to protect their cars and home from being broken into, people need to be aware and take the necessary measures to safeguard themselves in the online world." Covad's on-line guide does not single out a specific firewall, but notes that "hundreds" exist, some of them free.

Rattled Door Knobs, and More
What are residential broadband subscribers so worried about? Desktop exposure to the Internet increases significantly when a residential user upgrades from dial-up to DSL or cable modem. And, very important from a psychological standpoint, these users lose control over their Internet connection. DSL and cable providers can argue about features that affect security, like broadcast vs. dedicated media and static vs. dynamic IP addressing. But, when it comes down to it, many residential users are confused and scared by this techie one-upmanship. Like the imaginary monster that hides under the bed at night, residential users worry that something sinister lies in wait when they leave their desktop connected to the Internet 24 hours a day. Personal firewalls help users regain that feeling of control by watching over unattended desktops and letting users see what happened while they weren't looking.

But, unlike the imaginary monster, this threat is real. Residential users who monitor access may be surprised by how often they get scanned -- and shocked by what the scanners find. According to the Yankee Group, most broadband users (70-80%) have had their system probed. Many probes are harmless "door knob rattling." It isn't difficult for a "script kiddie" to locate an address block registered by a broadband provider, then use a scanner to find unprotected desktops listening to well-known ports.

Unfortunately, countless users, whether connecting over dial-up, DSL, or cable, unwittingly expose information through Microsoft file sharing (installed with Windows by default). "Any live connection to the Internet is getting poked by the 'alternative security engineers' in the hopes that it yields unauthorized access to networks and information," said Tina Darmohray, a consultant who teaches about firewall best practices at TISC. Furthermore, the threat is not limited to personal data. "These connections are often used to access corporate networks, or may provide direct access to sensitive [corporate] information," said Darmohray.

McAfee's Director of Technical Marketing Philip Attfield warns that unprotected residential PCs can be exploited by hackers seeking to "install an agent to launch a Distributed Denial of Service (DDOS) attack". DDOS attacks can employ hundreds of PCs, compromised by someone who planted a "trojan horse". Trojans are destructive code, hidden inside a seemingly-harmless executable. DDOS trojans may not harm the user's PC. But, at a scheduled time, trojans awaken and, together, generate a massive attack on the target: typically, a web site so flooded with bogus connections that it can no longer service customer requests.

As CLEC-Planet columnist Dave Burstein concluded, "Good thing top hackers are explorers, not malicious." Burstein warns that DSL LECs who claim there is no security threat leave themselves exposed to legal action if and when a costly intrusion occurs. "Obscure warnings on your web site would be no defense in court if a meticulous lawyer found comments like these or simply proved negligence."

Taking Action
Residential broadband providers have several alternatives for securing subscriber lines, and they are not mutually exclusive.

David Graves, Managing Director, ISP Architecture, at BroadView, is implementing a two tier strategy for business and residential DSL. "When the user has a router, we'll manage the built-in firewall," said Graves. For individual users with modems, "We'll be making use of packet filtering inherent in our aggregators to create virtual firewalls for DSL users. We also have extensive intrusion detection on our own network, including trap doors. So, if we find any port scanners, it's goodbye BroadView, hello /dev/null."

Offering security as a managed service can be attractive from a consumer standpoint. "The Internet is still more complicated than most people want, so we manage it for them," said Graves. "Our goal is not to build Fort Knox, but to make sure that all of the windows and doors are locked. For the average user, we provide a service that gives a reasonable level of protection."

But packet filters can be a maintenance headache for the LEC. BroadView will offer a control panel for the small percentage of users they expect to want custom filters. But even choosing a default policy for residential users can be tricky. "We're still tangling about whether the default setting for the single user comes with filters on or off -- opt-in or opt-out," said Graves. "We're trying to figure out if more people will be annoyed by hacking, or annoyed because their Napster doesn't work if we install filters."

Businesses and residential power users that connect entire LANs rather than individual desktops can be protected with filters on the router or Internet appliance at the customer premises. Many providers go the way of BroadView, configuring defaults that block incoming traffic, leaving customization up to the subscriber. Firewall experts like Darmohray can easily configure these filters. Perhaps most businesses can also do so, with assistance from their provider. But the average residential subscriber? He or she probably uses a modem, or treats the bridge/router as a black box, best left untouched.

Thus, for the single-desktop residential broadband user, personal firewall software use is growing. The golden rule in the residential market: "Keep it simple." Fred Avolio, a colleague who teaches virtual private networking at N+I and TISC, put it rather succinctly. "It would not only be beneficial, but good business for DSL/cable providers to offer residential subscribers personal firewall software and anti-virus software when they sign up. These should be accompanied by a short booklet explaining why both are so important to the home user." In other words, don't just hand out personal firewall software -- select it carefully, and tell your subscribers how to use it.

Selecting A Personal Firewall
Many personal firewalls start with packet filters that block incoming traffic while enabling outgoing traffic. To avoid teaching home users about port numbers and packet filters, look for software that hides everything under a "security level" knob. For example, BlackICE Defender (www.networkice.com) offers "Cautious" protection by default (block incoming traffic to well-known TCP and UDP ports). Sybergen Secure Desktop (www.sybergen.com) can be set to UltraHigh (block all), Medium (allow common services), Low (allow all but detect attacks) and Disabled. ZoneAlarm (www.zonelabs.com) uses levels, but adds an "Internet Lock" to cut off traffic when a lock button is pushed or the PC is left unattended.

Many personal firewalls make it easy to block Microsoft file sharing; some do this by default. Some have "pass through" buttons to simplify filter re-configuration for common exceptions, like virtual private networks. Some personal firewalls also protect against unintended outgoing traffic (e.g., trojans phoning home) by monitoring desktop application activity. For example, ZoneAlarm and McAfee.com Personal Firewall ask for permission before letting Internet Explorer or Eudora connect to the Internet for the first time.

Most personal firewalls provide an activity log to alert the user to attempted intrusions. Some products add pop-ups or email notifications. BlackICE Defender includes a real-time graph of attempted attacks and network traffic; individual attacks are hot-linked to online advice on how to address each type of attack. Once you've given subscribers the ability to detect intruders, it's important to help them separate innocuous door-rattling from noteworthy events. The signal-to-noise ratio can be low, and you don't want your help desk flooded with calls that could have been avoided with better documentation.
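As an added illustration (not part of the original article, and not any vendor's code), here is a small triage routine run over a constructed activity-log sample in an assumed line format; it flags probes of the Microsoft file-sharing ports and rapid multi-port scans as noteworthy, and treats everything else as door-knob rattling:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a personal-firewall activity log (not real data).
# Assumed line format: "<ISO time> BLOCK <proto> <src_ip>:<src_port> -> <dst_port>"
SAMPLE_LOG = """\
2000-04-02T01:12:05 BLOCK TCP 10.0.0.5:4011 -> 139
2000-04-02T01:12:06 BLOCK TCP 10.0.0.5:4012 -> 445
2000-04-02T02:30:41 BLOCK UDP 192.0.2.77:53302 -> 1900
2000-04-02T03:05:10 BLOCK TCP 198.51.100.9:2201 -> 21
2000-04-02T03:05:10 BLOCK TCP 198.51.100.9:2202 -> 23
2000-04-02T03:05:11 BLOCK TCP 198.51.100.9:2203 -> 25
2000-04-02T03:05:11 BLOCK TCP 198.51.100.9:2204 -> 80
2000-04-02T03:05:12 BLOCK TCP 198.51.100.9:2205 -> 110
2000-04-02T03:05:12 BLOCK TCP 198.51.100.9:2206 -> 143
"""

LINE_RE = re.compile(r"^(\S+) BLOCK (TCP|UDP) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+)$")
FILE_SHARING_PORTS = {137, 138, 139, 445}   # NetBIOS name/datagram/session and SMB
SCAN_PORTS = 5          # this many distinct ports from one source ...
SCAN_WINDOW_SEC = 60    # ... within this many seconds is treated as a port scan


def parse_log(text):
    """Yield (timestamp, source_ip, destination_port) for each blocked inbound packet."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(3), int(m.group(4))


def triage(text):
    """Map each source IP to 'file-sharing probe', 'port scan' or 'door-knob rattling'."""
    hits_by_src = defaultdict(list)
    for ts, src, port in parse_log(text):
        hits_by_src[src].append((ts, port))
    verdict = {}
    for src, hits in hits_by_src.items():
        ports = {port for _, port in hits}
        times = [ts for ts, _ in hits]
        span = (max(times) - min(times)).total_seconds()
        if ports & FILE_SHARING_PORTS:
            verdict[src] = "file-sharing probe"      # worth a look: default Windows exposure
        elif len(ports) >= SCAN_PORTS and span <= SCAN_WINDOW_SEC:
            verdict[src] = "port scan"               # worth a look: systematic probing
        else:
            verdict[src] = "door-knob rattling"      # log it, don't call the help desk
    return verdict
```

A help-desk FAQ can then explain the two "worth a look" verdicts once, instead of fielding a call for every isolated blocked packet.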

Many personal firewalls are bundled with other security tools. For consumer privacy, Norton Personal Firewall blocks web sites from depositing unwanted cookies. Aladdin's eSafe Protect Desktop (www.ealaddin.com) includes anti-virus scanning and "sandboxes" for safer application execution. ZoneAlarm scans email attachments. Another popular add-on is URL filtering for child-safe surfing. Every product has its own unique spin; these are just a few examples.

Do whatever you can to make sure that most subscribers will be satisfied with your firewall's default settings. Collaborate with a personal firewall vendor to package a version that fits your service, if necessary. Unfortunately, there are always exceptions. Customization is a double-edged sword: expose too much detail and you'll scare off the average residential user. Eliminate all configuration options and you're left with rigid, inflexible software of limited utility. While things are improving, I have yet to find a personal firewall that wouldn't bewilder the average user when advanced settings are required. One interesting approach to this problem: centralized management tools that let the provider make customizations (e.g., Sybergen Management Server). Another interesting approach, which reduces the burden of ongoing software updates: personal firewall application services (e.g., McAfee.com, myCIO.com).

Conclusion
Broadband providers like EarthLink, Excite@Home, Prodigy, BroadView, and others have shown that they are paying attention to subscriber concern about Internet security. Making personal firewalls available to residential subscribers may not be the perfect solution for everyone: I still can't imagine asking my grandmother to install one, no matter how simple the GUI might appear. But showing you care about security may make the difference between a new subscriber and a lost sale.

Lisa Phifer is vice president of Core Competence, a network consulting firm located in Chester Springs, PA. She has been involved in OSS design and development for local and inter-exchange carriers for nearly a decade.