Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2017
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What Role Should ISPs Play in Cybersecurity?

There are many actions ISPs could do to make browsing the Web safer, but one thing stands out.

For well over a decade, the security industry has debated what role Internet service providers (ISPs) should take in cybersecurity. Should they proactively protect their customers with upstream security controls and filters (e.g., intrusion prevention systems, IP/URL blacklists, malware detection, etc.), or are customers responsible for their own security?

ISPs can have a much wider impact on overall state security because of their advantageous position in the network (that is, acting as our doorway to the Internet). Still, there are good arguments against ISPs taking too much of a security role — many of which I agree with. Ultimately, I believe there is one thing IPSs must do to improve everyone’s security, but before we get into that, let me start with the arguments against ISPs taking too strong of a role.

1. Badly managed security controls can disrupt business or legitimate activities. If you’ve ever used an intrusion detection or prevention solution, you know they occasionally have false positives. These false positives can block legitimate traffic from paying customers. Although a normal business can manage these, doing so for thousands if not tens of thousands of customers would be a logistic nightmare.

2. Some security can invade privacy. Many security controls not only monitor where you go on the Internet but also deeply analyze the content of your traffic and log all activity for later forensic analysis. This opens up the possibility of ISPs using this data for other reasons (although technically, they could be doing this anyway). Still, giving ISPs access to more information about people’s Web browsing worries Internet privacy supporters.

3. Certain security comes off as censorship. What’s the difference between an inappropriate site and a dangerous site? Sometimes that's a gray area. Sometimes a website you want to visit may have had a malicious ad on it in the past and been blacklisted. Would you accept ISPs blocking it? Many kinds of ISP controls would feel like censorship because they take away freedom of choice.

4. ISPs can’t take liability for your mistakes. Simply put, we can’t hold ISPs liable for our security because they can’t control their customers. Even if an organization has the best security controls in the world, its people can still do dumb things that get them infected. For ISPs to get involved in security at all, we have to allow them to do so without liability for all our security issues.

5. Where does ISPs security stop? Should ISPs just monitor our traffic for known bad stuff? Should they firewall us? Should they enable intrusion prevention to block exploits? Should they filter bad sites? Should they scan our networks for vulnerabilities and block devices that haven’t been patched? Setting up regulations to keep ISPs from going too far down this slippery slope would be another serious logistical challenge.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

As far as preventative security controls go, I think ISPs can offer optional security services, but ultimately should leave it to their customers to decide whether to protect themselves or not. However, there is one thing all ISPs should do to protect everyone today: block IP address spoofing.

IP address spoofing is a very old and simple attack in which a malicious computer sends a network packet with a false source IP address. IP spoofing offers limited value in normal attacks, because when you send packets claiming to be from another computer, that other computer gets the replies, not you. However, IP spoofing does play a big role in one type of attack: distributed denial-of-service (DDoS) attacks. A reflective DDoS attack sends queries to particular services pretending to be the IP address of its victim. Those services will send large replies back to the victim, overwhelming them with traffic.

By definition, ISPs have full knowledge of the public IP addresses we all receive, and know which ones belong on their networks. With this information, IP spoofing is dead simple to detect and block.

In fact, for decades there have been common Internet standards and best common practices that detail exactly how network providers can prevent IP address spoofing by configuring routing devices to validate source addresses and block spoofed traffic. Some examples include RFC 2827, BCP 38, and the updated BCP 84. Most network gear, from routers to security appliances, offer simple features and filters to do just that. If all ISPs followed these long-held best practices, they could greatly lessen certain types of DDoS attacks, without adversely affecting their customers’ networks.

The good news is that many ISPs already do this. According to the Center for Applied Internet Data Analysis (CAIDA), around 70% of IP space is unspoofable, meaning many ISPs must be doing some filtering. The problem is that if even a few ISPs continue to allow spoofing, attackers can leverage those stragglers against others. If there is one thing we need to demand of all our ISPs, it’s to implement this one well-known common best practice.

So, while I don’t believe that ISPs should get too involved in security for the reasons listed above, IP spoofing is a network operator problem that could be easily fixed if the industry required all ISPs to follow best practices. Let’s make BCP 38 and 84 mandatory. 

Related Content:

 

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13173
PUBLISHED: 2020-05-28
Initialization of the pcoip_credential_provider in Teradici PCoIP Standard Agent for Windows and PCoIP Graphics Agent for Windows versions 19.11.1 and earlier creates an insecure named pipe, which allows an attacker to intercept sensitive information or possibly elevate privileges via pre-installing...
CVE-2019-6342
PUBLISHED: 2020-05-28
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.
CVE-2020-11082
PUBLISHED: 2020-05-28
In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.
CVE-2020-5357
PUBLISHED: 2020-05-28
Dell Dock Firmware Update Utilities for Dell Client Consumer and Commercial docking stations contain an Arbitrary File Overwrite vulnerability. The vulnerability is limited to the Dell Dock Firmware Update Utilities during the time window while being executed by an administrator. During this time wi...
CVE-2020-13660
PUBLISHED: 2020-05-28
CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name.