|
 |
>> Now imagine if there were a standard, widely-implemented system for
>> letting the customer make those configuration changes themselves...
>> Let's face it, the ISP's routers are almost certainly remote-manageable
>> anyway. If the unwanted packets can be blocked at the entrance to the
>> ISP's network, they can save themselves the bother of having to route a
>> bunch of traffic. (Although the amount of data you can fire at one
>> customer is probably peanuts compared to the ISP network capacity.)
>>
>> Ah well, dream on...
>
> Then it would take 2.5 nanoseconds for a hacker to steal your
> credentials and make those changes for you. BLAM! total denial of service.
...or you could, you know, make it so the command interface is only
accessible from the customer's side of the firewall? Then they have to
actually hack the customer's system first.
> Some IDS/IPS vendors have programmed routines in their systems that can
> automatically change firewall rules in the event that they detect an
> attack, yet the majority of installations leave this feature turned off
> because people are afraid of false alerts blocking valid traffic, and
> having HAL in control of the pod bay doors.
>
> I'm sure ISPs feel the same way about having their customers be able to
> play with their firewall configs.
Well, yeah, you wouldn't want to give clueless users direct access to
the actual firewall configuration. You'd want some higher-level way of
allowing people to select "features" they want or don't want, and then
have some software manage translating that into actual IP configuration
changes. (For starters, there are going to be rules that the ISP don't
want users to be able to turn off...)
Post a reply to this message
|
|
