[ previous ] [ next ] [ threads ]
 
 From:  "Bob Young" <bob at lavamail dot net>
 To:  <cdl at asgaard dot org>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] LAN/WISP block or WAN block ?
 Date:  Tue, 1 Aug 2006 23:11:34 -0400
Hi Chris:

I see what you are saying.  I'll be sure to have a limitation of liability
in my TOS.

I was trying to keep people from hogging the BW with p2p applications.  I
was worried that I could have one or two people, bring my WISP to its knees
if they download or upload like crazy.  I was trying to find a way to
protect my network from the BW hogs...lol.

Your point is well taken and sounds reasonable also.  I'll be sure to have a
lawyer look over my TOS.

I pretty much have most all my paperwork ready.  I even have my door hangers
ready to hand out.  The only hurdle left before I start my business, is I
want to learn how traffic shaper works.  After that I'll be handing out my
door hangers.  I hope I can get traffic shaper figured out before the end of
this week.

Thanks much for your kind information.

Regards,

Bob

-----Original Message-----
From: cdl at asgaard dot org [mailto:cdl at asgaard dot org] 
Sent: Tuesday, August 01, 2006 9:04 PM
To: Bob Young
Subject: Re: [m0n0wall] LAN/WISP block or WAN block ?

Bob,

I've run a few ISPs in my time (including a tier1) and none that I've ever
known does a deny all (that is more of a corporate approach).  My guess is
that you will not have eoo many customers with that approach.

Also, you can't mandate firewalls for your customer.  It is everone's given
right and constitutionally protected ability to be stupid.  You can advise,
suggest, and enable, but not require (well you can, but you would have no
way of enforcing).  If you do mandate it, you then have to support it wheb
it breaks, and you DON'T want to be a proxy windows support team.  You won't
have resources for anything else.

As far a p2p and porn control - it is a. Moving target you won't hit.  Most
p2p today is cloaked and masquerades as other traffic (also, there are
legitimate p2p uses).  Same with porn.

The position that most of us take is the common carrier model - we don't
filter anything, therefore we deny any sensorship liabilities.  If you do
filter anything, you open yourself to charges of restraint of free speech on
one hand, and lack of dilligence on the other.  If you filter porn, and
someone's Bobby finds a way past your filters (and Bobby WILL), Bobby's
parents sue you for dereliction of duty.  As you do filter some things, you
just gave them a stronger case.  Common Carrier policies are your friend.

Chris
  Sent via Blackberry  

-----Original Message-----
From: "Bob Young" <bob at lavamail dot net>
Date: Mon, 31 Jul 2006 19:58:10 
To:<m0n0wall at lists dot m0n0 dot ch>
Subject: RE: [m0n0wall] LAN/WISP block or WAN block ?

Hi Chris, krk, Andrew and everybody:
 
Thank you for your help and time.
 
I hope I'm responding properly here.  I'm just learning how to respond to
the lists responses.  It's so great that you all are here helping us
Monowall newbies out.  I'm sure happy I learned about Monowall.
 
To get to what you mentioned about network security, I'll try to explain why
I picked trying to block just certain data:
 
I'm going to use my Monowall in a WISP operation, whereby I won't know what
types of data and applications my WISP customers will be using.  
 
I figure I could take one of two different approaches:
1.  DENY MODE, whereby I allow only what I know is safe and deny all else (I
would use a "kill" rule at the end that blocks everything not permitted in a
previous rule).
2.  ALLOW MODE, whereby I will allow everything unless it is explicitly
denied.
 
In my WISP operation, if I blocked everything and allowed data I know to be
safe to pass, I still might be blocking valid data from my WISP customers,
since I probably will never know all the different valid applications they
will be running.  And I could get my WISP customers mad at me.  That's why I
was worried about blocking everything and allowing just some types of data
to pass.
 
So I decided to use the ALLOW MODE, and just block the data I know is
bad.but I probably won't get it all.  I will also require my customers to
use Zone Alarm on their computers, as an extra firewall measure.  Also I'll
tell my customers they can't run any P2P applications.although I don't know
how that will go over.  Plus I guess I'll have to get an MRTG program and
collect stats to see if any one customer is overloading my network.  I don't
want any power users.just average users.
 
And, in the Traffic Shaper, I'll put certain types of data at the top, like
VoIP, ACK, DNS.  And regular browsing will be a little below the VoIP.  And
P2P and what's left over will be put right at the bottom of the cue.although
I still have to learn how to set up my Traffic Shaper.I'm going to get to
that this week.
 
From what I have explained, does the allow mode seem ok for my WISP
operation?
 
Thank you all for your help,
 
 
Bob Young
 
--------------------------------------
 
On 7/31/06, C. Andrew Zook <andrewzook at pdqlocks dot com> wrote:
> If you are worried about the security of your network, it would be a lot
> safer to just block everything and allow only the ports that you need
> rather than try to figure out what bad ports to block.
> 
 
Yes.  Doing otherwise violates both #1 and (to a lesser extent) #2 of
The Six Dumbest Ideas in Computer Security.  I'll let Marcus explain.
http://ranum.com/security/computer_security/editorials/dumb/index.html
 
-Chris