CLEC Getting Started

Securing Residential Broadband Connections: The Personal Firewall Approach

By Lisa Phifer
Core Competence, Inc.

Last month, EarthLink (www.earthlink.net) joined the growing camp of residential broadband providers using personal firewalls to address subscriber concerns about Internet security. "It's important that all our DSL customers feel secure," said Mike Lunsford, EarthLink's executive VP of broadband services. "Security has become one of the top concerns for those considering broadband access."

To break through this barrier to market growth, EarthLink plans to provide both new and existing DSL subscribers with free personal firewall software. PC-based subscribers will receive a redeemable electronic coupon to download Symantec's Norton Personal Firewall. Mac subscribers aren't left flapping in the wind -- they can download Open Door's DoorStop (www.opendoor.com). Both products are designed to prevent surreptitious outsider access to Internet-connected desktops by blocking ports and raising alerts when intrusion attempts are detected.

Growing Trend
EarthLink is not alone in applying a personal firewall bandaid to safeguard residential broadband PCs. In January, Excite@Home announced that it would offer a free 90-day account and discounted subscription for McAfee.com's Personal Firewall. "Excite@Home is committed to bringing the best security tools available to our customers", said @Home president of subscriber networks Adam Grosser. "Through our affiliation with McAfee.com, our customers can get added features that provide deeper protection capabilities."

Prodigy's DSL subscribers can freely download ZoneAlarm, a personal firewall that includes mail attachment scanning and unattended PC lock-down. According to Prodigy, "Every time you go out on the Net, hackers could drop in on your computer. Rest Eazy with our free Internet security blanket."

Even wholesalers are getting in on the action. Covad Communications provides on-line guidance regarding Internet security issues. In its "Tips To Keep You & Your Information Safe", Covad suggests that home users use a personal firewall. "Covad recognizes the importance of addressing Internet security issues and informing users about how to keep their information safe. Just like people take precautionary measures to protect their cars and home from being broken into, people need to be aware and take the necessary measures to safeguard themselves in the online world." Covad's on-line guide does not single out a specific firewall, but notes that "hundreds" exist, some of them free.

Rattled Door Knobs, and More
What are residential broadband subscribers so worried about? Desktop exposure to the Internet is significantly increased when a residential user upgrades from dial-up to DSL or cable modem. And, very important from a psychological standpoint: these users lose control over their Internet connection. DSL and cable providers can argue about features that impact security, like broadcast vs. dedicated media and static vs. dynamic IP addressing. But, when it comes down to it, many residential users are confused and scared by this techie one-upmanship. Like the imaginary monster who hides under the bed at night, residential users worry that something sinister lies in wait when they leave their desktop connected to the Internet, 24 hours a day. Personal firewalls help users regain that feeling of control by watching over unattended desktops, and letting users see what happened while they weren't looking.

But, unlike the imaginary monster, this threat is real. Residential users who monitor access may be surprised by how often they get scanned -- and shocked by what the scanners find. According to the Yankee Group, most broadband users (70-80%) have had their system probed. Many probes are harmless "door knob rattling." It isn't difficult for a "script kiddie" to locate an address block registered by a broadband provider, then use a scanner to find unprotected desktops listening to well-known ports.

Unfortunately, countless users, whether connecting over dial-up, DSL, or cable, unwittingly expose information through Microsoft file sharing (installed with Windows by default). "Any live connection to the Internet is getting poked by the 'alternative security engineers' in the hopes that it yields unauthorized access to networks and information," said Tina Darmohray, a consultant who teaches about firewall best practices at TISC. Furthermore, the threat is not limited to personal data. "These connections are often used to access corporate networks, or may provide direct access to sensitive [corporate] information," said Darmohray.

McAfee's Director of Technical Marketing Philip Attfield warns that unprotected residential PCs can be exploited by hackers seeking to "install an agent to launch a Distributed Denial of Service (DDOS) attack". DDOS attacks can employ hundreds of PCs, compromised by someone who planted a "trojan horse". Trojans are destructive code, hidden inside a seemingly-harmless executable. DDOS trojans may not harm the user's PC. But, at a scheduled time, trojans awaken and, together, generate a massive attack on the target: typically, a web site so flooded with bogus connections that it can no longer service customer requests.

As CLEC-Planet columnist Dave Burstein concluded, "Good thing top hackers are explorers, not malicious." Burstein warns that DSL LECs who claim there is no security threat leave themselves exposed to legal action if and when a costly intrusion occurs. "Obscure warnings on your web site would be no defense in court if a meticulous lawyer found comments like these or simply proved negligence."

Taking Action
Residential broadband providers have several alternatives for securing subscriber lines, and they are not mutually exclusive.

David Graves, Managing Director, ISP Architecture, at BroadView, is implementing a two-tier strategy for business and residential DSL. "When the user has a router, we'll manage the built-in firewall," said Graves. For individual users with modems, "We'll be making use of packet filtering inherent in our aggregators to create virtual firewalls for DSL users. We also have extensive intrusion detection on our own network, including trap doors. So, if we find any port scanners, it's goodbye BroadView, hello /dev/null."

Offering security as a managed service can be attractive from a consumer standpoint. "The Internet is still more complicated than most people want, so we manage it for them," said Graves. "Our goal is not to build Fort Knox, but to make sure that all of the windows and doors are locked. For the average user, we provide a service that gives a reasonable level of protection."

But packet filters can be a maintenance headache for the LEC. BroadView will offer a control panel for the small percentage of users they expect to want custom filters. But even choosing a default policy for residential users can be tricky. "We're still tangling about whether the default setting for the single user comes with filters on or off -- opt-in or opt-out," said Graves. "We're trying to figure out if more people will be annoyed by hacking, or annoyed because their Napster doesn't work if we install filters."

Businesses and residential power users that connect entire LANs rather than individual desktops can be protected with filters on the router or Internet appliance at the customer premises. Many providers go the way of BroadView, configuring defaults that block incoming traffic, leaving customization up to the subscriber. Firewall experts like Darmohray can easily configure these filters. Perhaps most businesses can also do so, with assistance from their provider. But the average residential subscriber? He or she probably uses a modem, or treats the bridge/router as a black box, best left untouched.

Thus, for the single-desktop residential broadband user, personal firewall software use is growing. The golden rule in the residential market: "Keep it simple." Fred Avolio, a colleague who teaches virtual private networking at N+I and TISC, put it rather succinctly. "It would not only be beneficial, but good business for DSL/cable providers to offer residential subscribers personal firewall software and anti-virus software when they sign up. These should be accompanied by a short booklet explaining why both are so important to the home user." In other words, don't just hand out personal firewall software -- select it carefully, and tell your subscribers how to use it.

Selecting A Personal Firewall
Many personal firewalls start with packet filters that block incoming traffic while enabling outgoing traffic. To avoid teaching home users about port numbers and packet filters, look for software that hides everything under a "security level" knob. For example, BlackICE Defender (www.networkice.com) offers "Cautious" protection by default (block incoming traffic to well-known TCP and UDP ports). Sybergen Secure Desktop (www.sybergen.com) can be set to UltraHigh (block all), Medium (allow common services), Low (allow all but detect attacks) and Disabled. ZoneAlarm (www.zonelabs.com) uses levels, but adds an "Internet Lock" to cut off traffic when a lock button is pushed or the PC is left unattended.

Many personal firewalls make it easy to block Microsoft file sharing; some do this by default. Some have "pass through" buttons to simplify filter re-configuration for common exceptions, like virtual private networks. Some personal firewalls also protect against unintended outgoing traffic (e.g., trojans) by monitoring desktop application activity. For example, ZoneAlarm and McAfee.com Personal Firewall ask for permission before letting Internet Explorer or Eudora connect to the Internet for the first time.

Most personal firewalls provide an activity log to alert the user to attempted intrusions. Some products add pop-ups or email notifications. BlackICE Defender includes a real-time graph of attempted attacks and network traffic; individual attacks are hot-linked to online advice on how to address each type of attack. Once you've given subscribers the ability to detect intruders, it's important to help them separate innocuous door-rattling from noteworthy events. The signal-to-noise ratio can be low, and you don't want your help desk flooded with calls that could have been avoided with better documentation.
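The sketch below is an added example, not code from any product named in this article. It shows one way to separate blocked door-rattling from the two event types the article treats as serious: Microsoft file sharing reachable from outside, and an unexpected program connecting out. The log layout, the sample rows, and the approved-application list are all constructed assumptions.

```python
import csv
from io import StringIO

# Constructed sample log; this column layout is an assumption, not a real product format.
SAMPLE_LOG = """\
time,direction,proto,remote_ip,port,app,action
02:14:07,in,tcp,198.51.100.23,23,,blocked
02:14:09,in,tcp,203.0.113.77,80,,blocked
03:40:51,in,tcp,203.0.113.9,139,,allowed
04:02:10,in,udp,198.51.100.200,137,,blocked
09:15:33,out,tcp,192.0.2.44,6667,updater32.exe,blocked
09:20:02,out,tcp,192.0.2.80,80,iexplore.exe,allowed
"""

FILE_SHARING_PORTS = {137, 138, 139, 445}       # NetBIOS / SMB (Microsoft file sharing)
APPROVED_APPS = {"iexplore.exe", "eudora.exe"}  # hypothetical list the user has approved

def classify(row):
    """Return (severity, reason) for one parsed log row."""
    port = int(row["port"])
    if row["direction"] == "in":
        if row["action"] == "allowed" and port in FILE_SHARING_PORTS:
            return "noteworthy", "file sharing reachable from the Internet"
        if row["action"] == "allowed":
            return "review", "unsolicited inbound connection was accepted"
        return "noise", "blocked probe (door-knob rattling)"
    # Outbound: an unknown program is worth a look even if the attempt was blocked.
    if row["app"].lower() not in APPROVED_APPS:
        return "noteworthy", "unapproved program tried to connect out"
    return "noise", "approved application"

def triage(log_text):
    """Count the noise; keep only the rows a subscriber should actually read."""
    report = {"noise": 0, "review": [], "noteworthy": []}
    for row in csv.DictReader(StringIO(log_text)):
        severity, reason = classify(row)
        if severity == "noise":
            report["noise"] += 1
        else:
            report[severity].append((row["time"], row["remote_ip"], row["port"], reason))
    return report

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['noise']} routine events suppressed")
    for event in result["review"] + result["noteworthy"]:
        print(*event, sep="  ")
```
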

Many personal firewalls are bundled with other security tools. For consumer privacy, Norton Personal Firewall blocks web sites from depositing unwanted cookies. Aladdin's eSafe Protect Desktop (www.ealaddin.com) includes anti-virus scanning and "sandboxes" for safer application execution. ZoneAlarm scans email attachments. Another popular add-on is URL filtering for child-safe surfing. Every product has its own unique spin; these are just a few examples.

Do whatever you can to make sure that most subscribers will be satisfied with your firewall's default settings. Collaborate with a personal firewall vendor to package a version that fits your service, if necessary. Unfortunately, there are always exceptions. Customization is a double-edged sword: expose too much detail and you'll scare off the average residential user. Eliminate all configuration options and you're left with rigid, inflexible software of limited utility. While things are improving, I have yet to find a personal firewall that wouldn't bewilder the average user when advanced settings are required. One interesting approach to this problem: centralized management tools that let the provider make customizations (e.g., Sybergen Management Server). Another interesting approach, which reduces ongoing software updates: personal firewall application services (e.g., McAfee.com, myCIO.com).

Conclusion
Broadband providers like EarthLink, Excite@Home, Prodigy, BroadView, and others have shown that they are paying attention to subscriber concern about Internet security. Making personal firewalls available to residential subscribers may not be the perfect solution for everyone: I still can't imagine asking my grandmother to install one, no matter how simple the GUI might appear. But showing you care about security may make the difference between a new subscriber and a lost sale.

Lisa Phifer is vice president of Core Competence, a network consulting firm located in Chester Springs, PA.  She has been involved in OSS design and development for local and inter-exchange carriers for nearly a decade.
