You can put the security in the core network

Commentary — It is troubling to read a network security-related rant on eWeek where the columnist misses obvious points.

Quoting the eWeek story:

It is not uncommon for support workers at ISPs to tell users who call in for assistance to turn off anti-virus programs and firewalls before any help can be provided. I guess virus- and worm-ridden computers are much easier to troubleshoot and support. (…)

But maybe anti-virus programs and firewalls are overrated as security tools. In a response to my column, IT consultant Triona Guidry told me that a support person at an ISP informed one of her clients that he didn’t need these kinds of tools because the ISP network already had them.

I would really love to see that ISP network—it must be almost magical. Why, this ISP apparently has been able to pull off a level of network-based protection that would make any corporation or government envious.

It is true that ISPs ask users to turn their anti-virus and firewall software off. I’ve experienced this once. I answered “no way” to the friendly prompt. The operator replied: “I’m sorry, I can’t do anything for you if you do not cooperate.” This pissed me off so much — I had spent half a day configuring a server and this clueless person wanted me to let viruses in?!? — that they eventually escalated the call. And level-3 tech support acknowledged I merely needed to answer ICMP-related queries. So if anything, the main problem comes from the lack of a skilled workforce involved in level-1 tech support. And who can blame the ISPs for this? Most of the time, users just need help to configure MS-Outlook. Do you really expect these same users to configure their firewall to let ICMP in and out?
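As an added illustration (not part of the original post), here is a host firewall that stays enabled during a support call and only answers the ICMP diagnostics mentioned above. The nftables ruleset is a constructed example; the table name `support_diag` and the rate limits are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: keep a default-drop inbound policy and answer
# ping-style diagnostics instead of disabling the firewall.

# Idempotent reload of this table only; other tables are left untouched.
table inet support_diag
delete table inet support_diag

table inet support_diag {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic and replies to connections this host opened.
        # "related" also covers ICMP errors tied to our own outbound flows.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Answer echo requests (ping, ICMP-based traceroute), rate-limited
        # so the exception cannot be used to flood the host.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept

        # IPv6 stops working under a drop policy without neighbor discovery
        # and path-MTU messages, so these stay allowed.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, packet-too-big } accept

        # Everything else falls through to the drop policy; log a sample
        # so a blocked diagnostic probe is visible during the call.
        limit rate 10/minute log prefix "input-drop: "
    }
}
```

The log line gives the person on the phone something concrete to read back if support claims the host is unreachable.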

Speaking of level-1 tech support, here’s a tip if you don’t like to deal with them: When you call your ISP’s tech support, immediately ask for level-2 or level-3 support. They’ll usually let you through if you ask them to confirm your diagnosis in a straightforward manner, e.g. “xyz.xyz.xyz.xyz, named blah.isp.domain is one of your machines, right? I trace my packets until there but it looks like something is down right behind it. Thank you for passing me on to someone who can tell me how long it will take to solve the issue.” If this doesn’t work, hang up, find the Head of Technical Support or the Head of Technology using a search engine, call the company’s HQ and ask to speak to him. When prompted to leave a message, ask what the guy in charge of network operations’ name is and whether he or one of his colleagues is available. If they don’t put you through at this point, call a random person in the company. As in: “Oops, I’m so sorry, I thought I dialed [guy in charge of network operations’ name]’s phone number. Would you mind transferring me please?” Oh, and… Don’t forget to immediately ask for a direct phone number upon getting the right person — before he understands you just bypassed the entire support procedure.

Regarding whether you need an anti-virus and a firewall, I would challenge the relevance of the antivirus at the very least. I have no antivirus, but I’ve a tool that protects my registry settings. Technically, however, it never has been necessary in the past years. My two firewalls — one on the router, and one on the PC — have blocked every single threat. Why? Because Windows viruses don’t usually target Cisco software. Because I’ve disabled active components almost entirely on my browser. And because I read my emails as plain text. Thus, exposure is minimal.

But do I really need the firewall at all? It depends. A firewall is meant to reduce your exposure to security threats, so technically, I’d say you want an active firewall on every device. However, if you are a clueless user with a single computer, as is the case with many ISP customers, you might prefer that the ISP takes care of it. Which it can, since multiservice access routers let you manage firewalls, VPNs and antiviruses from within your network’s core. Compare your internet connection with a tunnel. Putting the security measures at one end or the other makes no difference whatsoever. Hence, you might as well put the firewall, VPN and antivirus at the edge the ISP is managing rather than at the edge the user is managing. If you’re a company, however, things are different: As soon as you have two devices, you want firewalls around.

Comments on You can put the security in the core network

  1. James Rapoza, the column’s author, sent the following answer by email:

    Thanks for the response.

    You make many excellent points about asking for higher-level support when calling in, though many don’t do this.

    I also agree that advanced users often don’t need anti-virus software. But of course most users aren’t even competent, never mind advanced. Many of the personal firewall programs are either straight out bad or too complex for regular users to configure and use properly. And I also understand that when used improperly these programs can either cause communication problems or lead clueless users to think that they have a connection problem.

    All that said, I still think that shutting off a firewall needs to be the last step in a support situation. Many users install stuff they know nothing about that hoses their computer. In this situation it’s pretty much a given that this person’s PC is probably loaded with spyware or, worse, trojans that will attack and infect other computers on the internet. The only thing keeping these things from attacking others is that poorly configured piece of garbage personal firewall. In this situation I think the doctor’s saying of “first do no harm” should apply.

    A lot of ISPs have started offering different types of programs to their subscribers to make things more attractive such as pop-up blockers and other tools. A potential solution is for ISPs to offer a firewall to their subscribers (either as part of the subscription or an upgrade price). This firewall can be pre-configured and the support personnel will know it well enough to probably deal with most problems.

    One last thing. If there was one thing I could go back and change about the column, I would make it clear that all of the original issues I mentioned were from large telecom and cable ISPs, and also state that this is an opportunity for smaller ISPs who typically provide much better support than the big guys.