发新话题
打印

[转载]How Your ISP Protects You?

[转载]How Your ISP Protects You?

原始连接:http://www.cio.com/archive/110105/evil.html?page=1

In a mock courthouse earlier this year, the smack of a gavel opened a case for the ages. Behind one bench, the defendants: Internet service providers, on trial for not providing adequate security to their customers. Behind the other bench, the plaintiffs: fictional companies ravaged by distributed denial of service (DDoS) attacks. The jury: hundreds of IT security professionals, packed into a conference room at the Gartner IT Security Summit to watch it all unfold.

The plaintiffs argued that ISPs could do much more to improve security by scanning subscriber computers, monitoring traffic and shutting down suspicious network uses. The defendants claimed that performing such scans would violate user privacy and that it would be impossible to distinguish malicious traffic from legitimate e-mails.

Accusations flew. The plaintiffs equated ISP intransigence to that of a homeowner whose property is dangerous but doesn't buy a fence to keep others out. In response, the defendants said people should stay away from dangerous property; that safety is a responsibility that falls squarely on the individual. Next, in a rhetorical ploy, defense lawyers asked jurors if any of them would be willing to stay at a hotel that offered Internet access in exchange for the right to scan all computers for security vulnerabilities. Not one member of the audience raised a hand.

Around and around the two sides went, attacking each other like packs of wolves. The interchange got so heated at times that people almost forgot it was fake. Someday soon, however, this scenario could be real. As security threats such as DDoS attacks, identity theft and phishing continue to plague the Internet, ISPs find themselves under increasing pressure from business and consumers to eradicate risks before they get to the end users. Because ISPs control the pipes through which information is delivered, many customers, including CIOs, insist that service providers must play a more active role in securing the traffic that they deliver.

"Right now, all ISPs provide is entry to the Internet, period," says Stephen Warren, CIO of the Federal Trade Commission. "Believe me, it's in their best interests to get all the crap off their lines."

As Warren implies, the time for action is now. If water utilities can be required by state and local governments to deliver water that is clean and acceptable to drink, why can't ISPs be required to deliver data that is safe and threat-free? Such requirements would hold ISPs accountable for cleaning up their networks and force them to monitor traffic as it passes through their pipes for maliciousness of all kinds. Regulating ISPs in this way also would relieve at least some of the security burden from CIOs, freeing up more time, money and resources for other areas.

But so far, those types of government regulations and industrywide policies governing ISP security do not yet exist. In part, that's because ISPs came of age in the Wild West ethos of the Internet, and providers generally have been unwilling to spend the extra money and resources to secure the middle of the information pipe for all of their users. In addition, many ISPs think that if they become security cops or anything more than traffic carriers, they will be legally liable in the event of security breaches. They are also concerned about censorship issues and blocking legitimate e-mails that look like spam.

How valid are these concerns? Should ISP security be regulated much like utilities (and to a lesser extent, the airlines) are now? Are industrywide polices governing security even feasible? These were among the questions that jurors considered as they deliberated over a verdict at the Gartner mock trial. CIOs struggling to secure their own networks must stand among those who consider these questions and look for answers. After all, what's at stake is the viability of the Internet as a medium for commerce, communication and business connectivity into the 21st century and beyond.

"Security is something that everybody is accountable for—everybody including the ISPs," says Michael Vatis, an attorney at Steptoe & Johnson, a law firm in New York. "There has to be a better way to approach this than how we're doing it today."

The Wild Wild West
Much of the ISP industry's unregulated growth can be traced to the Telecommunications Act of 1996, the first major overhaul of telecommunications law in 62 years. The goal of the law was to create a free-market economy in which any single communications company could compete in any marketplace. According to Jonathan Zittrain, cofounder of Harvard Law School's Berkman Center for Internet and Society, the law and subsequent other FCC rulings opened the way for outfits promising to provide Internet service. All one needed to become an ISP was some cash, a few servers, the bandwidth to host real estate and a marketing plan to bring in customers. David McClure, president and CEO of the U.S. Internet Industry Association, estimates the number of ISPs today to be more than 400.

As ISPs grew helter-skelter, there was very little effort to standardize security on any level. The only real attempt came in 2003, when Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (Can-Spam) Act, which established requirements for sending commercial e-mail, spelled out penalties for spammers and companies whose products are advertised in spam, and gave consumers the right to ask spammers to cease and desist.

The law has been less than successful so far. Ask any CIO about what keeps her up at night and the general answer is security. Since 2003, the number of security threats has skyrocketed, with the typical suspects being viruses, spam, phishing scams and spyware. The new kid on the block, the DDoS attack, complicates matters even more. In this scenario, hackers use computer worms to take over vulnerable computers on corporate networks around the world. Then they tie the computers together through an Internet relay chat (IRC) server called a botnet. Unified as one, the rogues (or zombies, as they're sometimes called) set their sights on one particular corporate Web server, and simultaneously bombard it with data requests until the burden brings it down. These networks are responsible for 50 percent to 80 percent of all denial of service spam, according to various estimates.

Even among CIOs who spend millions on security, actions to prevent these threats breed nervousness. How do you know your firewall is equipped with the latest intrusion prevention signatures? How do you stop other threats such as viruses and spam? Most important, how do you protect yourself against spyware programs that infect vulnerable endpoints and turn them into zombie computers that launch DDoS attacks upon command? Just when CIOs think they've got everything under control, the hackers outsmart them and devise new ways to compromise a network's security.

"We are constantly bombarded," says Dewitt Latimer, deputy CIO at Notre Dame University, where the challenges of an inherently open academic network have him constantly on edge. "I find myself wishing that ISPs would help us out a little bit, if for no other reason than to eliminate a fraction of the security problems we worry about on a day-to-day basis."

Latimer adds that he assumes anything that is not on a private network is insecure. But what if some of these issues were resolved before traffic ever arrived at the network door? Since all external traffic must, at some point, be transported over the Internet, many CIOs say there's no better way to secure it than by securing the pipes themselves. Because ISPs serve as the conduit for all traffic into and out of a network, CIOs say these providers should be scanning subscriber computers for viruses, monitoring traffic for active hack attacks, and shutting down suspected network users immediately to protect the safety and sanctity of the connection for everyone else.

Why ISPs Are So Hands-Off
Richi Jennings, an analyst with Ferris Research in San Francisco, says that many ISPs wash their hands of these issues because such security measures are neither cost-effective nor conducive to revenue generation. For ISPs to be successful, they need volume, and resources spent on filtering malware or scanning subscriber computers ultimately affect the bottom line, Jennings says.

A perfect example of this philosophy is the ISP help desk. File a spam complaint with an ISP and Jennings notes it can be days before you receive a response, if you receive one at all. In most cases, he says, the response is automated. Sure, the ISP could be filing complaints away and pursuing them at a later time, but Jennings says that despite recently publicized lawsuits in which ISPs sued spammers for violating the Can-Spam Act and older state laws, most violations fly under the radar, even after they're reported.

"Rather than expend resources to try and stop all of these threats, most ISPs are taking the opposite approach and doing nothing," Jennings says. "It's just not a priority."

Kevin Dickey, deputy CIO and CISO for Contra Costa County, Calif., recently experienced this firsthand. After an attempted DDoS attack on the county network, Dickey asked his ISP for incident reporting logs. Though many ISPs keep these logs, Dickey's did not. So it was very difficult for him to identify and fix the hole the hackers had used to launch the attack (eventually he did patch it). Dickey declines to name the ISP because he says he's generally happy with it, but admits that the entire experience shocked him into realizing that security wasn't as much of a priority for the ISP as he had been led to believe.

Lawyers wonder if one reason ISPs shy away from security is a legal one. According to Benjamin Wright, a Dallas attorney who participated in the mock trial and specializes in Internet law, ISPs don't want to guarantee security because that could conceivably put them at risk for a negligence or invasion of privacy lawsuit. Wright alleges that scanning subscriber computers could violate privacy laws even after the packet leaves the desktop. Also, what happens if an ISP conducts a scan and blocks 100 threats but misses one? Zittrain says that if ISPs start taking responsibility for more than just carrying traffic, they could be making themselves legally liable. No lawsuits have been filed for this kind of negligence so far, but Zittrain says that an ISP knowingly permitting a zombie computer to remain on its network, which then wreaks havoc, could find itself sued. However, he doubts ISPs can be held legally accountable unless they have promised to protect their customers completely. "That's precisely why they're not promising complete protection," Zittrain says.

Scanning isn't the only legal quagmire. Even if ISPs could scan all incoming e-mail, it's nearly impossible for them to distinguish between, for example, a computer being used in a DDoS attack and legitimate Internet traffic such as the Weatherbug, which automatically checks National Weather Service servers every five minutes for regional weather updates. And just as ISPs can get themselves into hot water for blocking legitimate e-mail from a network, Zittrain says, they also can cause trouble when they are overzealous in monitoring legitimate e-mail going out of a network.

"If a customer is sending out 25 messages a day and suddenly blasts 500, that's a red light that maybe they have a spam zombie in place," says Don Blumenthal, Internet Lab Coordinator at the FTC. "Of course it also might be that the customer has just become [Parent-Teacher Association] president and is using his work computer to send out some personal e-mails. You just never know."

Down the road, perhaps the biggest security challenge could come from the increased use of encryption. For instance, Vista, the new Microsoft operating system that is expected to debut next year, streamlines point-to-point encryption across the Internet. As a result, ISPs and security vendors alike may have trouble determining which e-mail packets are legitimate and which are malicious, possibly giving hackers unmitigated opportunities to wreak havoc everywhere.

The ISPs say it's not as if they don't care about security. But because they operate in a free-market economy, the decision to provide security is one each provider makes individually. America Online, Comcast, EarthLink and SBC—the four largest ISPs by number of subscribers, according to a June 2005 market report from JupiterResearch—all provide users with some rudimentary security services in the form of standard e-mail filtering and antispyware protection. EarthLink, SBC and some other ISPs also attempt to prevent virus and worm outbreaks by blocking traffic through Port 25, the server port used for simple mail transfer protocol, or SMTP, transmissions. (For more on how this works, read "The First Line of Defense".) Many other ISPs provide additional security to specific corporate customers at extra cost. And then there are those ISPs that don't bother with security at all.

ISP executives say a more standardized approach to security would be cost-prohibitive—and it might not be what their business customers want anyway. "When you're dealing with security, there's simply too much at stake for us to offer a one-size-fits-all solution that works for everybody," says Stan Barber, vice president of engineering operations for Verio, an ISP and a subsidiary of NTT Communications. "What's important for one company might not be important for another, and we need features that can scale."

You don't need to be a mathematician to see that this patchwork coverage puts everyone at risk. With bits and bytes traveling from one ISP's network to another, who's to say that a security threat stopped by one ISP filter won't escape another network that doesn't filter or does it inadequately? Gregg Mastoras, senior security analyst for North America with the network security solutions provider Sophos, says that once a threat gets past one ISP, it essentially has gotten past them all. Mastoras adds that since information on the Internet knows no borders, everyone is at risk. If the security that ISPs currently offer is really as good as they say it is, this wouldn't be a problem. Yet one just needs to look at the news today to know that corporations are getting hit hard by all manners of malfeasant code. The problem, says Mastoras, is that nothing exists to standardize security across the ISP industry, making everyone in the industry susceptible to the lowest common denominator.

How to Protect Yourself in the OK Corral
ISPs may not be able to get away with this free-market approach for long, if only because pressure from government, industry and consumer groups is growing. This May, the FTC said it would soon ask ISPs to make sure that their customers' computers haven't been hijacked by spammers with plans to create botnets. Though ISPs are not required to comply, the FTC suggested that service providers should identify computers on their networks that are sending out large amounts of e-mail and quarantine them if they are found to be zombies. One final recommendation from the FTC: Internet providers should route all customer e-mail through their own servers (as opposed to allowing individual users to route e-mails through their own servers).

ISP executives are optimistic that the industry can regulate itself. Dave Jevans, chairman of the Anti-Phishing Working Group, says a number of ISPs have already banded together to discuss security best practices. If the industry can't improve security on its own, there's always the possibility of regulating it through state or federal legislation, but that's something that most in the ISP industry firmly oppose. Howard Schmidt, president and CEO of R&H Security Consulting and a former official with the Department of Homeland Security, agrees that legislation is not the answer, saying that most ISPs would simply pass the cost of compliance along to users in the form of increased monthly and annual fees.

For Schmidt, there is another way. He suggests that government facilitate change simply by wielding its own purchasing power. If, for instance, government agencies offered ISPs a 10 percent premium to provide reliable security services across the board, Schmidt believes the agencies could get ISPs to comply in exchange for the extra cash. This change, in turn, could have a trickle-down effect that improves the situation for business customers and CIOs alike.

"With the government being a large purchaser of IT services, they have the ability to say, ‘Here's what I'm willing to pay for,' and actually pay for it," Schmidt says. "Having controls built in as part of government projects gives you the side benefit of making it happen for private companies."

In the meantime, the SANS Institute, a private security education organization, is planning to evaluate ISPs on the way they handle security and release an ISP Security Report Card this month. Alan Paller, director of research for SANS, says this card will outline the steps CIOs can take to seek a greater level of security from their ISPs. (For more on this, see "ISP Essentials," this page.) In addition, Jennings, the Ferris Research analyst, says CIOs should combine whatever basic protections their ISPs offer with a customized security infrastructure comprising hardware and software for a multilayered approach that incorporates two or three antivirus engines (at the perimeter and on the desktop machines), a firewall, intrusion prevention software and any other functions that specifically suit an organization's needs.

One area in which Paller says CIOs can advocate for better security from ISPs is through their service-level agreements, or SLAs. Traditionally, these performance contracts with the ISPs loosely have covered issues such as uptime and maintenance or support. However, Paller suggests that CIOs should consider at least trying to get their ISPs to agree to incorporate security metrics such as virus scanning, DDoS monitoring and incident reporting, as well.

SLA clauses, however, are no panacea. Bob Paarlberg, CIO at Royster-Clark, an agri-business company, says that putting security into an SLA will do nothing but lull CIOs into complacency—not exactly a state that engenders secure networks. "Our SLA is that we don't sign a long-term agreement," Paarlberg quips. "If you do a good job for us this month, you earn the business from us next month. That's it."

Ultimately, Paarlberg contends, the best way to get ISPs to tackle security is to force them to bake-in additional security by law. Just look at what happened in the airline industry. Years ago, scanning passengers for security threats was the responsibility of individual airports. The result, of course, changed our nation forever: Terrorists took advantage of the weak points in the system, and successfully orchestrated the attacks of Sept. 11, 2001. In the aftermath, the federal government created the Transportation Security Administration to set policy for securing air travel nationwide. Today, whether you're traveling from Baltimore, Md., or Billings, Mont., you and everyone else on your flight are screened the same way, and by and large, the system is a lot safer than it was before.

"At the end of the day, ISPs need to be held accountable for more of these violations," Paarlberg says. "If they're going to continue to bring threats to our doorsteps, something must be done."
曾几何时,有人对我说:装B遭雷劈。我说:去你妈的。于是,这个人又对我说:如果再说脏话,上帝会惩罚你的。我说:我操上帝。结论:彪悍的人生不需要上帝。

TOP

你的网际服务如何保护你?
今年稍早在一个假的法院中,槌的风味为年龄打开了一个情形。 在一张长椅子后面,被告: 英特网服务提供者, 在试验上为不提供适当的安全给他们的客户。 在另一个长椅子后面,原告: 被服务 (DDoS) 的分配否认毁坏的虚构公司攻击。 陪审团: 数以百计资讯科技安全专业人士, 进入在 Gartner 资讯科技安全高峰会的一个会议房间之内包装全部看它展开。

原告争论了网际服务可以更加多做藉由扫描签署者计算机,监听交通而且关闭可疑的网络使用改善安全。 被告宣称,表演的如此扫描会违犯使用者隐私而且区别来自合法的电子邮件的怀恶意的交通会是不可能的。

控告飞。 原告视网际服务不妥协为危险的但是不买围墙把其它留在外的屋主。 在回应中,被告说了人应该从危险的财产离开 ; 那安全是职责以方形地在个体身上落下。如果他们之中的任何一个会愿意停留在一间为安全易受伤对于交换提供英特网通路让权利扫描所有的计算机的旅馆,然后,在一个修辞学的工作中,辩护律师问了陪审员。 不是听众的一个成员举起了一只手。

在附近和在二边的周围去,攻击像狼的包裹一样的彼此。 交换有时如此热了人几乎忘记它是假货。 有一天很快,然而,这一个情节可能是真正的。 就如安全威胁 , 像是 DDoS 攻击,身份窃盗和 phishing 继续折磨英特网的, 在他们到达使用者之前 , 网际服务在来自生意和消费者的逐渐增加的压力之下找他们自己根除危险。 因为网际服务控制管完成的哪一数据被递送,许多客户,包括信息长,坚持服务供给者一定在固定他们递送的交通方面扮演一个比较活跃的角色。

"立刻,所有的网际服务提供是进入给英特网,时期",史蒂芬养兔场,联邦贸易委员会的信息长说。 " 相信我, 资讯科技是在他们的最好地兴趣使所有的掷两个骰子出现的输数目远离他们的台词".

当养兔场暗示, 时间因为行动现在。 如果水公用程序能被州和地方政府需要递送干净的和可接受喝的水, 为什么能不网际服务是递送保险箱和无威胁的数据所必要者? 如此的需求会支撑网际服务有责任的因为在他们的网络上面清洁而且强迫他们检测交通当做它为所有类型的怀恶意通过他们的管。 这样管理网际服务也会至少减轻来自信息长的一些安全负担,为其他的区域在较多的时间,钱和资源上面释放。

但是到现在为止,政府规则和统治网际服务安全的 industrywide 政策的那些类型尚未存在。 因为网际服务英特网的野性西民族精神的年龄受到的影响,而且供给者通常已经是不愿意花费额外的钱和资源为他们的全部使用者保护数据的中央管,所以部份地,那是。 除此之外,许多网际服务认为,如果他们成为安全警官或超过东西交通运送者,他们将会在安全裂口情况下合法地是有义务的。 他们也关心检查制度议题和阻断合法的看起来像罐头火腿肉一样的电子邮件。

这些关心多有效? 像公用程序 ( 和对较少的范围,航空公司) 是现在,网际服务安全应该多被管理吗? industrywide 警察统治安全是甚至能实行吗吗? 这些是在问题之中陪审员考虑当做他们在 Gartner 在一次判决之上仔细考虑嘲笑试验。 奋斗保护他们自己的网络信息长一定在那些考虑这些问题,而且找寻答案的人之中站。 毕竟, 在赌注的进入  21 世纪之内为商业,沟通和生意连接性是如一种媒体的英特网的生存能力和超过。

" 安全是某事,每个人是有责任的对- 每个人包括网际服务", 麦可 Vatis 说, 一位代理人在 Steptoe&詹森, 在纽约的一个法律公司。 " 那里必须是一个较好的方法接近这超过我们如何正在今天做它".

野性的野性西方
许多的网际服务业的紊乱生长能被追踪到电传视讯行为 1996,在 62 年内的电传视讯法律的首先主要彻底检查。 法律的目标是产生任何的单一沟通公司可以在任何的市场中竞争的自由市场经济。 因为配备允诺提供英特网服务,依照乔纳森 Zittrain ,英特网的哈佛法学院的 Berkman 中心的共同创办人和社会, 法律和后来的其他 FCC 判决打开了方式。 所有的需要变成一个网际服务是一些现金,一些伺候器, 带宽主办不动产和行销计划引进客户。 大卫 McClure ,总统和美国英特网业协会的运行长, 今天估计网际服务的数字是超过 400 。

当网际服务慌张成长,有非常小的努力标准化在任何的水平上的安全。唯一的真正尝试进来 2003,当国会通过了那控制非请求 Pornography 的攻击而且销售 (能-罐头火腿肉) 行为的时候, 这为送商业的电子邮件建立了需求,为 spammers 和在罐头火腿肉中被广告, 而且给予了消费者权利要求 spammers 停止而且停止的公司拼出处罚。

法律已经到现在为止是一点也不成功的。 向任何的信息长询问什么生计她的在晚上向上而且一般的答案是安全。 自从 2003 以后,安全威胁的数字已经猛涨,藉由作为病毒,罐头火腿肉, phishing 骗局和暗中侦察软体的典型嫌疑犯。 在区段, DDoS 攻击上的新小孩,甚至多弄复杂物质。 在这一个情节中, hackers 使用电脑病虫接管在企业的全球网络上的易受伤害的计算机。 然后他们经过英特网接替者闲谈 (IRC) 被称为 botnet 的伺候器一起系计算机。 统一当做一, 恶棍 ( 或 ??尸,如同他们有时被叫做一样) 把目标放在一个特别的企业网络伺候器, 而且同时地以数据困扰它请求,直到负担把它带来下来。 这些网络对 80% 的所有服务罐头火腿肉的否认负责 50%,依照各种不同的估计。

甚至在花费在安全上的数百万的信息长之中,避免这些威胁的行动引起紧张。 你如何知道你的防火墙被装备最新闯入预防签字? 你如何停止其他的威胁 , 像是病毒和罐头火腿肉? 重要的大部分,你如何保护你自己免于暗中侦察软体传染易受伤害的端点,而且将他们变成 ??尸计算机开始 DDoS 在指令之后攻击的计画? 当信息长认为他们已经在控制之下得到每件事物的时候, hackers 比他们更聪明而且设计新的方法妥协处理网络的安全。

" 我们不变地被炮击 ", 德威特 Latimer 说, 副信息长在 Notre 夫人大学,在固有开着学院的网络挑战在边缘上不变地有他的地方。 "我找我自己愿,网际服务会帮助我们外面的小一点点, 如果为没有其他的理由超过除去我们烦恼的安全问题的一个分数有关以逐日的方式 ".

Latimer 增加他承担不在一个私人的网络上的任何事是不安全的。 但是什么如果在交通曾经达成网络门之前 , 一些议题被决定?既然所有的外部交通一定,在一些点,在英特网之上被传送,许多信息长说没有较好的方法保护它超过藉由固定管他们自己。 因为网际服务为所有的交通视为导管进入而且从一个网络,信息长说,这些供给者应该为病毒扫描签署者计算机之内, 监听交通对于活跃的劈攻击, 而且关闭可疑的网络使用者立刻为其他人保护连接的安全和神圣。

网际服务为什么是这么不干涉的
在旧金山中有含铁研究的 Richi 詹宁斯 , 一位分析家, 说,许多网际服务洗他们的这些议题的手,因为如此的安全措施既不是有成本效益的也不是有益于对收入世代。 因为网际服务是成功的,他们需要体积,而且资源在过滤 malware 上花费,否则扫描签署者计算机最后影响底线,詹宁斯说。

一个这一种哲学的完美例子是网际服务帮忙书桌。 用一个网际服务申请罐头火腿肉诉苦,而且詹宁斯注意它可能是在你接受一个回应每天之前,如果你全然接受一。 在大部份的情形下,他说,回应被自动化。当然,网际服务可能诉苦之远申请而且在稍后追求他们, 但是詹宁斯说尽管最近宣传的诉讼在哪一网际服务控告违犯的 spammers 罐子- 罐头火腿肉的行为和较旧的州法律,大多数的违反在雷达之下飞,甚至在他们被报告之后。

" 不愿花费资源试而且停止所有的这些威胁, 大多数的网际服务正在轮流相反的方式而且什么也不做",詹宁斯说。 " 资讯科技仅仅不优先".

为反对肋骨县,加州的凯文虚衿,副信息长和 CISO。,最近直接地经历了这。 在县网络上的一个被尝试的 DDoS 攻击之后,虚衿为事件问了他的网际服务报告圆木。 虽然许多网际服务保存这些圆木, 虚衿没有。 因此他识别并且固定 hackers 已经用开始攻击的洞是非常困难的。 (最后他确实补缀它) 因为他说,所以虚衿拒绝命名网际服务他通常快乐的由于它, 但是承认整个的经验进入了解之内震动了他,安全是不如许多优先对于网际服务当他已经被导致相信。

律师怀疑是否一个理由网际服务害羞远离安全是一个合法的。 因为那可以想得到地为疏忽或对隐私诉讼的侵犯使他们处于危险中,所以依照班杰民建造者,一位参与假的试验,而且专攻英特网法律的达拉斯代理人,网际服务不想要保证安全。 建造者声称,在小包留下桌面之后,扫描签署者计算机可以甚至违犯隐私法律。 同时, 什么发生如果一个网际服务引导一个扫描和区段 100种威胁但是过错一? Zittrain 说,如果网际服务开始轮流的责任超过仅仅传达交通,他们可能使他们自己合法有义务。没有诉讼到现在为止为这种疏忽被申请,但是 Zittrain 说,博学地允许一部 ??尸计算机留在它的然后大肆破坏的网络上的一个网际服务可以找它本身被控告。 然而,他怀疑,除非他们已经答应完全地保护他们的客户,否则网际服务能被维持合法有责任。 " 那精确地他们为什么不是有希望的完全保护 ",Zittrain 说。

扫描不是唯一的合法沼地。即使网际服务可以扫描所有的收入电子邮件, 资讯科技几乎不可能让他们举例来说区别一部计算机被用于 DDoS 攻击和合法的英特网交通 , 像是 Weatherbug,因为地方的天气更新,这自动地每五分钟检查国家气象局伺候器。 而且正如网际服务能为阻断进入热的水之内拿他们自己来自一个网络的合法电子邮件,Zittrain 说,当他们是过度热心的在监听离开一个网络的合法电子邮件中的时候,他们也能引起麻烦。

" 如果一个客户正在把一天送出给 25个信息并且突然摧残 500, 那是一个红灯,也许他们适当地有一个罐头火腿肉 ??尸 ", 君 Blumenthal 说,在联邦贸易委员会的英特网实验室协调者。 " 当然它也可能是,客户刚刚才变得 [父母- 老师的协会] 总统而且正在使用他的工作计算机送出一些个人的电子邮件。 你仅仅从不知道。"

??落道路,也许最大的安全挑战可以来自密码技术的增加使用。举例来说,街景,在明年被期望初次登场的新微软操作系统人,使横过英特网的越过原野的密码技术成流线型。 结果,网际服务和安全厂商一样可能已经困扰决定哪一电子邮件小包是合法的和是怀恶意的, 可能地给 hackers 未缓和的机会各处大肆破坏。

网际服务说,资讯科技是不好像他们不关心安全。 但是因为他们在自由市场经济方面操作, 提供安全的决定是一个每个供给者个别地作出。 在线的美国 , Comcast , EarthLink 和 SBC-签署者的数字四个最大的网际服务,依照来自 JupiterResearch 的一项 2005 年六月市场报告- 以标准电子邮件过滤的形式全部提供一些根本的安全给使用者服务和 antispyware 保护。 EarthLink , SBC 和一些其他的网际服务也尝试避免病毒而且蠕行经过港口 25 阻断交通,作为简单的邮件移动记录 , 或 SMTP ,传输的伺候器港口的爆发。 ( 为更多在这如何工作之上, 阅读 " 防卫的第一条线 ".) 许多其他的网际服务在额外的费用提供另外的安全给特定的企业客户。 然后有那些不以在全部的安全烦扰的网际服务。

网际服务主管说被标准化安全会被花费的达成方式的更多-禁止的-而且它不可能是他们的生意客户所无论如何想要的。" 当你正在处理安全的时候, 那里在赌注是只是太多让我们提供一一-大小-适宜-为每个人工作的所有解决", 斯坦理发师说, 工程行动的副总裁对于 Verio,一个网际服务和一个 NTT 沟通的子公司。" 对一家公司是重要的事情不可能对另外一是重要的,而且我们需要能依比例决定的特征".

你不需要是一个数学家见到这一个凑合物报导使每个人处于危险中。藉由一点点和从一个网际服务的网络到另外一旅行的位元组, 谁有说一种被停止一网际服务过滤器的安全威胁将不逃脱不不充分地过滤或做它的另外一个网络? Gregg Mastoras, 资深的安全分析家对于和网络安全解决供给者 Sophos 的美国北部, 说一经一种威胁拿过去的一个网际服务,它已经本质上过去了他们所有。 Mastoras 增加,因为关于英特网的资讯没知道边缘, 每个人是置于险境。 如果安全网际服务现在提供是真的和他们一样说它是,这不是一个问题。 然而一仅仅需要今天看新闻知道公司正在得到重击被所有行为不正密码的礼貌。 问题,Mastoras 说,是无存在标准化安全横过网际服务业, 在工业易受影响者中制造每个人到最低的通常分母。

该如何在好畜栏中保护你自己
网际服务可能无法以这一个自由市场逃离方式为长的,如果只有因为来自政府的压力 , 工业和消费者团体正在增加。 这五月,联邦贸易委员会说了它会很快要求网际服务确定他们的客户计算机没有被 spammers 用计划劫持产生 botnets 。 虽然网际服务不是遵守所必要者,但是联邦贸易委员会建议,如果他们被发现是 ??尸,服务供给者应该识别在他们的正在送出大量的电子邮件而且检疫他们的网络上的计算机。 来自联邦贸易委员会的最后推荐: 英特网供给者应该穿越定路线所有的客户电子邮件他们自己的伺候器。 ( 当做反对到经过他们自己的伺候器允许个别的使用者定路线电子邮件)

网际服务主管是乐观的工业能管理它本身。 大卫 Jevans ,反 Phishing 工作小组主席,说若干的网际服务已经已经一起联合讨论安全最好练习。 如果工业靠它自己不能改善安全,总是有经过州或联邦的立法管理它的可能性, 但是某事网际服务业的大部分坚固反对。霍华德 Schmidt ,总统和 R& H 安全的运行长商议和一位前官员由于国土安全局,同意立法不是答案, 说大多数的网际服务会只是增加月刊和年费向前对使用者以形式通过服从的费用。

对于 Schmidt,有另外的一个方法。 他建议政府藉由使用它自己的购买力量只是促进变化。 如果,举例来说,政府机关提供了网际服务 10% 额外费用提供可靠的安全横过董事会的服务,Schmidt 相信代理可以拿网际服务遵守以交换额外的现金。这一个变化,依次 ,可以有一样为生意客户和信息长改善情形的滴- 向下的效果。

"藉由身为一个资讯科技服务的大买方的政府,他们有能力说,‘在这里是我所愿意支付的费用,' 而且实际上支付它的费用",Schmidt 说。 " 建造控制在如政府计画的部份给你做到的旁利益为私人的公司发生".

在此际,桑河学会,一个私人的安全教育组织, 在途中正在计划评估网际服务他们这月处理安全而且释放一张网际服务安全报告卡片。 爱伦罩上, 研究的指导者对于桑河, 说这一张卡片将会概略说明步骤信息长能轮流寻求来自他们的网际服务的较高程度的安全。 (对于在这上的更多,见到 " 网际服务要素 " ,这页.) 在附加,詹宁斯,含铁研究分析家, 说信息长应该结合任何的基本保护他们的网际服务提议和一个为被多分层堆积的合并二或三个防毒引擎 (在周长和在桌面机器上) ,一个防火墙,闯入预防软件和任何其他的功能以明确地适合组织的需要方式组成硬件和软件的根据客户需要而修改的安全系统内各部分。

因为来自网际服务的较好安全经过他们的服务级的协议 , 或 SLAs ,一个区域在哪一罩上发言权信息长能主张。 传统地, 这些表现和网际服务的契约已经松弛地复盖议题 , 像是正常运行时间和维护或者支援。然而, 罩上建议信息长应该至少考虑尝试拿他们的网际服务同意合并安全韵律学 , 像是病毒扫描, DDoS 监听和附带的报告,也。

SLA 子句,然而, 万能药不是。鲍伯 Paarlberg,在 Royster-克拉克,一家 agri- 生意的公司信息长, 说,放安全进 SLA 之内将会什么也不做但是平息信息长进满足之内- 不完全地产生安心的网络州。 " 我们的 SLA 是我们不签署长期的协议 ", Paarlberg 警句。 "如果你这月为我们做一个好工作,你在下个月赚得来自我们的生意。 那是它。"

最后, Paarlberg 奋斗,拿网际服务抓住安全的最好方法是强迫他们烘焙-在法律的另外安全中。 仅仅在航空公司业中发生的东西看。 数年以前,为安全威胁扫描乘客是个别飞机场的职责。 结果,当然,永远地改变了我们的国家: 恐怖份子利用系统的弱点, 而且成功地编管弦乐曲了 2001 年九月 11 日的攻击。 在结果中,联邦政府产生了运输安全行政为固定全国性的航空旅游设定政策。 今天,是否你正在从巴尔的摩, Md 旅行。, 或布告, Mont。, 你和其他人在你的飞行上被审查相同的方法, 而且大体而言,系统是很多更安全地比较它以前。

"在天结束的时候, 网际服务需要对于这些违反的更多是有责任的被维持",Paarlberg 说。 " 如果他们将要继续带来对我们的门阶威胁,某事一定被做 " 。

TOP

发新话题