Net Neutrality and Information Security
With the recent debate on network neutrality raging, I thought it appropriate to mention some of what I think the information security implications of net neutrality are (if adopted). This is probably US-centric, but it shows how a policy if not fully thought through can negatively impact the ability of an organization to secure their environment.
Briefly, network neutrality is designed to prevent ISPs from favoring certain websites over others (faster load times) or certain applications over others. In short, it's designed for consumer PC environments only (the exact environments that are pretty much the biggest nightmare on the internet).
The supporters of network neutrality would allow for filtering of illegal traffic, but the problem comes in with grey areas. For instance, network neutrality would not allow ISPs to filter P2P traffic as a class. P2P isn't inherently illegal (as much as the MPAA/RIAA would like to say otherwise) however it isn't generally used for honest purposes (with few exceptions). For instance, on my network, when I see bittorrent I know someone is generally doing something bad. Because DMCA makes ISPs responsible for P2P piracy of their users, some ISPs simply don't allow P2P. That would not be a viable option under a net neutrality regime.
If you don't like P2P because there is about a 1% chance that a given P2P use might be for legitimate software vendors too cheap to pay for bandwidth, the above is just as applicable for spam. Sure, some spam is illegal but the perenial complain is that the law has not kept up with the spam problem (i.e. a good amount is still strictly legal). With net neutrality if it's legal, it can't be filtered. Not only incoming spam but outgoing spam must be allowed unless it can be shown to be illegal (a judgement simply well out-of-scope for an ISP to be making).
Here's a more potent example. Many ISPs blocked inbound port 80 during the Code Red days. There is nothing illegal about having webservers, however ISPs (in my opinion, rightly) decided that the risk was not worth the benefit and blocked that application. This helped mitigate to some degree the spread of Code Red. This would no longer be an allowable option with net neutrality as they'd presumably have to wait UNTIL a machine is infected to do something about it, instead of protecting the machine to begin with. It should be intuitive that proactive security is better than reactive security (despite the fact that as an industry we keep insisting on being reactive).
The point is, there is a lot of "grey" in network traffic and gutting AUPs with network neutrality regulations would take away valuable tools to help stop bad traffic. It converts the game from least privilege to most privilege. If I start probing from my PC on a DSL line, my ISP (if they are paying attention) may outright block me unless I can prove legitimacy. With net neutrality, legitimacy is presumed until a crime can be proven. At that point damage is done. It puts us once again behind the hackers, forced to wait until either the FCC decides ISPs can move or there is a crime with a victim and damage.
Security policies (or laws) in general should not emasculate security officers into a wait-and-see position. Cost/benefit decisions should be allowed so that organizations can appropriately manage their own risk.
(Full disclosure: In addition to being in IT security, I'm a columnist. My next column comes out against net neutrality for political reasons. I mention this because I'm sure someone out there will think they are terribly clever for managing to use google, finding out I'm a columnist, and saying my politics are shaping my technical analysis here. My point is that these security considerations have not been analyzed and thought through and I know this because I interviewed the drivers of the net neutrality policy. Maybe net neutrality can be revamped to allow for appropriate information security considerations to come into play, that's the point of this post. I'd prefer to think about this stuff before policies are decided on than after, regardless of what I think about the policy in general.)
----
John Bambenek
bambenek /at/ gmail /dot/ com
Briefly, network neutrality is designed to prevent ISPs from favoring certain websites over others (faster load times) or certain applications over others. In short, it's designed for consumer PC environments only (the exact environments that are pretty much the biggest nightmare on the internet).
The supporters of network neutrality would allow for filtering of illegal traffic, but the problem comes in with grey areas. For instance, network neutrality would not allow ISPs to filter P2P traffic as a class. P2P isn't inherently illegal (as much as the MPAA/RIAA would like to say otherwise) however it isn't generally used for honest purposes (with few exceptions). For instance, on my network, when I see bittorrent I know someone is generally doing something bad. Because DMCA makes ISPs responsible for P2P piracy of their users, some ISPs simply don't allow P2P. That would not be a viable option under a net neutrality regime.
If you don't like P2P because there is about a 1% chance that a given P2P use might be for legitimate software vendors too cheap to pay for bandwidth, the above is just as applicable for spam. Sure, some spam is illegal but the perenial complain is that the law has not kept up with the spam problem (i.e. a good amount is still strictly legal). With net neutrality if it's legal, it can't be filtered. Not only incoming spam but outgoing spam must be allowed unless it can be shown to be illegal (a judgement simply well out-of-scope for an ISP to be making).
Here's a more potent example. Many ISPs blocked inbound port 80 during the Code Red days. There is nothing illegal about having webservers, however ISPs (in my opinion, rightly) decided that the risk was not worth the benefit and blocked that application. This helped mitigate to some degree the spread of Code Red. This would no longer be an allowable option with net neutrality as they'd presumably have to wait UNTIL a machine is infected to do something about it, instead of protecting the machine to begin with. It should be intuitive that proactive security is better than reactive security (despite the fact that as an industry we keep insisting on being reactive).
The point is, there is a lot of "grey" in network traffic and gutting AUPs with network neutrality regulations would take away valuable tools to help stop bad traffic. It converts the game from least privilege to most privilege. If I start probing from my PC on a DSL line, my ISP (if they are paying attention) may outright block me unless I can prove legitimacy. With net neutrality, legitimacy is presumed until a crime can be proven. At that point damage is done. It puts us once again behind the hackers, forced to wait until either the FCC decides ISPs can move or there is a crime with a victim and damage.
Security policies (or laws) in general should not emasculate security officers into a wait-and-see position. Cost/benefit decisions should be allowed so that organizations can appropriately manage their own risk.
(Full disclosure: In addition to being in IT security, I'm a columnist. My next column comes out against net neutrality for political reasons. I mention this because I'm sure someone out there will think they are terribly clever for managing to use google, finding out I'm a columnist, and saying my politics are shaping my technical analysis here. My point is that these security considerations have not been analyzed and thought through and I know this because I interviewed the drivers of the net neutrality policy. Maybe net neutrality can be revamped to allow for appropriate information security considerations to come into play, that's the point of this post. I'd prefer to think about this stuff before policies are decided on than after, regardless of what I think about the policy in general.)
----
John Bambenek
bambenek /at/ gmail /dot/ com
Keywords:
0 comment(s)
×
Diary Archives
Comments