[Infowarrior] - OpEd: Net Neutrality and Information Security

Richard Forno rforno at infowarrior.org
Tue Jul 11 09:01:42 EDT 2006


Net Neutrality and Information Security, (Mon, Jul 10th)
http://isc.sans.org/diary.php?storyid=1467&rss

With the recent debate on network neutrality raging, I thought it
appropriate to mention some of what I think the information security
implications of net neutrality are (if adopted).  This is probably
US-centric, but it shows how a policy if not fully thought through can
negatively impact the ability of an organization to secure their
environment.

Briefly, network neutrality is designed to prevent ISPs from favoring
certain websites over others (faster load times) or certain applications
over others.  In short, it's designed for consumer PC environments only (the
exact environments that are pretty much the biggest nightmare on the
internet).

The supporters of network neutrality would allow for filtering of illegal
traffic, but the problem comes in with grey areas.  For instance, network
neutrality would not allow ISPs to filter P2P traffic as a class.  P2P isn't
inherently illegal (as much as the MPAA/RIAA would like to say otherwise)
however it isn't generally used for honest purposes (with few exceptions).
For instance, on my network, when I see bittorrent I know someone is
generally doing something bad.  Because DMCA makes ISPs responsible for P2P
piracy of their users, some ISPs simply don't allow P2P.  That would not be
a viable option under a net neutrality regime.

If you don't like P2P because there is about a 1% chance that a given P2P
use might be for legitimate software vendors too cheap to pay for bandwidth,
the above is just as applicable for spam.  Sure, some spam is illegal but
the perennial complaint is that the law has not kept up with the spam problem
(i.e. a good amount is still strictly legal).  With net neutrality if it's
legal, it can't be filtered.  Not only incoming spam but outgoing spam must
be allowed unless it can be shown to be illegal (a judgement simply well
out-of-scope for an ISP to be making).

Here's a more potent example.  Many ISPs blocked inbound port 80 during the
Code Red days.  There is nothing illegal about having webservers, however
ISPs (in my opinion, rightly) decided that the risk was not worth the
benefit and blocked that application.  This helped mitigate to some degree
the spread of Code Red.  This would no longer be an allowable option with
net neutrality as they'd presumably have to wait UNTIL a machine is infected
to do something about it, instead of protecting the machine to begin with.
It should be intuitive that proactive security is better than reactive
security (despite the fact that as an industry we keep insisting on being
reactive).

The point is, there is a lot of "grey" in network traffic and gutting AUPs
with network neutrality regulations would take away valuable tools to help
stop bad traffic.  It converts the game from least privilege to most
privilege.  If I start probing from my PC on a DSL line, my ISP (if they are
paying attention) may outright block me unless I can prove legitimacy.  With
net neutrality, legitimacy is presumed until a crime can be proven.  At that
point damage is done.  It puts us once again behind the hackers, forced to
wait until either the FCC decides ISPs can move or there is a crime with a
victim and damage.

Security policies (or laws) in general should not emasculate security
officers into a wait-and-see position.  Cost/benefit decisions should be
allowed so that organizations can appropriately manage their own risk.

(Full disclosure: In addition to being in IT security, I'm a columnist.  My
next column comes out against net neutrality for political reasons.  I
mention this because I'm sure someone out there will think they are terribly
clever for managing to use Google, finding out I'm a columnist, and saying
my politics are shaping my technical analysis here.  My point is that these
security considerations have not been analyzed and thought through and I
know this because I interviewed the drivers of the net neutrality policy.
Maybe net neutrality can be revamped to allow for appropriate information
security considerations to come into play, that's the point of this post.
I'd prefer to think about this stuff before policies are decided on than
after, regardless of what I think about the policy in general.)

----
John Bambenek
bambenek /at/ gmail /dot/ com



