HERE'S A THOUGHT: Why not get all the ISPs of the world to deny Internet access to known miscreants? Does that sound too Orwellian, or is it just common sense? We recently experienced what such a world would look like, and we don't have many flattering things to say about it.

Our experience began with what was seemingly a routine penetration test of a client organization's Internet presence. As is common with such testing, we worked with the client to inform their Internet Service Provider about the upcoming activities, supplying source IP addresses and a concise time line for our probes so as not to arouse inappropriate suspicion.

Often, we are contracted to attempt to bypass monitoring and intrusion-detection measures deployed by clients or their ISPs using network counterdetection techniques; but in this case, the client wanted to focus closely on its servers, and was not interested in expending further resources to evade our detection.

According to our oft-repeated mantra that the weakest point of any corporate Internet presence is the Web application and services layer, and because we were at first a bit wary of the ISP's monitoring capabilities, we focused our initial work on a handful of the client's primary Web servers. Within a few hours, and using nothing more than innocuous URL requests sent via Web browser, we had combined several techniques to gain unauthorized access to the contents of the entire Web server hard drive, revealing a trove of sensitive data, including a script that enumerated administrative users and their passwords.

After informing the client and continuing to analyze the Web site for further vulnerabilities during a period of several days, we decided to launch some noisier automated probes to make sure we hadn't missed other avenues of entering the site. These probes included scans of a select group of ports (in random order) over a Class C address range.

Soon thereafter, we began having connectivity problems with the client Web site. The client was again informed, and contacted its ISP, which informed them that our source IP addresses had been blocked from accessing the client network because of undisclosed malicious activity.

During the next few days, the client tried in vain to lift the block of our IP addresses. The ISP stated that corporate policy made it clear that any such bans would not be lifted -- ever. The client's protests that they were being denied services for which we had been contractually engaged were ignored.

Two things disturb us deeply about this incident. One is that within hours of dispatching our first e-mail to the ISP stating that we were to begin work, the client received a phone call from the ISP sales division inquiring as to the nature of the work and offering similar assessment services provided by the ISP. The blocking began shortly after the client informed the ISP that they had already contracted with our firm to perform the job.

Second, days later the client began having broad problems with site connectivity that mirrored exactly the type of problems we experienced when being blocked. The ISP denied culpability, and pointed the finger at our activities (which had been halted several days before) as the possible root of the problem.

Some take-home lessons

We are strong proponents of managed security-monitoring services that treat the customer as a partner in the monitoring effort, and donn't make automated blocking decisions without customer consent or input. The inflexible block we encountered seemed a more effective business impediment than a security measure, however.

One, it is obvious that the most effective attacks against business-critical, custom-built applications are unlikely to get caught by broad spectrum, signature-based detection routines such as those employed by this ISP. Two, the restrictive policies and unresponsiveness of this ISP makes it very difficult for its service to be audited for effectiveness by its own customers or third parties. And let's not forget the choke hold the ISP has over the customer's Internet connectivity and how it can potentially be used as a stick to beat out competing service firms and keep the customer locked in to a monopoly security provider.

All this being said, we can attest firsthand to the effectiveness of the block. Good Net citizenship could be enforced quite efficiently using this technique. However, the problem remains of where to draw the line between truly dangerous attack patterns and professional activities by responsible firms, or even casual Net surfing and the multitude of other activities flying over the wire.

Ultimately, our conservative tendencies make us side against such restrictive ISP practices. Taking choice out of the hands of customers is never a good thing, of course. But are we being unfair simply because our profession stands to bear the brunt of the baggage if such services became widespread? Let us know at security_watch@infoworld.com.

» posted by ITworld staff

InfoWorld

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine