Ron Baklarz

Think of the security of your network like that of your city tap water and home drinking supply. The water supply originates from any number of unsafe-for-consumption sources, such as rivers and streams, much like the network traffic that flows throughout the unsafe ecosystem of the internet. The unsafe water supply is collected at a regional purification and distribution facility and treated for impurities long before it reaches your home. At this point, the tap water is safe for consumption. But, even though the water supply meets governmental standards for purity and consumption, we often take additional measures to further filter our water with home water conditioners, spigot filters, water jug filters and more. Some of us bypass our home water supplies altogether by drinking bottled water.

Doesn't this look a lot like the protective measures we take when we tap into the internet? We filter incoming internet traffic in any number of ways. At the corporate level there are firewalls, email/spam filters, network-based and host-based intrusion detection/prevention systems, anti-virus protections, personal firewalls, and more. Hopefully, at home we use at minimum anti-virus protections and personal firewalls on our systems. I would compare the regional water purification and distribution facility to the ISP. But unlike the model of our water supply, where purification takes place at the regional purification and distribution facility, ISPs do not implement sufficient filtration and protection of internet traffic.

There is a lot of unnecessary and potentially dangerous internet traffic that could be filtered at the ISP level before it ever reaches our networks. For example, I recently asked one of the major (huge) ISPs if it filtered out “bogons” and “fullbogons” from our incoming internet traffic. While the term “bogon” certainly sounds sinister, the bogon list is actually the Internet Assigned Numbers Authority's (IANA) unassigned/reserved IP address space. And “fullbogon” lists are assigned, but not allocated, IP addresses within an ISP. By their very nature, packets with source addresses in these ranges should not be traversing the internet – let alone entering your corporate and home networks. The ISP I questioned responded that it did not currently block bogons, but was considering doing so. It should. A study by Team Cymru found that approximately 60 percent of distributed denial of service (DDoS) network attack packets came from bogon address space.
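To make the bogon idea concrete, here is an added example (not from the original post or from any ISP's tooling) of the check an upstream or edge filter performs: match each packet's source address against reserved prefixes and count what would have been dropped. The prefix list is a static subset of IANA reserved/special-purpose IPv4 space taken from RFC 1918 and RFC 6890, the log format is hypothetical and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Static subset of IANA reserved / special-purpose IPv4 space (RFC 1918, RFC 6890).
# Assumption for this example: a production filter would instead consume an
# authoritative, regularly refreshed bogon feed, since allocations change.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src: str) -> bool:
    """Return True if the source address falls inside a bogon prefix."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed address: not a prefix match, count separately
    return any(addr in net for net in BOGON_PREFIXES)


# Constructed sample log (hypothetical "src=... dst=..." format); destinations
# use documentation space on purpose, only the source address is filtered.
SAMPLE_LOG = """\
src=10.20.30.40 dst=203.0.113.5 proto=udp dport=53
src=8.8.8.8 dst=203.0.113.5 proto=udp dport=53
src=0.0.0.0 dst=203.0.113.5 proto=tcp dport=80
src=192.0.2.99 dst=203.0.113.5 proto=tcp dport=443
src=1.1.1.1 dst=203.0.113.5 proto=tcp dport=443
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def triage(log_text: str) -> dict:
    """Classify each log line by source address; return counts and bogon sources."""
    counts = Counter()
    bogon_sources = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            counts["unparsed"] += 1
            continue
        src = m.group(1)
        if is_bogon(src):
            counts["bogon"] += 1
            bogon_sources.append(src)
        else:
            counts["routable"] += 1
    return {"counts": dict(counts), "bogon_sources": bogon_sources}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the constructed sample, three of the five packets carry bogon source addresses and would never reach the customer network if the ISP dropped them upstream.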

There are many other examples of possible ISP filtration and protection strategies that could be implemented, such as “safelisting” filters to block access to known malicious websites, IP addresses and IP address ranges. Now, not all DDoS attacks use bogon address space, and filtration varies from ISP to ISP. But this is one glaring example where defense-in-depth comes into play. We need all the defensive weapons in our arsenal that we can muster. It would make sense to apply as many protections “upstream” as possible. If the government is truly serious about cybersecurity, consideration should be given to developing and implementing standards governing ISP-level protections in a manner similar to those that apply to our water supplies.