Broadband ISPs Shouldn't Knock Down Firewalls

Citing finicky configuration problems, the major high-speed providers discourage their use -- a backward and dangerous policy

By Alex Salkever

Get rid of my firewall? Only when you pry my cold dead fingers from the keyboard. That has been my attitude toward firewalls on home PCs running broadband connections ever since I started writing about security and got truly paranoid about evil hackers stealing all sorts of personal information from my desktop -- or worse. Most security experts, likewise, urge home PC users to run an inexpensive personal firewall.

So imagine my dismay when an otherwise helpful technical-support person from TimeWarner's RoadRunner cable-broadband unit told me she couldn't assist me until I removed every single trace of the ZoneAlarm firewall from my machine. That's not exactly an obscure piece of software. Company CEO Gregor Freund claims he has 15 million customers. The company, Zone Labs, has won both technology awards from the geek media and kudos from the bottom-line set for offering a freeware version for download to those who want the most basic security.

Still, that didn't help me a lick when I was trying to get connected on Nov. 14. The rep told me to call back when I had uninstalled the software completely. Worse, she told me RoadRunner simply doesn't support firewalls. "That doesn't mean we say you shouldn't use them. But we can't help you if you have problems with a firewall," she said. That just doesn't seem right.


  Despite a wide consensus in the security community that firewalls are a must for always-on connections, the vast majority of broadband Internet service providers (ISPs) that offer cable and digital subscriber line (DSL) have yet to acknowledge this reality to their customers. "There is a mindset problem," says Zone Labs' Freund. "We have been talking to cable companies for the past two years. Some of them are easy to work with and recommend our product or other firewalls. Others say, 'Listen, you get in the way of our diagnostic runs'."

The problem is that if a cable company tells the average customer it doesn't support firewalls, in all likelihood that customer will shut down his security software at the first hint of trouble -- leaving himself completely vulnerable to cyber-attack. Perhaps more serious, a customer's unprotected connection could do serious damage to a the ISP if it's used to launch a bandwidth-hogging denial of service (DOS) attack. These relatively common attacks shut off access to a targeted Web site by pelting it with a steady stream of bogus requests, overloading its servers.

Ultimately, the more DOS attacks that occur, the worse the Net itself performs due to more bogus data traffic. The easiest way to nip this problem? Provide better support and information to customers who want to protect themselves, making the Internet more secure.


  The broadband ISPs say supporting firewalls is no piece of cake, suggesting customers should be responsible for anything they choose to put on their computer. No doubt, firewalls are finicky creatures and figuring out how to nail down the proper configuration over the phone is no easy task.

"It would take a lot of additional training and would need agents with a higher aptitude to be able to troubleshoot firewall software. A lot of times, the manufacturer will know that information better than we would," says Mike Daly, a customer-care communications manager at AT&T Broadband.

Further, the cable companies and other broadband providers say they're making strides toward educating customers about the real dangers of cyberspace. Mostly, that info comes from installation personnel and customer-support reps. Many broadband providers tell customers they don't discourage firewall use. But only a few big ISPs, such as Earthlink, actually encourage customers to buy a firewall. (Earthlink points new broadband subscribers to both ZoneAlarm and Norton Internet Security.)


  Security experts have long acknowledged that homes and small businesses with always-on connections presented a major security hazard. Malicious hackers target specific ranges of Internet protocol (IP) addresses -- a unique number that's assigned to each device connected to the Net. Just as a telemarketer will target posh Westchester County, N.Y., or Beverly Hills, Calif., for an upscale phone pitch, hackers target clusters of IP addresses that fall within the purview of broadband ISPs. They spray these addresses with automated scanners that can detect an open connection.

To shield their users, some broadband providers regularly change the IP address assigned to a customer -- a system called dynamic IP addresses. But given the speed and ease with which hackers can install "Trojan horse" software used to take over a computer, switching IP addresses every few hours or days provides little protection. True, hackers could also take over computers connected via dial-up modems. But dial-up users present a less-interesting target because of their pokey data-transfer rates and the inherent instability of such connections compared with their broadband cousins.

Today, even novice cyber-crooks can easily access specialized software that allows them to cobble together networks of vulnerable machines to create the equivalent of a data firehose that can quickly shut down and damage Web sites. Witness the big DOS attacks in the past year against Yahoo!, Microsoft, the New York Times, and other big corporations that were knocked off the Web for hours and in some cases, days.


  What percentage of the offending traffic in these attacks came from compromised home and small-business PCs remains unclear. But security experts estimate it could range from 10% to 50%. Asta Networks, a company that sells hardware and software to prevent DOS incidents, closely tracks these events on the Web.

According to Asta Chief Scientist Stefan Savage, between 10% and 20% of the compromised "zombie" computers are home PCs. Most likely, those are PCs on broadband networks. "The safe bet is they are pretty ubiquitous," says Phil London, CEO of anti-DOS equipment vendor Mazu Networks. "But it's not something they want to talk about."

A quick review of the Web sites for big cable and DSL broadband providers shows many fail to provide customers with much information on cyber-security. On the sites of @home and AT&T Broadband, two of the biggest cable-broadband providers, firewalls aren't prominently mentioned as an option. Surf the Web pages describing system requirements and other basics required to set up a consumer DSL system at, and you won't find any clear discussion of security provisions. In fact, a frightening number of cable companies and DSL providers tell their users not to run a firewall.


  The best solution would be for the broadband providers to acknowledge they have a problem and partner with the firewall companies. Perhaps they could arrange for a preconfigured firewall on the software CD most ISPs ship to customers as part of the installation process. Better yet, they could start building firewalls into broadband modems, a logical step that would add less than $50 to equipment costs.

These approaches would create a new market for firewall companies and help train the broadband ISPs tech-support personal to troubleshoot firewall problems. And the ISPs could charge more for firewall support -- with complete justification.

In fact, both Symantec, the maker of the popular Norton personal firewall, and Zone Labs are in talks with ISPs about providing their security systems as part of standard broadband offerings. "Both parties would benefit from this arrangement. The software maker would get access to a powerful sales channel, and the broadband provider can take the high ground as security-minded," says William Malik, a security expert and vice-president at researcher Gartner.

Still, broadband companies are giving no indication when they'll accommodate firewalls, if ever. And few inside the industry think it's a burning issue right now. That's a shame. Firewalls are a necessary part of running broadband Net connections. So ISPs should create a single point of contact for both standard customer-support and for firewall issues. Anything less would leave customers swinging in the breeze -- and the entire Internet open to bigger problems down the road.

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online

Edited by Beth Belton

    Before it's here, it's on the Bloomberg Terminal.