Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)

In this section, we provide a list of common questions you should ask a prospective ISP to determine if it is following "best practices" with regard to securing critical elements of its network infrastructure and providing you with secure, reliable services. The list should provide you with a good starting point to develop your own criteria for evaluating an ISP and its services, or for evaluating your own Internet security practices. These questions cover a broad range of topics from IP routing, to DNS and mail services, to customer support. Some of these questions apply to issues we will cover in later chapters, so you may wish to read on, and come back to these later.

• Does the ISP have a 24/7 network operations center (NOC)?

• Does the ISP utilize RFC 2142 role-based e-mail aliases for common organizational contact aliases such as abuse, security, noc, postmaster , and hostmaster ?

• Does the ISP properly register IP prefixes and/or ASNs with role-based contact information (per RFC 2142)?

• Does the ISP restrict both DNS zone transfers and recursive queries to customers/ employees only?

• Does the ISP have redundant, geographically diverse DNS servers?

• Does the ISP restrict mail relaying to customers/employees on MX hosts ?

• Does the ISP utilize anti-spam measures on MX hosts?

• Does the ISP or organization properly filter routing advertisements from external peers:

• Using RADB or other routing policy databases?

• Using proper access controls and filtering policies on border routers?

• Does the ISP or organization properly filter "directed traffic" from Internet sources? (inbound from the ISP/Internet)?

• Does the ISP or organization properly restrict remote login to the border router from the Internet (or require access through out-of- band mechanism)?

• Does the ISP or organization participate in intelligence sharing with security researchers, anti-spammers, and other providers?

• Does the ISP or organization work with law enforcement to assist in prosecutions of Internet-based crime (e.g., FBI's Operation Slam Spam)?

• Does the ISP or organization file lawsuits against criminal abusers?

• Does the ISP or organization act aggressively to get known abusers off networks and keep them from getting on in the first place (e.g., Spamhaus Blackhole List, or SBL)?

• Does the ISP or organization provide 24/7 incident response capabilities?

• Does the ISP implement ad-hoc packet/route filtering in the event of an attack against the organization (known as "upstream filtering")?

Again, this list is not exhaustive, but for organizations it provides a good starting point to evaluate an ISP, or to evaluate its own security policies. If an organization is evaluating an ISP and the majority of the answers to these questions is not "yes," find another ISP!