Secure My ISP Network—Please!

What are the choices for Internet Service Providers where it comes to security services. Security Center Editor Larry Seltzer spoke to several companies about the possibilities. While the many choices may make the market a little unclear, he thinks securi

Ive argued for several years that ISPs should be doing more to create secure environments for their customers. So I recently approached some major security companies and asked them to imagine that Im a medium-size ISP interested in providing security services for my users, such as antivirus, spam filtering, perhaps even some intrusion detection or firewalling services. What would they have to offer me?

The most interesting fact I uncovered through this research is that there are a lot more ISPs than I thought providing at least the basics, by which I mean antivirus scanning of e-mail. Quite a few broadband systems offer MSN, which has e-mail virus scanning and decent spam filtering. Ive run into a number of other, smaller ISPs such as my own that do e-mail virus scanning. My own ISP uses Authentiums Command Software products.

At the same time, the other big national ISPs seem more reluctant to add these services, perhaps because of cost considerations. Earthlink has the excellent Brightmail-based spam filtering. AOL also doesnt offer it, but their AOL for Broadband service does include a personal firewall and enhanced spam protection.

There are two basic approaches an ISP could take, much as there are two approaches an enterprise could take: implement the security products as part of their own infrastructure, or outsource them.

With this in mind, theres no surprise that Trend Micro provides mostly the same enterprise network security tools to ISPs that it offers to enterprises to protect their networks. The core of their offering is InterScan Messaging Security Suite (IMSS), perhaps the top gateway-level security product.

Trend Micro also has a separate antispam filtering product called Spam Prevention Service (SPS) that works with IMSS. I recently looked at both for a comparative first-look review that will appear soon in PC Magazine.

Trend Micros software gives a lot of flexibility to the administrator, but it doesnt inherently give any control to the user. For example, the standard implementation for a standard POP3 account by most ISPs would block viruses and worms, and mark spam with a subject line tag (such as [SPAM:]) or a custom header. If the ISP offers customers a Web-based mail interface, that could become the basis for a spam quarantine with the mail feed based on processing in IMSS.

A good example of the service approach is Postini, which filters both spam and viruses. Postinis original business model was to work with ISPs. They have since moved to focus on enterprise contracts, but said about 50 percent of their hosted accounts are still ISP accounts. Postini said it is the fourth largest processor of e-mail in the world (behind AOL, MSN/Hotmail and Yahoo! Mail).

The advantage of outsourcing this protection are numerous: Postini does all the work and performs all the processing. Instead of a capital expenditure, the ISP gets a expense that they can pass on to the user or even mark up.

Another benefit an ISP receives with Postinis service approach is a user interface that lets customers manage their spam. Users log into the Postini site where they can access a quarantine area containing mail marked as spam.

ISP administrators can set how much control users will have over their own spam filtering, which can range from none to quite a bit. So, depending on what features the administrator allows, users can recover messages, modify the settings for how aggressive the filtering should be, and manage personal blacklists and whitelists.

In addition, Trend Micros makes a distinction in their products that may translate to a significant cost difference for ISPs. The company offers antivirus scanning at the gateway or at the mail server. The distinction is an important one.

Mail server protection, which in my experience is what most ISPs actually offer, scans mail going through the mail servers. Scanning at the gateway would protect all SMTP traffic on the network, including private SMTP servers run by users and rogue SMTP servers built in to worms like Klez and SoBig. While its not a critical issue, complete SMTP protection clearly provides a better level of service.

Trend says mail server protection costs roughly 10 to 15 percent less than its gateway protection, which runs about $2.20 per year for each user.

Since Postini only protects mail intended for the ISPs mail servers, it has the same limitations as the mail server protection found in the Trend model. Postinis ISP service charges start at $6 per year for each user and the price goes down as the number of users increases.

Even as the higher-end ISPs are finally coming up to speed on security services, it seems like all the action in the ISP market can be found in the bargain segment. Here services like Juno are growing by charging $9.95/month for a basic, no-frills service. Even AOL is getting into the act with their own $9.95 service, You can bet that AOL doesnt intend to lose money on this low-end service by throwing in a bunch of expensive security protections. To the extent that AOL is willing to enhance their security protections, they will do so for their more expensive service.

ISPs are aware of what is necessary to make their networks far more secure. However, its clear that it will never be economically feasible (or even desirable from a support and ease-of-use standpoint) for ISPs to build the kind of secure network that a nervous corporation might want; one that includes certificates and VPNs, for example.

However, the security technologies that can do the vast majority of the job are well-understood and fairly easy to work with. They just cost money, and theres the main problem. If users dont appreciate the problem well enough to pay a few extra bucks a month, it wont pay for ISPs to make the network secure. And a large part of the market will remain lawless.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer