ISP Security: Do We Expect Too Much?

With so many people now connecting to business networks from home routers, ISP security takes on heightened importance. But is the security provided by ISPs good enough to be the only security SMBs and remote employees need?

Billions of people are working from home these days, whether due to the pandemic or because this has been their set-up all along. All depend on their home ISPs to do what they’re supposed to: keep them connected to customers, suppliers, and colleagues around the clock.

But ISPs are not known for their security protections. Yes, many now say they’re increasing their defenses against attacks, but can small to midsize businesses (SMBs) and remote workers bet their livelihoods on it?

“In a word, no,” says Dark Cubed CEO Vince Crisler, once a chief information security officer at the White House. “We are seeing increased focus on security in advertising to small businesses and residential users from ISPs, but so far these are primarily minimalistic capabilities driven by marketing purposes instead of security.”

But there’s a reason why ISP security capabilities tend to remain minimal or sketchy.

“The typical Internet service provider is primarily focused on delivering reliable, predictable bandwidth to their customers,” Crisler says. “They value connectivity and reliability above everything else. As such, if they need to make a trade-off decision between security and uptime, they will focus on uptime.”

To be fair, demand for speed and reliable connections was crushing many home ISPs in the early days of the pandemic. For some, it remains a serious strain.

“In the early weeks of the pandemic, when people started using their residential connections at once, ISPs were faced with major outages as bandwidth oversubscription and increased botnet traffic created serious bottlenecks for people working at home,” says Bogdan Botezatu, director of threat research and reporting at Bitdefender.

ISPs’ often aging and inadequately protected home hardware presents many security vulnerabilities as well.

“Many home users rent network hardware from their ISP. These devices are exposed directly to the Internet but often lack basic security controls. For example, they rarely if ever receive updates and often leave services like Telnet open,” says Art Sturdevant, VP of technical operations at Internet device search engine Censys. “And on devices that can be configured using a Web page, we often see self-signed certificates, a lack of TLS for login pages, and default credentials in use. These devices become targets for botnets and can become entry points for attackers to pivot into home networks.”

An ISP’s Rebuttal
Hold up, say ISPs, which point out that security issues do not rest solely on them. They’re right. A lot depends on user behaviors, too. But even so, user expectations of ISP security tend to be high, which is driving ISPs to up their security game despite the challenges.

“Security is a multilevel issue,” says Shrihari Pandit, president and CEO of Stealth Communications, an ISP based in New York City and focused on providing connectivity to businesses.

“Perhaps the best way to break this down is by the ISO [layers of communication],” says Pandit, offering the following explanations of typical ISP challenges and fixes:

Layer 1/Physical Layer: “Traffic is unencrypted between the ISP and customer on most ISPs. This is particularly an issue when providers are delivering service via wireless and fiber PON [passive optical network] technologies. These technologies ‘broadcast” traffic to all subscribers. Bad actors can ‘snoop’ the airways or physically tap into the fiber PON network to pick up traffic of other subscribers.”

Layer 2/Data link layer (Ethernet): “Like Layer 1, Layer 2 represents a communication path between the ISP and customer; traffic is typically unencrypted and prone to snooping. There have been advancements in this area to better improve security by using technologies such as MACsec. It can secure all traffic on an Ethernet network, including DHCP and ARP, as well as traffic from higher layer protocols, such as HTTP, SMTP, etc. The advantages of utilizing MACsec between the ISP and customer is all traffic is automatically encrypted between the provider and customer. Encryption can be done at line-rate, low-latency compared to encrypting at Layer 3 or higher.”

Layer 3/Transport Layer (Internet Protocol): “At the Internet Protocol layer, users and organizations may deploy IPsec to provide end-to-end encryption between two endpoints across the Internet, making it difficult for any potential bad actors on the ISP access network to decode traffic.”

Marked security issues lurk in conflicts of interest as well – just maybe not the conflicts one would expect.

“The primary challenge with expecting ISPs to provide security is the idea that privacy and security are in conflict within their business model,” Crisler says. “ISP customers expect to be able to use their Internet connections for whatever purpose they want without monitoring by their ISP. However, to provide security functionality, ISPs must pierce the veil of privacy.”  

Virtual private networks (VPNs) may be the better protector for both security and privacy. Or maybe not.

(Why not? Continue reading on second page.)

A prolific writer and analyst, Pam Baker’s published work appears in many leading publications. She’s also the author of several books, the most recent of which is “Data Divination: Big Data Strategies.” Baker is also a popular speaker at technology conferences and a member … View Full Bio


1 of 2


Recommended Reading:

More Insights

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips