Should ISPs Be The Little Man's Firewall?
Anonymous Coward writes "In a paper published today, the point is made that ISPs should filter some ports (e.g. 135) for good. I guess given what everyone sees hitting their various firewalls these days, this may make sense. But wasn't the Internet supposed to be 'open' at one point? Or are we to the point where Internet=Web (and maybe AIM). The author of the paper is operating DShield and I guess has some insight into this issue. He made the same points before on various mailing lists."
And not something you get by default and then have to opt out of - something you get offered and must opt into. I don't care if port X of all the clueless people's machines gets abused; if I want to use port X, I'm going to.
...Also, I didn't know Buggalo could fly.
No
Putting the romance back into necromancer.
relies on me to find the latest virii/worms that are going to pound the bandwidth, get their port numbers, and set up ACLs accordingly. Not only do the customers like it, it gives us more time to patch our hundreds of machines, and decreases our incoming bandwidth.
Overall, I help stop another hundred thousand or so Win32 users from pounding the net to death. I don't see how anyone could see this as a bad thing. (welcome input)
Get paid to code OSS
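The admin above describes the loop an ISP actually runs: watch what hits the edge, pull the worm's port numbers out of the logs, write an ACL. The following is an added example, not code from any poster here, that does the first two steps over a constructed netfilter-style log excerpt: it counts inbound hits per destination port, tracks how many distinct sources are involved, and nominates ports seeing many hits from many sources (one infected host hammering one port is not a wave). The log format, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed netfilter-style log excerpt (not a real capture): what a worm
# wave against TCP 135 looks like at an edge router, with a few unrelated
# probes mixed in. Addresses are from the documentation ranges.
SAMPLE_LOG = """\
Aug 14 02:11:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.7 PROTO=TCP SPT=3311 DPT=135 SYN
Aug 14 02:11:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.88 DST=203.0.113.7 PROTO=TCP SPT=1184 DPT=135 SYN
Aug 14 02:11:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.17 DST=203.0.113.7 PROTO=TCP SPT=4412 DPT=80 SYN
Aug 14 02:11:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 PROTO=TCP SPT=2077 DPT=135 SYN
Aug 14 02:11:06 gw kernel: IN=eth0 OUT= SRC=192.0.2.201 DST=203.0.113.7 PROTO=TCP SPT=3345 DPT=4444 SYN
Aug 14 02:11:07 gw kernel: IN=eth0 OUT= SRC=198.51.100.150 DST=203.0.113.7 PROTO=TCP SPT=1025 DPT=135 SYN
Aug 14 02:11:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=203.0.113.7 PROTO=UDP SPT=1434 DPT=1434 LEN=404
Aug 14 02:11:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.60 DST=203.0.113.7 PROTO=TCP SPT=2290 DPT=135 SYN
Aug 14 02:11:12 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.7 PROTO=TCP SPT=3999 DPT=22 SYN
Aug 14 02:11:13 gw kernel: IN=eth0 OUT= SRC=198.51.100.31 DST=203.0.113.7 PROTO=TCP SPT=1200 DPT=135 SYN
"""

# syslog timestamp, source address, protocol and destination port; netfilter
# always emits PROTO before SPT/DPT, which the pattern relies on.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dport>\d+)"
)


def parse(log_text):
    """Yield (timestamp, src, proto, dport) for every parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated kernel chatter, skip it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["src"], m["proto"], int(m["dport"])


def probe_summary(log_text):
    """Return {(proto, dport): (hits, distinct_sources, hits_per_second)}."""
    events = list(parse(log_text))
    if not events:
        return {}
    times = [e[0] for e in events]
    window = (max(times) - min(times)).total_seconds() or 1.0
    hits = Counter()
    sources = {}
    for _, src, proto, dport in events:
        key = (proto, dport)
        hits[key] += 1
        sources.setdefault(key, set()).add(src)
    return {k: (n, len(sources[k]), n / window) for k, n in hits.items()}


def candidate_blocks(log_text, min_hits=3, min_sources=3):
    """Ports worth a temporary ACL: many hits from many distinct sources."""
    summary = probe_summary(log_text)
    return sorted(k for k, (n, s, _) in summary.items()
                  if n >= min_hits and s >= min_sources)


if __name__ == "__main__":
    for (proto, port), (n, s, rate) in sorted(probe_summary(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {n} hits from {s} sources ({rate:.2f}/s)")
    print("candidate ACL entries:", candidate_blocks(SAMPLE_LOG))
```

On the sample, only TCP/135 clears both thresholds (six hits from six sources); the single probes to 80, 22, 4444 and UDP 1434 do not. Whatever gets blocked on the strength of a report like this should carry an expiry and be re-evaluated, otherwise every wave permanently removes a port, which is exactly the objection raised further down the thread.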
I don't want them filtering anything for me, thank you. I can take care of myself. Next thing they'll be stripping attachments off of email and blocking content. Let internet Darwinism take its course; only the strong will survive, and when all these people get tired of the insecure crap that Windows is, maybe, just maybe, they'll vote with their dollars to not support MS anymore.
While I agree with the point, I think that power users should be allowed to call up the ISP (maybe even at initial sign-up) and be allowed to request that the ports remain unblocked. Otherwise, the internet *will* become just the web and AIM for everyone, whether they like it or not.
I think filtering out certain ports at the ISP level can only lead to restriction. Port filtering should be done at the local firewall, thus allowing for obscure ports to be used for certain particular reasons.
Too bad most people believe the Internet is just the WWW. As bad as this might be, it is not a question of whether it will happen, just when. I can imagine the reps at the ISPs saying that "those ports are only used by pornographers and pirates" as a cheap copout. Just my .02
If they just banned port 80 for good we would get rid of all the n00bs that cause all these problems.
I know for certain that MSN does. I had a friend who found he was unable to use a work SMTP relay and had to resort to using the MSN relay.
As for me, I use Qwest and have found that they will not allow me to keep an open TCP session, meaning my SSH sessions constantly stall.
Calling tech support resulted in an entertaining conversation during which the support guy insisted that if I could "browse my webs" everything was working.
Oh well, time to change ISPs...
Why either/or? Why not give the customers the option? Might make a nice feature. It will probably include a fee of some kind, however.
Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
No, no, no, no, no, no, no, no, no, no, no, no, no, no, no...
and NO.
Do I need to make it any clearer?
Though I really want to blame all the morons with unpatched IIS servers, there's this little voice in my head that's telling me that Optimum Online was more than happy to prevent those of us that don't want to pay $100+ for "business accounts" from running web servers.
By the way, a friend of mine in Houston told me his cable provider keeps all its users behind a NAT - no incoming connections at all. I guess that's the worst case scenario.
If my ISP gave me a slick web interface that allowed me to open or block ports specific to when I connect, I'd be all for it. Set the defaults to block things, to protect against worms and the like, but if I want those ports open to do something, it should be easy for me to open them. I think that's the perfect middle ground. People who don't know (or care) will be protected. Those who care can easily do whatever they want. The ISP just has to make it clear where the options are.
allow users to request that certain ports be opened again for them. I know most ISPs won't like the admin hassle of opening port XX for client abc123, but I think this could only have benefits.
-Pete
They shouldn't block ports. There are many users that need those ports to make connections (such as me). ISPs should distribute their own firewall/anti-virus software... and blocking ports might cause problems, too. I hate ISPs with firewalls.
I want a pure, untouched internet connection. My ISP blocks port 80, and it really angers me.
This is another case where techies do not think about things from the customer's point of view. Of course most slashdotters will want their ports open - the customers, on the other hand, don't know what a firewall is, what the implications of their ports are, etc. - quite frankly they shouldn't need to.
Filter by default - if you need your ports or you want to do your own firewalling then get the "advanced user" account that costs less but requires more responsibility from the user.
If anything this is just an opportunity for ISPs to make another value-added service to sell.
With the Internet being so popular these days, I think that filtering some ports can save a lot of hassle. Many people use the Internet just to browse the web, read email and chat, so why not?
On the other hand, ISPs may add an option to get an advanced connection, in which all the ports are open.
my 0.02$
The IT section color scheme sucks.
Blocking all other ports will just mean worms and virii will have a permanent effect. Each wave of them will kill off a port. When we run out of ports (because something will be written for each one) then the internet must shut down. Some redundant system.
Karma: Excellent^(-t/Tau), Tau=Wittiness/Trollishness
If ISPs just block port 135, then Microsoft will just run their services on a different port, then ISPs will block that port, and Microsoft will change the port again, and we will just continue that way until there are no more ports left.
I mean, with firewalls a lot of Windows exploits would be no more and then why would we need Linux et al?
Ok, </sarcasm> and all that, but seriously, recent Windows flaws must have been advantageous to the alternative OSes. If Windows was both user friendly and secure, why would Joe Sixpack ever change OS?
The problem isn't ports - it's the applications that use the ports.
-- $G
I think it is entirely reasonable for an ISP to block certain ports by default especially if they provide a simple mechanism for a user who does want to expose those ports.
It's almost a value added service.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
I dunno, why stop at port 135, aren't there hundreds, and they might be useful for something apart from getting attacked. A bit like closing all the roads into a town so we can't be attacked by cars. Damn inconvenient and too bad if we get attacked by a train or aeroplane instead.
But I do have my email go through a service that filters the virii and spam before it even gets to my PC. And it is a lot kinder than the AOL filters.
-- it must be true, it's on the internet.
For example, I know:
Port Service
21 FTP
22 SSH
80 HTTP
160? Secure HTTP
But what are some of the others?
If too many ISPs start blocking ports and too many people start clamouring, then it'll be a great excuse for the ISPs to start charging more again. For an extra $10 you can have a few hundred more ports opened up, hooray!
Security through promiscuity is no better than security through obscurity.
I use Videotron cable in Canada... When there was Nimda (I think), they blocked port 25. It still is blocked... Port 135 is blocked too, port 31337 (Back Orifice, I think...) is also blocked; in total there are about 15 blocked ports, if I remember correctly...
And I can't even opt out, dammit!
For those that want to read about the issue deeply, I highly recommend Lawrence Lessig's book: The Future of Ideas: The fate of the commons in a connected world.
Perhaps someone should inform them of this new invention called HTML. It's like a standard, the same standard that lets us read /. without proprietary add-ons from e.g. Adobe (which holds the PDF "standard" hostage, and is known to make US "police" forces kidnap foreign visitors and throw them in jail), which is IMHO not anything to condone.
That gives the customer control over everything that comes to their IP address on the ISP side.
I got absolutely no idea how such a beast could be made but it would be nice to stop it on their end rather than flooding mine.
"IF" the client accepts a kind of firewall service from the ISP, which hardware should do the work? Cisco PIXes? WatchGuard Linux boxes?...
I guess it would be a bit like not letting cars go over the speed limit and therefore building them to travel at only 60 KPH, etc. It would suck for the motor heads, just as default firewalling would suck for the propeller heads.
Gordon Staines
I am paying for raw internet bandwidth and that is what I expect to get. I will not tolerate any filtering or restrictions on the use of my account.
Any ISP that mandates filtering should also provide significant discounts to their customers as they are no longer providing a full raw feed. Of course, this will never happen as the filtering will increase the ISPs operating cost so the end result will be less service at a higher price.
Block my ports and I move to another ISP. If enough ISPs start blocking ports to the point that I can no longer find one that meets my needs, then I will open my own again because the demand for the small ISP will be back.
A few days after Code Red (I think) came out, Road Runner (in Central FL) blocked port 80. I switched Apache to run on 81 and everything was fine.
I think it would be great for ISPs to block ports other than the most obvious ones on an opt-out basis for new accounts. Make a quick option via an online account manager to disable selectively and voilà. Those who want access and have enough of a clue to maintain their boxes can probably figure out how to get to their ISP's website and disable the blocking. Those who think ports are the holes on the back of their computer can go along their merry clueless ways.
It will give lusers a false sense of security. I happen to travel with my notebook and one of the worst places where I get hit by viruses is not my home ISP or work, but hotel broadband connections in Asia.
If my ISP was protecting me, I would be complacent and I can see myself not updating the scanners / firewall on my notebook and getting hit the next time I went on the road.
The next issue is liability. If an ISP claims to protect and a luser gets infected, they're going to sue (at least in a North American situation).
HELL and NO
I'm sick of this kind of thinking already. It already happens with so called "transparent proxies" with virtually all of the ISPs in the UK - think you are getting a direct connection to slashdot.org on port 80? Think again.
The trouble with this kind of thing is that clueless ISPs set it up to be the default, and don't bother thinking about those that don't want it. Their thinking is "well why on Earth would you want to be unfiltered?". When you ask for it to be switched off, you'll be treated like an oddball, because all of their other customers are happy, and you will just be treated like a "difficult customer".
Of course, putting the infrastructure in place to support two types of users is not justifiable when it's just one customer here and there that wants it, so the end result is that you don't get a proper connection to the Internet. If enough ISPs tout this as a "feature", you can kiss goodbye to direct connections to the Internet. AOL, here we come!
Blocking egress port 25 ought to be standard for all residential ISPs. There is no reason for a consumer level access user to need to run their own mailserver, and in fact almost none do (on purpose). Of course, many Windows users recently were unwittingly running an SMTP engine in the form of Sobig.(?).
ISPs need to ensure that their residential customers have egress SMTP traffic restricted to their mail servers. Users needing corporate e-mail access most likely can via SMTPS or a VPN if their IT department knows what they are doing. Users need to be respectful of the fact that they are paying for a consumer level service. If you want business level service, realize this is a higher end cost for the ISP (yes, it is-- more bandwidth, possible peering issues due to ingress vs egress traffic, legal liabilities, etc.)
ISPs supplying service to businesses need to enforce the clauses in most service agreements that require the business to 'not engage in activity that will be detrimental to the network or the Internet as a whole' (or similar- IANAL). Spamming, viruses, worms, etc. need to be controlled by the business's IT department, and the ISP should trust their business clients and allow unfettered access. If a business does not know how to secure themselves, they should be contracting someone else to help them (this could include the ISP, of course). Otherwise, they deserve to be treated as a danger to the ISP, since complaints, blacklists, and reduced bandwidth could be the result of unrestricted access.
I'm no internet protocol expert, but all of this is just communication. The vulnerabilities that exist exist because people for some reason set up (or allow to be set up) systems of logic that automatically commit actions based on that communication. That doesn't mean that one should simply not listen to a channel of communication - that means that one should not automatically commit actions based on what is heard from that channel of communication.
If a service providing internet communication starts preventing its users from even being able to hear some channel of communication for fear of the automatic actions of its users' systems
Ryan Fenton
Port filtering already happens here; a lot of the "ISPs" here (Australia) have no control over the network. The company who runs the network tells you nicely to go back to your reseller (who will do jack because you are only one person and it requires the support person to find their supervisor and fill in paperwork).
Charter high speed internet already uses some port filtering; they block outgoing traffic on ports 21 and 80 (and probably more) to prevent people from using personal-grade service for what their tech support calls "business purposes" (Web/FTP servers).
perhaps Comcast will start coming over to change my car's oil and change my kid's diapers too? After all, I must not be adult enough to maintain my own fucking computer.
Adelphia's filtering has gotten way out of hand in my area. So much so that I don't believe it warrants $40 plus basic cable to continue subscribing. On the plus side, Sprint will be here Wednesday to hook up DSL. I love voting with my dollar.
That's what many (most?) big ISPs would have you believe. Actually they don't want the Internet to be used for Web only, they also accept POP3, SMTP, and some form of IM.
The critical limitation ISPs like to make is that the "Internet Access" they provide is client-only. You can't serve web-pages, only read them. For a typical writeup, look at the Comcast Terms of Service:
(xiv) run programs, equipment, or servers from the Premises that provide network content or any other services to anyone outside of your Premises LAN (Local Area Network), also commonly referred to as public services or servers.
Note that technically, that clause doesn't even allow you to send an email to an outsider (that would be running a program to provide him content, after all!)
In my opinion, anyone selling a service named "High-speed Internet Access" and then placing such restrictions on it is engaged in false advertising. The term "Internet Access" has a well-defined technical meaning: that the provider will make an effort to deliver packets (on any valid port number)
Back to the topic of the article:
It would be bad if ISPs continue to block "dangerous" ports by default. They could offer an inexpensive "software firewall" service to their customers, "we'll protect your PC so you don't have to (as much)", but that should be optional.
My ISP blocks those channels to prevent me from throwing things at the TV screen when important talking chimps appear.
Seems pretty clear that the average home user needs to be firewalled. People who even care will probably be the same people who want static IPs, guaranteed uptime, and other goodies: business users and geeks. So even if they do lock down the basic service, you can always get a business account.
The best would be for there to be a mid-range account which doesn't have to pay the full business price (and doesn't have the same service guarantees) but does get no-hassle access. I'd be willing to pay $5 more per month or so for that.
Here's a neat idea: you get your account, and they ship you a cable modem and personal firewall device. You're free not to use it (well, maybe the TOS say you have to, but nobody listens to them anyway) but they tell you that if you don't you'll leave yourself open to hackers and viruses. 90% of people will plug it in and forget about it, while the geeks will disassemble it to see how it works and then set up their own.
This is a great idea. Along with the firewall on my individual machine, I would enjoy a firewall run by the ISP that would allow me to create the rules. That way I am able to block packets that require a lot of bandwidth (i.e. DoS) at the ISP server, so the connection to my ISP doesn't slow because of it.
i blocked port 135. it was draconian. i didn't care. my network didn't work with it enabled. some things like privacy you have to honor at all times, but other things like access... well, those aren't as important when you're in a crisis.
:D
on the flip side, i feel bad for anyone with an isp that does nat. first day i re-dhcp to get a working, natted connection is the day i go shopping for a new isp for home. *sigh* wish my own service worked at home
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
No. I work for an ISP, and people ask this all the time. My response is usually: we don't offer limited connections. I usually draw an analogy to the phone company... if you receive prank/threatening/sexual phone calls, will the phone company screen them for you? No, that's your responsibility. If you can't handle screening your own calls, perhaps you shouldn't have a telephone. This is very similar to the flashing 12 problem...
FLR
At least completely.
Even if you do prevent a worm entering your PC the fact that it is active on a significant number of other PCs at your ISP can still mean you suffer the effects.
My ISP has been blocking ports 0 - 1024, except 113, ever since I got my DSL. It really has been more use than pain, even though I wanted to get rid of it at first. But thanks to it, I haven't had the need to install any firewalls and have been safe from all the worms, and I can use Microsoft networking in my LAN with simple passwords and it feels secure. All my boxes also get their IPs from the ISP's DHCP server, so setting up things like NFS would be problematic without that firewall; now I know that if there's traffic coming to the NFS ports it comes from my LAN and can be just allowed to enter no matter what IP the box has.
I also run FTP, HTTP and SSH servers here; they run on nonstandard ports, but that hasn't given me any trouble yet, quite the opposite: I have received zero "scans" and zero IIS attack attempts (I run Apache anyway though) to those ports, which again gives me the impression that it's better this way.
Only thing I'm worried about is that if my ISP some day takes off this firewall without making an announcement of it then all my systems would be left open, and I can't check if it's still there unless I ask someone from outside the firewall to try to scan me or something.
...but I suppose when TCP/IP was created, no one thought of the Internet as it is today. There should have been a section of ports dedicated to "LAN software", which by common agreement would be dropped by ISPs.
It would keep a lot of services that aren't supposed to go outside the home where they belong, and if you didn't want that, you could put the service on a "public" port. What is happening now is basically patchwork by individual ISPs, blocking ports but with little coordination.
I want to have a free Internet where you can use any port you want. But there are also quite a few services that shouldn't be accessible from the Internet too, customer-side firewall or not. Latest and greatest is the Messenger service spam. Why would such a service be open to the world? But there's no "private" port you can put it on where only LAN requests come through. Not unless you do IP filtering, but wouldn't it be just as easy to have some port range that you simply know won't be sent to/received from by your ISP?
Kjella
Live today, because you never know what tomorrow brings
One local ISP (I no longer use them) blocks ICMP and a host of other ports, filters mail for SPAM, provides groupware-like features (calendar, message boards that are not Usenet).
For the same reason I don't want AOL or MSN, why would I want an ISP that gives me the pseudo-internet? There's a lot more to computers and the Internet than just what some companies want us to see.
What's next, DRM & signed internet applications to use my Internet connection? (Uh wait, that's partially MS' vision already...)
Some time back one of the two cable internet providers in Australia blocked port 25 without warning their customers. People who had their own mail servers could not get mail.
What kind of world is it when a three page, "paper" gets a link on slashdot? No data was analyzed, the opposing arguments were set up as straw men, and the dominant rhetorical technique was mind numbing repetition.
OK, you've said what, six, seven times, now, that three ports should be blocked. But why? Isn't this just the simple, elegant and wrong solution?
I'd prefer to see a lot of the basic technologies redesigned from scratch. Like an email system where you have to have some kind of verifiable identity to send mail, even if it's only a $5 electronic certificate. But that's not going to happen any time soon. In the mean time, you can hardly blame ISPs for wanting to minimize wasted bandwidth, and respond to customer complaints -- even though the only way to do this is restrictive and kludgy filtering.
Actually, there is probably a better way yet: An ISP can block its ports if it wants to, but it must tell its users, and there needs to be at least two different ISPs in any market.
Some ISPs could advertise that they block $a, $b, and $c, as a security measure. If the customer doesn't want to think about security, they go with those ISPs. Others could advertise they allow access to the entire net. I would sign up for that, and do my own security.
Of course, for this to work there actually needs to be competition in the ISP realm. Not a given at the moment.
'Sensible' is a curse word.
And my machine should be only as open as I want it to be. If you want to be lazy about protecting your machine, it's your loss, not mine. And if I don't want your infected piece-of-shart machine to access mine, so be it.
Other users inside the same ISP can still cause you problems.
With the Republicans in control, count on all your ports to be blocked, censored, and filtered.
As long as there are ANY incoming ports left open then nothing stops a trojan from using it. Even if ALL incoming ports are blocked nothing stops a trojan from making an outgoing connection itself.
Then you (as well as your employers) are very short sighted. I could well be using those ports. Many software programs that dynamically allocate ports likely will use some ports you block, and users applications will just fail "randomly". And, of course, your tech support people will deny all knowledge of it. Or, in the case of well known ports such as port 135 mentioned in the original posting, I've actually used port 135 to share entire windows directory structures across the Internet (between a system in Indiana and one in North Carolina). It was slick and very handy, although too few understand how cleanly (and safely) this can be set up and made to work. How can slashdot readers really advocate ISPs blocking the utility of the service we buy because some people who also buy it are too lazy to learn to use it properly?
I'm an American. I love this country and the freedoms that we used to have.
The simpleminded answer is 'sure, for everybody's protection block the ports'.
But you see they are our ports, and our tools
Each port taken away removes a piece of the net, the net isn't the web.
The wrongful lesson in a post 911 world is that we all somehow can be protected.
And that, that protection requires giving up freedoms, privacy, ports, DNA it's all the same thing.
There is no way in hell you would have given these things up when you felt strong and safe,
but now that you are frightened you'll do almost anything suggested in an attempt to hide at momma's breast.
Ports are power, and if North American and European ISPs block ports, the effect won't be to make us more secure, only to make us weaker.
And to make us less than those regions of the internet map that won't block those ports.
Which four ports will we be left, and how much easier will it be to monitor and control the traffic on those ports?
Trading freedom for security is like trading love for life, it's a bad deal.
That's some quality work. Where did you get the Jeff K filter?
If we effectively kill off every port on the internet.. what is the point of having the TCP layer protocol? And if we killed it, wouldn't a lot of devices simply stop working? So I ask.. WHY!?
Personally, I love the idea of having ports. It allows a lot of intrasystem communication, even if it isn't the best way of doing it, and it allows many, many services to run on one machine. Hell, without TCP, we wouldn't have IMAP or POP3 or SMTP etc.. (unless someone did them from a web front, sorta like Yahoo, but then it's the same thing on their end....) Somewhere down the line, people have gotta realize, fixing the problem doesn't mean you have to break something else in the first place. ISPs need to let the users deal with viruses, even if they are 100% computer illiterate. Maybe they should offer a service where they will patch your system for a price, instead of simply blocking a port that someone may have been using constructively. This really outrages me, because Adelphia, my cable provider, has killed so many ports due to virus outbreaks (Code Red killed 80, MSBlaster killed 135, 139, 4444, and a bunch of UDP ports), ports that I would have liked to use (port 80 mainly). I have to redirect to 8080, and not many people will know how to do that. Please people, think before doing something so drastic as cutting off all the ports... There are much better solutions.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
Then how is an application supposed to discover on what port a machine is offering a service? What if you didn't know on which port Slashdot was running its HTTP server?
Will I retire or break 10K?
The internet was built by geeks.
Built by those who knew what they were doing.
As such, how many geeks need the ISP to act as a firewall?
Answer: None
Solution?
Simply have the ISP be a firewall for a limited number of ports (i.e. 135) that are generally only used for attacks.
For the poor geeks? Make it a one-phone-call affair to quote-unquote DMZ themselves ahead of it, no hassle aside from the initial firewall.
It's not completely "open" still, I suppose, but it's not all geeks anymore either :-p
Sure this starts out helping the net in general and preventing everything from going to hell when the next virus comes out.....but what if the RIAA after some successful lawmaking decides that whatever ports Kazaa is running on are bad/illegal and must be blocked? Or what if program X runs on port Y and whatever group doesn't like it decides to block it? Obviously there are other ways around it....but not everybody knows those. Maybe I'm just being paranoid....but with some of the things that have happened lately, who's to say.
Buy Steampunk Clothing Online!
Wouldn't it be smarter for an ISP to deliver this firewall feature as a free or paid service which you could opt in to?
I know my ISP is already providing optional free spam filtering which I can enable/disable using a simple web interface.
-red.
I agree with both blocking and allowing for unblocked service. I would expect some ISPs, like AOL, to have ports that are blocked, with filtering and other stuff for the user who wants just WEB and email. On the other hand, if I have an account with joeTech.com, I would expect all the ports to be available and no filtering. In other words, it would just be a consumer choice. I don't see a problem with doing this. Who knows, there are probably some ISPs out there who are blocking and we just don't know about them.
There is no spoon or sig.
I spent from 10pm last night till 4am on a conference with the worst bandwidth provider in Arlington, Texas because one of my clients was getting one of his T1 lines bombarded by a DDoS attack. The concept of dropping non-source-routed packets was foreign to them. I guess the point I'm getting to is, there are some things the guy on the other end of the T1 line can not do for himself. Even if he had the best bridging packet filter in the world between his T1 and his machines, the pipe would still be screwed at the router above him. So yeah, you bet your ass the provider needs to step in when things are happening at their level. And if they are selling T1 lines to people, they should have the kind of talent in place and IDS systems in place to detect attacks and crap of this nature and do something about it.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
on port 80 anymore, so why bother running it?
If your web server isn't providing content to the Internet, you should have been able to keep using TCP port 80, as it should have been firewalled off from the Internet.
ISPs would love this idea, as it allows them to build a "Walled Garden", and then charge you each and every time you walk through the gate.
- ISPs start blocking ports
- All software uses port 80
- ISPs start using more complex and intrusive filtering that blocks everything that doesn't look like MSIE
- The internet is officially shit
I can't fucking wait. Game... blouses.
I think the danger is that if the customer thinks his ISP is making him safe, he is in a false sense of security. Things will still get through via open ports, ActiveX, email, etc., and the customer will bitch and whine because their ISP was supposed to be firewalling for them.
Well, I guess the underlying assumption here is that the software using ports 135, 137, 139, and 445 is either broken beyond repair from the security perspective or the software is very hard to configure properly (because it seems people accidentally misconfigure it to be open to the entire Internet). Either way, the suggested measure would be an unnecessary limit on free communication for no other reason than a common implementation of certain protocols.
If it is possible for clueless users to accidentally run software that puts their computers at great risk, then I say there is a serious usability problem here. If the software implementation and/or protocols itself are insecure, providing a better implementation/protocol is a step towards better future. Trying to shift the responsibility to ISPs isn't the way to go.
But they should probably not be open by default. If I were running an ISP I'd close off all ports and give users a web page where they could open the ports that they wanted (as well as 'groups' like "everything", "common vulnerabilities", etc.).
autopr0n is like, down and stuff.
I'm not sure about those people whose responses I've read so far, but my firewall has made little difference to the impact of things like Blaster on me. Yes, it's correctly configured (blah blah blah) but the problem I am experiencing is the usual requests for help from friends and co-workers. :-)
When Blaster came out I spent every evening for the following week at the homes of friends and family patching their systems, cleaning them up, and trying to get them to realise that part of the price of being on the Internet is to keep clicking on the Windows Update link and keep their anti-virus software up to date.
While I have so far scored a good quantity of beer and associated comestibles as part of the deal, I'd rather that there was an easier way to protect people from these damn worms, etc.
If those less technical users could get a 'safe' ISP that would provide blocking of SPAM/Malware on SMTP, as well as some basic web filtering for nasties and cursory firewalling (i.e. block incoming traffic to ports below 1025), people would be a great deal safer and my life would be easier.
Provide a web interface to allow users to restrict by port or protocol, and a lot of these worms would just die. I see Blaster probes on my dial-up link on average every two seconds. Probing on port 80 seems to have vanished (side effect of people cleaning/patching their own systems in response to Blaster?), but it is still eating bandwidth. I'd love the ability to block at the ISP all incoming traffic destined for TCP port 135 (as well as some of the other known ports). If nothing else it would make my analog line faster.
I'm *shocked* that SANS would advocate this or even allow this position to come out. While I'm all for open debate and idea-sharing, this is so incredibly wrong it's ridiculous.
It seems that the writer and SANS have *NO* idea what it means to port filter on hardware devices, and how strenuous that can be on routers and switches in a network as they are obligated to examine every packet deeper and deeper into the IP packet format.
Similarly, blocking ports directly at the edge doesn't work too well either, since it's all too often a manual effort to maintain CPE gear at customer sites, and there's the inevitable customer phone call that (X) doesn't work.
Lastly, last time I checked, these ports we're so interested in blocking were used by MICROSOFT applications. The only OS manufacturer in the world left that leaves everything turned ON. Last time I checked, this was the INTERNET, not MICROSOFT NET.
I am totally uninterested in allowing Microsoft to dictate directly or indirectly how my customers can communicate across the Internet. What's next? They decide to use a port range of several thousand ports for a new flavor of RPC and then we go block several thousand?
This is a *very* slippery slope we don't want to go down, because the RIAA, BSA, and all these other corporate idiots are going to try and twist it into making it a requirement.
Microsoft and others need to wake up and start drinking the security soft drink - either write responsible software designed to be used on an insecure Internet, or take yourself and your products off the Internet - turning off default capabilities, and writing RESPONSIBLE SOFTWARE like everyone else does instead of playing money margins to get away with what you can.
Step up, Microsoft, or get off the Internet.
When you open your account, it should be firewalled.
When you go to your account management page, you should be able to open or close ports at will, or disable their firewall of your account altogether.
So, you start with the default of protecting the stupid or uninterested and allow it to scale on demand.
And in a SOX-Firewall-Proxy style activity, you should be able to have an application that temporarily opens ports.
(all without intrusive record keeping, because requiring the ISPs to keep records of all the tiny changes, presumably for some obscure government anti-music-terrorist scheme hatched by some evil anarchist-hating "special interest"; because having to track these records would be the only technical or financial barrier to getting this done more or less by next weekend... 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Firstly, if there was a regulation put in place that required ISPs to default-block initial ports for all of their customers, there had better be some funding that comes along with that regulation, because quite simply, on even a smaller ISP's network (say 10 cities in the US) the manpower cost to implement this kind of filtering is not cheap. Secondly, ISPs have enough problems making money and want to leverage things like this as services to increase their revenues. If you think that ISPs should by default block certain ports and provide protection for end-users, then you may as well give all the network services of the nation to AOL Time Warner. Let us also not forget that M$ doesn't come out of this scot-free either, with their careless enabling of services by default as well as poor coding. (I blame the former more than the latter) Thanks, -k
testing out my trending skills
Imagine that an ISP DOES start filtering as part of its normal service. Then suppose that an additional attack vector is found that circumvents the ISP's 'firewall'. Who's at fault? It's like ISPs that try to filter Usenet: are they then responsible when porn gets through? It's a slippery slope that would probably be better not to get into.
And if they start what's to stop them from taking a payment from Microsoft to block Yahoo Messenger, AIM, but not MSN?
ISP + Firewall = Bad.
What if it is just turtles all the way down?
I'm sure many have posted similar threads, but I'm greedy and want my own...
To the point though, why is there a problem in blocking ports when most users only use at most 3 EVER (25, 80, 110)? However, the best this would do would be a temporary gain. It's always been a game of cat and mouse, and it always will be. By taking an upper hand, all that would be accomplished is that new viruses would take advantage of ports that are allowed by the majority of ISPs.
Would a better approach be to let that user have full availability of all inbound traffic to let them see the 'naked net' and then just have restrictions on what goes out? It would still leave the responsibility on the end user to avoid complacency, as well as block anyone not able to fix the problem at hand from infecting others. I provide the resources of an ISP for VERY few people, and this is the way I have chosen to handle it personally.
Do I think that this should be legislated? Absolutely not! It would serve no meaningful advance, and be nothing more than another regulation that would have a fine attached to it in an already worn-thin atmosphere.
In the final analysis, nothing will compare to technically competent people at those ISPs. Even if the net gain is to stay just barely ahead.
For 95% of people.
And you should care "if port X of all the clueless people's machines get abused" for the simple reason that it may affect your service too.
I don't know how fat your pipe is, but even if you are a knowledgeable home user with a firewall on your end of that pipe, a significant amount of incoming traffic can still affect your connectivity even if you are dropping it once it's come across your link. It could even cost you money.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
However.. ISPs have to pay for bandwidth, take support and "deal" with useless traffic and network congestion from virii and remote DoS attacks.
For this reason we chose to filter ICMP.. which we have been doing for 3 years with no ill effects. This minimised the effect of the latest attacks and now Australia's bigger ISPs (Telstra, Optus) are looking at my network as a test case for the rest of Australia.
It also means you cannot ping or traceroute our customers.
RCN for example, blocks inbound 25/80 for all customers. Want to run your own mail/web server? Pay additional $10/mo. for static IP address.
Your ISP should be like your country. For example, your country protects you; your ISP should protect you. Your country reserves its right to punish you as it sees fit (extradition, etc.); your ISP should have first choice. The ISP should be defending its people, protecting its network, and creating services that help those in its "matrix".
For The Best Jazz/Hip-hop fusion > COlD DUCK
There's no reason, technically speaking, this couldn't be implemented on a per-user, almost completely automated basis.
This would more than likely need to be custom written, as many ISPs use various firewalls (both physical and software), RADIUS servers, etc. Anyone please reply if you know of software that already provides this functionality and ties into a number of brands of RADIUS servers and firewalls.
But there's no reason why a user couldn't log into his or her account and, through a web interface, select a number of predetermined levels of filtering. Defaulting to all open of course, and from there becoming tighter and tighter. There's no reason either that a user couldn't have his IP address switched to a NAT address also. Most users, especially those on dialup addresses, will never need to have ports open to the world. Gamers on the other hand might want to avoid this, but the ma and pa's of the world that log in for email and to look up simple stuff online will never need to have a public IP address.
..There's a-dooin's a-transpirin'
Mostly they do it so people like me don't set up websites and leech the living hell out of their bandwidth, but they've recently cut port 25: all mail has to be sent through THEIR mail server. If you want to set up one of your own, you have to switch the default ports.
Not too pleased, but it's cheap and I'm broke so it'll have to do for now.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
home computers shouldn't be directly connected to the internet anyway...
To paraphrase a TV court room saying (Law and Order), we are facing the old slippery nipple here.
Once it starts, where does it end? Our freedom to communicate could be severely restricted. Suppose that some ISP decides that P2P is taking up too much traffic, or the RIAA gets a court order to block all known P2P ports. They could potentially block everything except basic web, FTP and mail services.
that is all I have to say.
From excellent karma to terrible karma with a single +5 funny post...
OK, a computer has only 65536 ports, that is if I am not mistaken. Not all of which are used, but let's say some viruses take advantage of exploits, the next virus does the same, etc. etc. Then all 65536 ports become blocked. Then we'll have to come up with a whole new protocol for data transfer.
-illumina+us "I put on my robe and wizard hat..."
I had opened the article specifically to make this same comment.
Just like self-administered hosting services have successfully provided "servers for the little man" through virtual hosts and web configuration interfaces, ISPs could provide security for the average joe.
Integrate the UI well with your webmail (spam-filtering, etc) and other services, and your ISP portal can actually be more useful than as a bandwidth test.
Freedom is the freedom to say 2+2=4, everything else follows...
As part of their ADSL plan, iiNet by default blocks a few ports (I can't remember what they are). This is a good idea, as people do not generally run webservers or anything.
Of course you can turn this off - but what I would like to see is user-selectable port blocking as a part of an ISP's toolbox, so you can go in and say "I want ports 135, 139, 666 etc. etc. blocked" and the ISP filters those ports.
It might save ISPs counting millions of small virii packets.
A Tale of 2 idle hands
Group one (the default): all outgoing ports work. No incoming ports work. You may or may not be dynamically allocated, and your hostname looks like it. You're allowed to use the ISP's smarthost.
Group two (for those who ask for it): No filtering. You're statically assigned addresses and hostnames, either in the ISP's domain, or they do PTR delegations so you can handle it yourself. You are not allowed to use the ISP's smarthost. In other words, if you do something stupid, you and only you get blocked. You can't spew through the ISP's mail server, so you can't get them listed as a multistage relay (DSBL, others).
My parents and many other people would be plenty happy in group one. There is no reason for anyone to connect to their systems. All of their legitimate traffic comes from outgoing connections which they initiate.
Someone like me and many of the readers here would opt for group two. We don't want to use the ISP for anything but routing. We run our own mail servers, DNS servers, and so on. If something stupid happens, we own up to it and deal with the blocklisting or filtering that may be slapped down on our little home networks - typically /29s.
What stinks is when the ISP forces all customers into group 1 and doesn't have a group 2. Texas.net, I'm looking at you. I went with the evil telco DSL just because they weren't filtering incoming TCP connections.
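The two tiers described above, as an added example that is not code from the post: group one is default-deny inbound with replies to customer-initiated flows allowed, group two is unfiltered apart from ports the user explicitly asks to block (an assumed self-service feature). Packets, addresses and the connection table are constructed in memory; no network is touched.

```python
"""Toy model of the two service tiers: default-deny inbound with return
traffic allowed (group one) versus unfiltered (group two).  Added example,
not code from any post; packets and the connection table are constructed
in memory and no network is touched."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = customer -> Internet, "in" = Internet -> customer
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN (new connection attempt); always False for UDP


@dataclass
class CustomerPolicy:
    group: int                                          # 1 = filtered default, 2 = opt-in unfiltered
    blocked_inbound: set = field(default_factory=set)   # ports a group-two user chose to block (assumed UI feature)
    conntrack: set = field(default_factory=set)         # flows the customer initiated

    @staticmethod
    def flow_key(pkt):
        # Orient every packet customer-side first so a reply maps to the same key
        # as the outbound packet that opened the flow.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt):
        key = self.flow_key(pkt)
        if pkt.direction == "out":
            # "All outgoing ports work" in both groups; remember the flow so replies pass.
            self.conntrack.add(key)
            return "allow"
        if self.group == 2:
            # "No filtering", apart from whatever the user asked for explicitly.
            return "drop" if pkt.dport in self.blocked_inbound else "allow"
        # Group one: "no incoming ports work" unless the packet answers a flow the
        # customer started; an unsolicited SYN (e.g. a Blaster probe to 135) is dropped.
        if key in self.conntrack and not pkt.syn:
            return "allow"
        return "drop"


def run_scenario():
    """Feed constructed packets through both tiers and return the decisions."""
    cust, web, scanner = "198.51.100.10", "203.0.113.5", "192.0.2.77"   # constructed addresses
    http_out = Packet("out", "tcp", cust, 40000, web, 80, syn=True)
    http_reply = Packet("in", "tcp", web, 80, cust, 40000)
    probe_135 = Packet("in", "tcp", scanner, 4444, cust, 135, syn=True)
    ssh_in = Packet("in", "tcp", scanner, 50000, cust, 22, syn=True)
    dns_out = Packet("out", "udp", cust, 53001, web, 53)
    dns_reply = Packet("in", "udp", web, 53, cust, 53001)

    g1 = CustomerPolicy(group=1)
    g2 = CustomerPolicy(group=2)
    g2_opt = CustomerPolicy(group=2, blocked_inbound={135, 139})

    return {
        "g1_http_out": g1.decide(http_out),
        "g1_http_reply": g1.decide(http_reply),
        "g1_dns_out": g1.decide(dns_out),
        "g1_dns_reply": g1.decide(dns_reply),
        "g1_probe_135": g1.decide(probe_135),
        "g1_ssh_in": g1.decide(ssh_in),
        "g2_probe_135": g2.decide(probe_135),
        "g2_ssh_in": g2.decide(ssh_in),
        "g2opt_probe_135": g2_opt.decide(probe_135),
        "g2opt_ssh_in": g2_opt.decide(ssh_in),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16} {verdict}")
```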
The source of the problem this is addressing is an operating system that has every port opened by default. That operating system's owner can pay for this. They should have to fully fund it at the user level, not the ISP level. Otherwise STFU. I have a cheap-ass packet filter router on my cable modem. Guess what, I don't have any problems. This is an appliance a moron can configure. The manual has pictures even.
I run Linux. My systems are doubly secured by having all default open ports that are not needed shut off. I pay my ISP for full internet access. SANS needs to get its head out of its ass. I don't need to be made to suffer because Microsoft is too stupid and greedy to build security into any of its products.
As you can see I don't care about my karma.
When I read that my ISP (Cox) was going to block port 135, I started typing out a letter to them, stating my objection to that action. I was going to say that, as a Linux user, I was not affected and should be able to opt out of the block, etc...
Then I realized how pathetic I was sounding, and I deleted the file.
This thread is making me wish I had sent that letter.
Are all you pro-port-blocking people thinking about the fact that the RIAA would use this same concept to try to have ISPs block any ports that they wish? Once it becomes acceptable to block a few ports, it will not stop. Once the taboo against blocking is lifted, all it will take is a little money in the right political lackey's pocket. That is the real problem with this. Give an inch and they will steal a mile.
Just don't automatically block ports. Full open TCP/IP is why I signed up with Speakeasy, but they're not available everywhere. Give da peeples a choice, I say.
You are not the customer.
I think ISPs should block certain ports like 135-139. Too many people have these ports wide open. Once I was given a broadcast IP... and a few hundred Windows boxes destroyed my available bandwidth.
If you add up all the accesses to port 135, I'm sure it comes to a lot of wasted bandwidth.
Of course certain ports should not be blocked if the user wishes - like port 25. Several ISPs want you to pay EXTRA for a static IP just to have such ports unblocked.
Stuff like Blaster is causing them havoc (with bandwidth, router CPU loads, and tech support), so they pretty much have to block this stuff to keep it from getting further out of control. It's usually not feasible to unblock ports for one user while blocking everyone else.
That's what you get for paying for consumer-level internet access.
It should be up to users to protect themselves, or it should be an OPT-IN value-added service provided by the ISP, even if it costs extra.
I pay for bandwidth, plain and simple. I want every port open for whatever use I so desire, with no blockage from the ISP period.
Some morons at certain ISPs recently decided to block all pings, period, on their broadband networks. I run a small computer consulting business, one of my specialties is ipsec-connected subnet-to-subnet VPNs for small businesses with dynamic IP broadband connections. The scripts that make all this work depend(ed) on being able to ping various places to determine if the internet was up, if the peer host was up, and if the tunnel was up.
Since someone didn't RTFM on stateful packet filtering, and figure out how to safely allow ping traffic while blocking DDOS attacks, all my scripts broke (well, among those home users using those certain ISPs that connected into the office). Who in the seven hells ever thought an ISP would block ping!!! I can see a popular website doing it, but an ISP?!? Across their entire network?!?!? Baka!
Anyway, I had to quickly rewrite the scripts to pull entire webpages down to test connectivity, and dump them into the bit bucket, instead of nice, tiny little ping packets. (Let's see 'em block http) Wastes bandwidth, and less elegant too! wheee!
Cookie-cutter broadband ISPs without the technical knowledge to properly configure their routers are NOT people who I want determining what ports/protocols I can and can't use. I pay for bandwidth. Leave my ports alone!
Styrofoam IS biodegradable, you're just impatient!
One reason I can see for ISPs not offering port filtering by default for virus/worm protection is the liability issue. Can you not see the situation of someone relying on this functionality, being hit by something that comes down the pipe, then wanting to hold the ISP responsible because of their negligence in not making the filtering "good enough"?
Why not take this a step further by blocking anything that the user did not request in a NAT-like fashion? Broadband router users have been enjoying the security that this provides for ages, and I see no reason why everyone else shouldn't, too.
Security-wise, this would block many worms (both present and future) because they would simply be unable to connect to any system. Besides that, it would also block backdoor trojans like NetBus and Back Orifice because, although they'd still be listening, no one would be able to connect to them and control the user's system.
To address the NAT-type problems that this would create, ISPs could automatically make certain exceptions for port blocks that interfere with popular games and whatnot. For advanced users, there would be a control panel (much like those built into NAT firewalls) where they could unblock any or all of the ports.
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
However, it is the ISP's job to maintain service quality for the other thousand people served by the same point of presence that you use. It is its job to protect its service from DoS attacks, to ensure that those who don't have a worm are able to use the service.
Therefore, when a worm outbreak borders upon DDoS, it is very likely in the ISPs' best interest to interfere with it. They should do so minimally, because their purpose in so doing is to minimize its effect on their business and responsible network operators -- not to quixotically defend irresponsible network operators.
At different stages of an outbreak, and depending on the specific behavior of the worm, an ISP's best response may differ. For instance, if a tiny number of customer hosts are infected and are blasting huge amounts of traffic, the best response may simply be to remove them from the network, or block the relevant ports on the proximal router.
If they call and complain, the first-line technical support can read off a prepared statement, which (when boiled down) says basically this: "Your computer was being used for a Federal crime, breaking in to other people's computers. We shut down the network to protect our other customers from this criminal activity. It's possible your computer was infected by a virus that was being used to perpetrate this crime. Because of this possibility, we didn't call the FBI and report you as the source of the criminal activity. It's your responsibility to keep your computer from being used to hurt other people." They can then go on to offer, for a small fee, a CD of licensed antivirus and worm removal software -- or, for a larger fee, a visit from a technician who will run the same. Connectivity is not restored until the system is clean, whether by this means or any other.
In the case of a widespread outbreak, where more than 5-10% of the client systems are infected, it's probably more expedient to just block the ports on the core routers first. Then find a way of enumerating the infected systems and dealing with them, if it's deemed worthwhile.
Of course, any such measure should be announced. Exactly how to announce it I'm not sure, since many ISP users don't use an ISP mail account (and the ISP must not send spam), nor do they read the ISP's local newsgroup or visit the Web page.
In the case of a local ISP, the newspaper is always an option.
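The staged response described above, as an added example that is not code from the post: hosts are classified as infected from the number of distinct targets they SYN-scan on the worm port, and the share of the customer base that is infected selects between per-host removal and a core-router port block. The log format, thresholds, addresses and the constructed log lines are all assumptions of this example.

```python
"""Outbreak triage over constructed flow-log lines: find hosts probing the
worm port, then pick the response the post describes (per-host removal for a
few infected hosts, core-router port block once a sizeable share of the
customer base is infected).  Added example, not code from the post; log
format, thresholds and addresses are assumptions."""
import re
from collections import defaultdict

WORM_PORT = 135             # Blaster probed TCP/135 (as the thread notes)
PROBE_THRESHOLD = 20        # assumed: distinct targets before a source counts as infected
CORE_BLOCK_FRACTION = 0.05  # lower end of the post's "5-10% of client systems" rule of thumb

# Assumed log format: "<timestamp> src=<ip> dst=<ip> proto=tcp dport=<port> flags=S"
SYN_RE = re.compile(r"src=(\S+) dst=(\S+) proto=tcp dport=(\d+) flags=S\b")


def parse_probes(lines, port=WORM_PORT):
    """Map each source address to the set of distinct targets it SYN-scanned on `port`."""
    targets = defaultdict(set)
    for line in lines:
        m = SYN_RE.search(line)
        if m and int(m.group(3)) == port:
            targets[m.group(1)].add(m.group(2))
    return targets


def infected_hosts(probes, threshold=PROBE_THRESHOLD):
    """A customer host hitting many distinct targets on the worm port is treated as infected;
    a host with a couple of connections to the port is not."""
    return sorted(src for src, dsts in probes.items() if len(dsts) >= threshold)


def recommend(infected, customer_count, fraction=CORE_BLOCK_FRACTION):
    """Pick the response stage from the infected share of the customer base."""
    if not infected:
        return "no action"
    if len(infected) / customer_count >= fraction:
        return "block port on core routers, then enumerate infected hosts"
    return "remove infected hosts / block port on their access router"


def triage(lines, customer_count):
    probes = parse_probes(lines)
    infected = infected_hosts(probes)
    return {
        "infected": infected,
        "share": len(infected) / customer_count,
        "action": recommend(infected, customer_count),
    }


def constructed_log():
    """Synthetic flow records: one scanning host, one host with two legitimate
    connections to 135, and ordinary web traffic."""
    lines = [f"2003-08-12T03:14:{i:02d} src=10.0.5.17 dst=192.0.2.{i} proto=tcp dport=135 flags=S"
             for i in range(1, 31)]
    lines += ["2003-08-12T03:15:01 src=10.0.5.40 dst=10.0.5.41 proto=tcp dport=135 flags=S",
              "2003-08-12T03:15:02 src=10.0.5.40 dst=10.0.5.42 proto=tcp dport=135 flags=S",
              "2003-08-12T03:15:03 src=10.0.7.3 dst=203.0.113.5 proto=tcp dport=80 flags=S"]
    return lines


if __name__ == "__main__":
    print(triage(constructed_log(), customer_count=1000))
```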
Many of the cookie cutter ISPs cannot keep their own mail server running reliably. I have many customers with DSL or cable broadband at work and at home. Most of these customers have a linux box sitting there as a firewall/vpn/mail server, etc. A properly configured Linux box running postfix is WAY more reliable than most mom-n-pop ISPs seem to be. You can also actually figure out what's wrong if there are mailing problems, if you have control of the server.
Styrofoam IS biodegradable, you're just impatient!
Democrats would feel this is a job for big government. You have to protect people because they're obviously too stupid to protect themselves.
We used ACLs in the access servers of a Brazilian ISP to filter some "abuse" ports.
The filtered ports were 135, 139 (you don't need windows share over the net) and the default ports for BO and Netbus.
It protected some clueless users, and prevented some clueless script-kiddies from doing damage.
We aren't doing that filtering anymore (the new ISP doesn't use them), but I think that they are very useful.
The problem, of course, is that most who really want a consumer-style connection won't go for it because they can't see any benefit to the added cost; becoming a worm or virus transmission vector annoys others but does not usually degrade the infected user's consumption experience and therefore managed firewall services don't make sense. The solution to this is an addendum to terms of service that stipulate that systems which are reasonably believed to be infected with a worm or virus and are adversely affecting networks as a result will be dropped from the network and no refunds will be given. Service will be restored only after a professional (partnership or more managed service opportunities here...) has inspected the system and found it clean of any such threats. Since this will be both annoying - unexpected service termination - and expensive - hourly fees for system checks won't be low - users will find this type of low-cost insurance valuable and useful. Probably enough so to pay an extra 3 or 4 bucks a month, surely enough for the ISP to make a nice profit as well.
Personally, I'm paying a hefty premium for an ISP that does not block ports (Speakeasy), and I would not want them to start blocking the ports. In fact, when people requested that port 135 be blocked, a high-level representative from the ISP presented the following argument against blocking (reposted from USENET, group speak.easy):
"Not only is it against our policy and core services, the overhead involved
with maintaining such a block is not feasible for us to support. Blocking
ports isn't a final solution, either.
Kat Oak"
If someone opens a port on the computer, it means he wants to be able to communicate; and at that point he/she should specify who/where connections will be accepted.
That's right.
In my university all high speed internet users (residence, townhomes or laptop users) get to choose between the "Browser" and "Unprotected" zone.
I think other ISPs can do that.
I'd personally go with unprotected, but IMO for the dummiest of course the Browser mode is better.
I worked at a large web hosting company for many years, so I've dealt with these issues before. Here are my predictions.
First, ISPs and web hosting companies are going to increasingly block ports. You can complain all you want about this, but it will definitely happen. 99.9% of the customers only care about SMTP, HTTP, FTP, SSH, TELNET, POP3, and IMAP. I may be missing a couple, but you get the idea. On a percentage basis, there is so little demand for the other ports that I suspect most of the larger ISPs already block a good deal of ports. They are just playing the odds. The only way you will be able to avoid this blocking is by co-locating a machine (which is what I will probably do). Even then, you may have to shop around.
Second, an increasing number of applications will just tunnel through another port. We already see this trend by companies (like www.no-ip.com) that sell the ability to reflect email back into port 25 from another port. This is useful if your ISP blocks outbound port 25 (both AOL and Earthlink do this). This leads to my third prediction.
In the future, all traffic will be port 80. I'm being partly facetious with this prediction. But it may not be as far-fetched as it seems at first glance.
But shouldn't they simply block the ports to those idiots who cause all of the trouble. I mean they can tell who is pumping out all of the unwanted and unnecessary traffic. So block them. For those of us who don't get virii, or have these problems, we would still have everything, and for the others (mostly unsuspecting joe shmoe windows users), they wouldn't be the wiser. Problem solved.
But to just blatantly block things is ridiculous. I work for a small software company, and our ISP (Charter Media) has blocked port 135. So those of us who do not work at our main office cannot get to our mail server through Outlook. We are forced to read mail using Exchange webmail, and if you have used it, you know how limited and annoying it is.
So, this "just block the ports blindly" approach is ludicrous!
You will never "find" time for anything. You must "make" it.
They started blocking 20 through 25 and some other random ports. At first I thought I had fubar'd my connection, but no. When I phoned they denied it at first, until I pointed out that I had connected the same computer with a different connection and everything worked. After bitching at them for just over 1/2 an hour, they agreed to reopen port 22 (ssh is your friend :-). However, here I am a couple of months later and guess what port has been blocked again... I'm even on a "premium" connection.
I don't have anything against default port blocking, but let me opt out. I'm smart enough to know wtf is happening*.
*Most o' the time.
He made the same points before on various mailing lists.
...and each of these points has been picked apart each time he has made them. This is simply a bad idea, reminiscent of the "Great Firewall of China". The potential for abuse is too great. Virtually no one in the security community agrees with him, yet he persists!
Sheesh, what wimps.
Blocking ports to internet traffic just stops one entry point, but as wireless becomes more popular, we'll probably see more worms spreading that way instead.
When Code Red was at its worst, Comcast took it upon itself to filter inbound http requests to some (all?) of its subscribers. While this did prevent new IIS infections, it also disrupted service for a large number of people running more secure web servers, myself included. The way I saw it, I was being forced to suffer for my neighbors' stupidity. I lost the freedom to run a personal web server because there were too many morons sharing the network with me.
I like the idea of an ISP offering "secure" service as a [free] option. I even like the idea of enabling it by default, and forcing the customer to explicitly remove the feature if they don't want it. What I don't like is having my service crippled because someone else is too careless or clueless to secure their PC.
On the other hand, this would likely have the undesirable side effect of teaching users that they need not worry about security. "Why bother keeping my OS up to date? Isn't it my ISP's job to take care of me?"
i want more gopher sites.
grey wolf
LET FORTRAN DIE!
About the time blaster and sobig.f were doing the rounds, I had some websites to upload. Unfortunately, my ISP decided it was expedient to throttle FTP traffic to death. Luckily, eventually I managed to use SFTP to get in... but I was really not happy.
Doesn't this in some ways violate the end-to-end argument? (For those unfamiliar with the argument, http://www.jtrix.org/documentation/technical-overview/node22.html)
It seems that the job of the ISP is to provide the connection, not the security. Security should be taken care of at a higher level/layer. It has been argued that one of the reasons that the Internet has scaled so well is that it stuck to this design principle. If we make a habit of violating this principle for the sake of convenience, we will end up with something that's far less useful and more narrow in scope than what the Internet is now. As we cannot foresee the future uses of the Internet, nor the individual needs of every user, it would be silly to apply a one-size-fits-all approach to the Internet. Let the users decide how they want to use and connect to the Internet.
EvilCON - Made Famous by
There's no real diff anymore anyways...they both want to destroy us from within.
Vote Libertarian.
-uso.
Dreams, dreams, don't doubt dreams, dreaming children's dreaming dreams. Sailor Moon SS
- Basic access: $9.95/month.
- Port unblocking monthly charge (SMTP): $2.95/month.
- System administration charge (port unblocking): $15.95.
- Server surcharge: $5.50/month.
- Outgoing mail virus filtering: $3.75/month.
- Outgoing mail spam detection: $2.50/month.
- Spam-prevention deposit (refundable after one year): $149.00.
- COPPA compliance fee: $1.50/year.
- RIAA file-sharing reimbursement fund: $2.05/month.
- MPAA piracy prevention program: $1.95/month.
- BSA software piracy monitoring: $1.59/month.
- Incoming E-mail premium virus filtering: $2.29/month.
- Incoming E-mail premium spam filtering: $3.39/month.
- DELETE ISP-hosted webmail service: $1.50CR/month.
- Good-customer discount (no TOS violations in last three months): $4.05CR/month.
Thank you for your business.
However, the ISP should assist the user with filters on a user-to-service level (if possible). If people can't protect themselves, who can?
And where exactly is the rule written that consumers cannot or should not use port 25?
I guess you don't think we should serve http ports?
And no telnet/ssh either. Remote administration is the kind of thing a consumer doesn't need.
When I pay for my "consumer-level" DSL, I have some expectations that I'm willing to compromise on.
I know the tech-support people will not consider me a priority. I know if they have network problems, they will not work the extra mile to minimize my downtime. I know I cannot talk about "downtime" with them with a straight face, because they don't have those kinds of obligations.
I do expect, however, to be able to send and receive little packets of data every once in a while, at a certain speed, over whatever ports I want. I expect my paltry email packets to be dealt with equally with my fancy packets of video and audio (which certainly cost more bandwidth to my ISP, spam or no spam).
I do expect that my use is not restricted by "whatever is likely" other people need or do.
I agree with you that most users should have port 25 blocked. Actually, I think most BUSINESS users should have port 25 blocked too... a lot of small offices do not need, and do not have, their own email server but were happily sending emails through their business DSL lines due to SoBig.
Let BOTH kinds of users specifically remove that block. Force them to restrict it to a specific email server (or a list) if you want.
If they need it, whether it's a geek or a full IT department, it wouldn't be a problem because they know what they're doing.
But don't assume that a consumer never knows what he's doing, or that a business necessarily has a clue.
Freedom is the freedom to say 2+2=4, everything else follows...
for f***ing up the Internet. It's another case of MS's total disregard for the commons, and their unwillingness to acknowledge the fiduciary responsibility that goes with having a monopoly.
not only does my ISP block port 135, it also blocks all ICMP packets, making monitoring my connection, and diagnosing problems difficult. Furthermore, I called and asked to opt-out, but the tech guy I got said he couldn't. (My ISP is wide open west)
I really need to learn to suffer fools gladly, but asinine suggestions like this make my blood boil. I don't need port 25? What kind of dinkus statement is that?!
...I don't feel very sorry for them.
Firewalls are no substitute for application level security anyway. The root of the problem is unpatched network applications, not open ports. Open ports are the reason you have a network in the first place, for christsake! People who continue using crappy software will continue to get hammered. Someday they, or their vendor, will learn. And people or vendors who don't learn?
I certainly think an ISP has the right to stop or curtail service for people clearly identified as causing problems. But the fact that we're even discussing pre-emptive censorship is galling.
--Lawrence Lessig for Congress!
IMHO, permanently closing the ports at the ISP level will only have pernicious effects on the long term.
Here is the scenario:
(1) ISPs only leave http (plus some other ports) open for general public accounts.
(2) Everybody's happy.
(3) Software people (who by default love to push the envelope) start implementing new services via tunneling using the remaining open ports.
(4) Some asshole finds a way to hack a tunneled service.
(5) What do you do to block the assholeware from spreading? Instead of telling people to temporarily close a particular port until the OS or App vulnerability is fixed and the storm subsides, you now have to get the right software to sniff and filter out the packets going through the tunneling port.
The Internet -is- open even to this day. However, the problem is that it's -too- open. It's like the new AOL commercials (at least in my area). The majority of computer users have huge gaping security holes in their software, either because they have open ports, Windows automatically shares your hard drive by default, or because they just don't bother to update Windows periodically.
The idea of an open Internet is being defeated in the, U.S., courts with the RIAA virtually forcing people to go underground just to keep from being dragged into court. I'm sure many Slashdotters have already taken measures that they can relate to.
I can only operate my own SMTP server to send out mail if I relay through my ISP. I just moved into a new house which is thankfully served by a different cable provider than my old home. My old (RoadRunner) provider actively blocked my server from forwarding.
OTOH, I can't really think of a reason now or in the future when someone should have a legitimate reason for leaving certain ports open to the Internet (like 135 for example.) But I'd still hate to see it *not* be optional. The not optional route is what burnt me with AOL's blocking dynamic IP addresses from sending its users any mail.
Quoth he
"It's all academic anyway..."
Ok. So you block all ports. How do you block them? Block them at the perimeter? Block them for each IP (a la each IP is a DMZ)?
...because all of this is a moot point. Most viruses and worms aren't throwing themselves on the firewalls and committing suicide. They are walking in the front door through http and smtp.
If you only block them at the perimeter, all it takes is some num-num to open trojanworm.exe in their email attachment, or web download, or nextwizbang service 2.0, and now all the machines behind the firewall are available to be hacked.
If you make each IP a DMZ, or some sort of route trickery, you slow down things on the router/firewall side, which is also a sucky solution. Yeah, yeah, specialized hardware and all that might make this less of an issue, but it doesn't matter....
Everyone needs to freaking relax, focus, and fix their shit. For a _long_ time server side exploits were a _huge_ issue. Now the exploits are focusing on the client machines, and it's only a matter of time before that is hardened too. Viruses, worms, and all sorts of other stuff are scary enough and get media attention that most people are worried about it.
Sure there will be people that don't care, but that generation will adapt/learn or will be dead soon enough (of old age or what have you).
Firewalls will only give a false sense of security, as it is not a COMPLETE security solution. In fact it really doesn't even offer an interesting definition of protection considering the threats presented.
No.
By default, for the average Joe user, have a decent firewall put up. But you should be able to log into your ISP's site and disable the firewall if you want to manage your own, like I do.
As long as the freedom option is there, i'm sure most of us are fine.
Now ISPs can simply block a port on their big switch and forget about it. An opt-out service would require them to develop a system of individual profiles for customers. That means more headache and costs money for them to manage the system.
Simply make use of different subnets for filtered and non-filtered users. The ISP's DHCP server could easily determine at initial configuration time, which subnet your MAC address belongs on. If users want to choose varying levels of filtering, it should be up to them to implement. You would have a default choice of everything > 1024 is blocked, and all else is let through. Or you could opt-in to everything goes through.
So we're going to have firewalls at:
ISP
Router
Windows XP built in firewall
How many more do we need?
The best solution is to provide tiered services for residential customers. The default (and bottom) tier is to firewall the bad ports. Those people who want to run basic services (such as web and mail) should be able to sign up for the second tier. This would provide basic firewalling and leave open the ports for web and mail. The third tier would be an open pipe and the end-user claims all responsibility for the use of that pipe. Third tier users would be on their own network separate from tiers 1 and 2 in case their IP ranges get placed onto RTBLs or some such thing.
The common consumer just wants cheap internet access and will pay for the bottom tier and get the benefits of protection. Cocky /.ers would pay for the top tier (probably at a premium) to get what they want. Then they can shoot themselves in the foot.
The right solution is to get any bundled, extraneous services turned off on consumer boxes by default. I realize this may be unrealistic, but I think when it comes to internet architecture we need to approach things from an idealistic standpoint. Settling for short-term kludges like this one will result in a overly complex system with fundamental weaknesses.
That should have read everything < port 1024 would be blocked.
Take your "consumer" outlook and shove it up your ass. Your opinion is based on ignorance, perhaps intentional, and a miserly subservience to service levels that have little or no basis in fact. The best solution would be to ban Windoze boxes from the net - they have troubled everyone and no one else should be punished for Microsoft's bad behavior.
The fact is that there are several good mail programs that are secure by default and inform the user of what they are doing. There is no reason everyone should not have Exim on every computer they use. It makes traffic more efficient, enables end to end encryption, and gives users control of their names and accounts. Debian sets things up nicely and anyone can do it. If ISPs could legally keep their mouths shut and were honest enough to keep client information to themselves, people could have security and anonymity on the net and the net would be a place of free speech like no other. Email over a public network should be regarded as a press, and restrictions of it as violations of the first Amendment to the Constitution.
ISPs supplying service to businesses need to enforce the clauses in most service agreements that require the business to 'not engage in activity that will be detrimental to the network or the Internet as a whole'
Oh, I agree. ISPs can and should enforce clauses that prevent their users from harrasing their neighbors. Spam and push advertising is obnoxious and has no place on the net. Email is a normal and useful service, why should it ever be blocked?
What's that? It should be blocked because Windoze shit is easily broken and periodically floods the net with crap? Hmph!
Users need to be respectful of the fact that they are paying for a consumer level service.
They have to provide a service or someone else will. The broadband monopoly that exists in the US right now is outrageous and it is the only reason ISPs have the nerve to start blocking ports. They have yet to learn not to price themselves higher than the cost of replacing and eliminating them.
If you want business level service, realize this is a higher end cost for the ISP (yes, it is-- more bandwidth, possible peering issues due to ingress vs egress traffic, legal liabilities, etc.)
Once again, fuck you. What the hell is a business packet? In case you have not noticed yet, there is a bandwidth glut in the US. Most fibers sit dark and will never be used with dummies like you clamping useless definitions down on my end of the net. Go away, I've already replaced M$ on my end and next I'm going to get around the broadband monopolies. Recently, AOL and other large ISPs leaned on my ISP, Cox, to block port 25 inbound and outbound except through their SMTP. It's an outrageous DoS attack and I'm going to defeat it.
Friends don't help friends install M$ junk.
So, he's saying you should rely on someone else being responsible for YOUR security? like you as a node on the Internet can just opt out of taking responsibility for YOUR systems? I think not, sorry life is not like that, I dont want any ISP blocking my ports, I want to see my traffic and do my own security.
Some people ask some of the silliest questions. It's the ISP's duty to protect the network, and ensure a certain level of quality for its customers. You would have known all this if you had read the terms of service before posting.
"So although you are doing the idiots a favor I guess, it shouldn't be at the expense of the non-idiots... "
The phrase that comes to mind is "A few bad apples spoil the barrel." Don't like it? Go yell at the few bad apples, not the person who threw away the barrel before the whole place started stinking.
I use Earthlink, which only blocks port 25. I don't have a mailserver so I don't know if I can get it unblocked, but I consider that a good thing. I have a server running FreeBSD 4.4 which, unbeknownst to me, has sendmail enabled by default*. I only found this out when /var filled up because of the amount of spam messages my server was trying to send. I am glad that port 25 was blocked or I would have been (and I guess still be) a spammer without knowing it.
But i do think that a FREE opt-out option is a must.
*Props for the BSD guys for fixing this in more recent versions.
At least as far as these worms are concerned, a temporary block should be put into effect by ISPs to stifle the proliferation of these damn things. However it's still ultimately up to the end-user to secure his own systems. However they should also at least attempt to keep tabs on users whose machines have already been compromised and nag the hell out of them (phone calls, email, whatever) with advice on how to fix the problem, and if the problem doesn't go away in due time, cut them off altogether for abuse of the service. If that means users have to purchase their own firewalls, fine. If they don't want to go through the hassle of securing their systems, they don't belong on the Internet.
My words are backed with NUCLEAR WEAPONS!
Promote it as a feature to the common internet users. Many people would love to get additional service at no additional cost. People who want their ports will keep them.
ISP's should provide firewalls/proxies/and content-stoppers for users that want an ISP-run firewall and are willing to pay for it. ISP's should not provide firewalls to users that don't want ISP-run firewalls. But we all know the general direction of this discussion. Ever since the internet has left the confines of a few universities and government agencies, there have been "experts" who have advocated limiting its functionality. The basic reason for this is that they're afraid of the average Joe having freedom and power equal to their own. These "experts" range from gloom-and-doomers to elitist technology nazis to control-freak bureaucrats to media giants that are afraid of competition. We can only hope that they ultimately fail.
Why not make Operating Systems block all ports as default? This isnt a network issue its an application issue.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
ISP's are blocking ports that aren't all that useful. What legit things can you do on TCP 135-139 anyway? If you REALLY need to move traffic on those ports you can use a VPN or SSH tunnel.
This is exactly what I would expect any competent ISP to do.
is that it costs real money to block ports. ISPs have big routers and the cpu cycles of those routers are expensive. Blocking ports takes additional cpu cycles, so ISPs need to have a strong business reason to start blocking.
The real "Libtards" are the Libertarians!
Why not buy one?
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
My ISP has spam filters. If you log into their webmail client, you can turn on or off the various rulesets, or tune them at will.
Now if they didn't have this adjustment ability, I'd be moving elsewhere in a big hurry--but they give me the filters, default them to all on, and let me turn off what I want. I don't see why they can't do that with internet ports. Default to everything turned off, and then have a website that I could authenticate against, which would allow me to open ports. ACLs in FW1 should be able to accomplish this.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Sort of. ISPs are being driven to this by larger inept players, such as AOL and M$N, who will eventually win if nothing changes. AOL and M$N recently forced my ISP, Cox, to block port 25 except to their own smtp server. They threatened to bounce mail and Cox backed down. Predatory is too nice a word for that threat. Smaller ISPs will die if they reduce their service down to AOL standards.
Change, however, is the only constant. Someone is going to figure a way around the current broadband monopolies. Barring global NBC warfare, the proven technologies of frequency hopping and packet radio will combine to give everyone unlimited and free bandwidth. Microsoft, AOL, and all those comfortable with broadcast monopolies are history, regardless of how hard they fight. You can't stop technology. People will use what they know to get what they want.
The point is, there is a reason these ports exist in the first place -- they allow some flexibility and simplify communications. What they're really saying is "We don't like the way the internet is designed. So we're going to break it. Sucks to be you."
Yep, that about sums it up. Fuck them.
Friends don't help friends install M$ junk.
so they can do whatever they want.
C'mon, mod this down as a troll, just so you can prove my point.
I've got two #*$* boxes for cable modem -- the cable modem, and a 'broadband router' that provides a simple, but fairly effective firewall.
Given that basic 'broadband routers' cost under $80, why can't the ISPs get the cable/dsl modem manufacturers to add this functionality? Config could be initially set to be quite restrictive (e.g.: no unsolicited inbound traffic at all) and then user-accessible for the 'power users' who want to modify that.
"But actually trying to use m4 as a general-purpose langage would be deeply perverse" --ESR
Yeah, blocking everything, thats great. Awesome, guys.
We should stop selling kitchen blenders, too. Because people just can't handle them...Some people have even been known to spray shit all over their kitchen by forgetting to cover the hole.
I pay for access to 65,536 ports. If I wasn't responsible enough to handle it, I wouldn't buy it in the first place.
Bowie J. Poag
Those port blockages (except for maybe 25) are workarounds for ridiculous MSFT security bugs. The proposal is that ISP's install blocks to work around the bugs. Shouldn't MSFT clean up its own mess?
There would be fewer problems if the broadband companies would use either this or this, combined with this, and a lot of problems will disappear, and control is put where it belongs.
This is utterly crazy.
(1) The paper advocates only the MS ports, not some vague list of other ports.
(2) MS recommends firewalling those ports from the internet at large.
(3) For those admins who wish to open an entire Windows share across the internet to Arizona, use a damn tunnel you idiot.
(4) RTFA
(5) The point was brought up that this implies that the software that uses those ports is broken beyond repair. Duh!
crs
In what way is the parent a troll? He is right on the money IMO.
LRC, the best-read libertarian site on the web
I know one ISP in particular that shall remain nameless that has closed home user accounts for people using VPN (in some cases but not all). They consider this a business use and request that if these VPN ports are blocked that they will need to purchase the business account (more money) to get these ports opened up. In this case I would agree with the author and say that ISP = Web.
This will just cause application developers to use port 80 for everything. They already are for WebDAV and SOAP. And then virus writers will use port 80 for everything. IIS worms are great! Write your own! Closing ports doesn't solve the problem. It just ties the arms of application developers.
When I first subscribed to them, they gave me a CDrom with a localized webbrowser and email software to use with their service.
Maybe they could just throw in ZoneAlarm as an automatic part of the setup?
If there's a well written dialog box that explains to the masses how this will be beneficial for them, then I'm sure most of them would just click through to the install.
If my ISP wants to filter things such that I cannot run a server from my house, that is okay. I can live with that, since I'm buying residential service and not business access. Uploading is throttled down to 64kbs anyway (I'm on a cable modem), so it would make a shitty server point anyway.
But the first time my ISP limits what I can receive without giving me the option of turning it off will be the last time I use my ISP. It's not their place to determine what is "good" and what is "bad" for me, nor is it their duty to protect me from my own stupidity. Babies who need their hands held and cannot think for themselves can use AOL.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
I had a rather disconcerting experience a few years ago, being the target of a DDOS attack...
Our provider, a large Telecom company in Western Canada, could tell our 100 mb/s link was being attacked, but were *unable* to filter the traffic because their routers were already near their maximum capacity just passing the normal load.
As soon as they tried adding ACLs to their kit, it crashed. Their stance was that it was better that we get DDOSed and their other customers only had degraded service, rather than everyone being off-line.
Frankly, a little scary. But this isn't uncommon -- it's quite common for the demand growth to be so great that the systems are just barely able to manage it. A similar problem was the cause of the power outages on the Eastern seaboard.
The problem isn't the guns - it's the bullets that are fired from the guns.
How is your post insightful? More like (Score:-1, Obvious)
Here's the problem... As soon as blocking of a port is widespread (eg. 22) then the services that normally use that port will (guess what?) USE ANOTHER PORT.
The only way to really stop the propagation of network-based bugs to vulnerable hosts is to block ALL incoming connections. Frankly, I think maybe that should be the default for ISPs (ie. incoming connections are blocked until you call the ISP and make the request) but that wouldn't work perfectly by any means. Some programs would obviously break, and some people would be very unhappy about the whole experience.
Besides, it would be nearly as effective if ISPs would just start doing egress filtering to prevent the constant IP address spoofing. Then worms and other nasty things could be traced back to their source easily, and put an end to, quickly.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
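The source-address filtering the post above proposes (BCP 38 style: drop anything leaving a customer port whose source address was not assigned to that port) is easy to show in code. The block below is an added example, not code from the paper or from any commenter; the interface names, the assigned prefixes and the packet list are all constructed for illustration. The thread calls this "egress filtering" because it acts on traffic leaving the ISP; on the router it is applied as an ingress check on the customer-facing interface.

```python
"""Source-address validation at the customer edge (BCP 38 style).
Added example with constructed data; not part of the original thread."""
import ipaddress

# Constructed table: access interface -> prefixes assigned to customers behind it.
# The ISP knows this from its own address allocations, which is why the check
# belongs at the ISP edge and not deeper in the core.
ASSIGNED = {
    "cust-vlan-100": [ipaddress.ip_network("203.0.113.0/25")],
    "cust-vlan-101": [ipaddress.ip_network("203.0.113.128/26"),
                      ipaddress.ip_network("198.51.100.0/24")],
}


def valid_source(iface, src):
    """True if src is a legitimate source address for packets arriving on iface.
    Unknown interfaces fail closed: no assignment, nothing is accepted."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ASSIGNED.get(iface, ()))


def filter_ingress(packets):
    """packets: iterable of (iface, src, dst).  Forwards packets whose source
    belongs to the interface's assigned prefixes; everything else is spoofed
    (or mis-plumbed) and is dropped.  Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        (forwarded if valid_source(iface, src) else dropped).append((iface, src, dst))
    return forwarded, dropped


def spoof_report(dropped):
    """Count dropped packets per interface.  The interface identifies the
    customer port the spoofing host sits behind, which is what makes the
    source traceable even though the source address itself is a lie."""
    counts = {}
    for iface, _, _ in dropped:
        counts[iface] = counts.get(iface, 0) + 1
    return counts


# Constructed sample traffic (one tuple per packet: interface, src, dst).
SAMPLE_PACKETS = [
    ("cust-vlan-100", "203.0.113.7",   "192.0.2.1"),   # genuine
    ("cust-vlan-100", "203.0.113.150", "192.0.2.1"),   # vlan-101's address on vlan-100
    ("cust-vlan-100", "192.0.2.44",    "192.0.2.1"),   # spoofed source
    ("cust-vlan-100", "10.0.0.5",      "192.0.2.1"),   # RFC 1918 address leaking out
    ("cust-vlan-101", "198.51.100.9",  "192.0.2.1"),   # genuine
    ("cust-vlan-101", "203.0.113.150", "192.0.2.1"),   # genuine
    ("cust-vlan-999", "203.0.113.7",   "192.0.2.1"),   # unknown interface: fail closed
]

if __name__ == "__main__":
    fwd, drp = filter_ingress(SAMPLE_PACKETS)
    print(len(fwd), "forwarded,", len(drp), "dropped:", spoof_report(drp))
```

The check is cheap because it is a prefix lookup per packet against a table the ISP already has; it does nothing about a worm that uses its real source address, but it removes the spoofed flood that the post complains makes sources untraceable.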
Why not have a government sponsored/regulated Internet Manual.
The Manual would include an explanation of how the internet works, how the user's computer interacts with the internet itself, information on viruses, worms, and maybe a brief introductions to ftp, usenet, irc, file-sharing and the WWW.
People would receive the pamphlet when they opened an account with an ISP or bought networking hardware. Cost could be an issue for the adoption of an internet manual, I believe that as net users we would see the benefits in improved service and potentially lower costs. ISPs will be able to save bandwidth and hopefully pass along some of that to the consumers.
There are a lot of people out there willing to learn more, and would be willing to do more -- they just need a starting point.
But the fact that my ISP - Rogers - is letting thousands of SoBig.F viral letters through to me alone is ridiculous.
WHY can't they filter for that???
It's Christmas everyday with BitTorrent.
If this is done, then the OS and app vendors will start offering versions that tunnel over the still-open ports. Or are we looking at a situation in which typical end-user machines won't be able to listen at any ports at all?
When all you have is a hammer, everything looks like a skull.
And yet the most common complaint I hear from people is how they paid for lots of bandwidth but they're always the victim of lag and dropped packets. Blocking ports 135-139 would eliminate a substantial amount of the background "noise" that's taking a bite out of your bandwidth.
If someone *needs* to share 135-139 over a public network then they should be using a VPN anyway.
Firstly, just gotta say that if ISP's block say port 135, the virii are going to move to port 137, then if you block that, to port XXXXX, so port blocking really won't solve the problem.
But anyway, here's the idea:
if (subscriber ip) = (dynamically allocated) then
    blockports
else
    dontblockports
end if
Why don't they just bundle, or optionally bundle, a NAT router like the SMC Barricade series, with their modem. They could make some money off it because they could use the buzz word firewall and tout its security. Then this would give the ability to anyone that knew what they were doing to open up the ports of their choice, but the clueless would never even find the option to do so. Perhaps this could even be a built in feature of the modem itself.
I'm a firm believer in the philosophy of a ruling class. Especially since I rule. -Randal, Clerks
Variant on this:
"I have a couple DUIs but, I'll continue to drink and drive."
"I'll continue to have sex without wearing a condom"
"I'll never wear a seatbelt, or a helmet"
"I don't like [insert ethnic group here]. I think I'll go shooting
[Exxon Valdez]
"*Hick* Let me know when we hit something. I'll be in my bunk. I don't feel well."
A LOT of strife in the world can be traced back to the attitude "If I want to, I will", instead of questioning the wisdom of our choices to begin with.
Then thought is turned into action, and people either engage in "Why me?" or "It's all their fault."
The net should be open but services should not be turned on by default. Users should be able to securely use any service that they require for the purpose that they determine they need. The net is a tool and how a person uses that tool depends upon the task they have to perform. One size doesn't fit all. As more people get broadband and permanent connections to the network, they should also consider security; however, many people are not computer literate (i.e., don't read /.) and wrongly assume that when they get their cable modem or whatever, that it too is as secure as their Windows box that's never been upgraded.
A whole lot of home PC users should read this file before they connect to the net full time -- all the time. Advanced users that we see here shouldn't need this information and many will disagree with the tools I've selected but these are easy to install, available for almost all Windows versions and help the beginning user.
If Microsoft would just turn off everything and let the other guy turn it on when required, things would be a lot safer.
Banjo - The more I know about Windoze, the more I love *nix
1. ISPs should only block ports used by known malware and no others (ISPs should never ever do things with SMTP, FTP, HTTP etc, well except maybe SMTP for Anti-SPAM purposes)
and 2. ISPs should unblock ports for anyone that needs them unblocked (and it shouldn't cost anything)
That way, we get less "clueless user ran a trojan horse or got infected with a virus and is now flooding the net with crap" but it doesn't block ports used for legitimate applications (now and into the future) nor does it prevent power users from getting what they want.
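Several posts above sketch the same policy from different angles: filter the dynamically assigned pool by default and let customers opt into an open subnet, sell it as tiers (bad ports blocked / home web and mail allowed / open pipe), let the customer open individual ports through a web form, and keep outbound port 25 usable towards a known relay. The block below is an added example that puts those pieces in one policy evaluator; it is not the paper's or any commenter's code. The tier contents, the two address pools, the relay hostname and the sample flows are constructed assumptions, and the "worm ports" set is just the MS RPC/NetBIOS/SMB ports the thread keeps naming.

```python
"""Per-subscriber port policy for an access network.
Added example with constructed tiers, pools and traffic; not from the thread."""
import ipaddress
from dataclasses import dataclass

# Ports the thread singles out: MS RPC/NetBIOS/SMB (the worm vectors) and SMTP.
WORM_PORTS = frozenset({135, 137, 138, 139, 445})
SMTP = 25

# Constructed tiers: the bottom tier blocks the worm ports both ways and SMTP,
# the middle tier re-opens what a home web/mail server needs, the top tier is
# an open pipe where the customer carries the risk.
TIERS = {
    "basic":    {"in": WORM_PORTS | {SMTP}, "out": WORM_PORTS | {SMTP}},
    "services": {"in": WORM_PORTS,          "out": WORM_PORTS},
    "open":     {"in": frozenset(),         "out": frozenset()},
}

# Constructed address pools: the dynamic pool gets the filtered default, the
# static pool is for customers who opted into an open pipe (the DHCP idea above).
DYNAMIC_POOL = ipaddress.ip_network("10.0.0.0/16")
STATIC_POOL = ipaddress.ip_network("10.1.0.0/16")


@dataclass
class Profile:
    tier: str
    exceptions: frozenset = frozenset()    # ports the customer opened via self-service
    smtp_relays: frozenset = frozenset()   # peers outbound port 25 is still allowed to


PROFILES = {}   # subscriber IP (str) -> Profile; absent means "tier follows the pool"


def set_profile(ip, tier, exceptions=(), smtp_relays=()):
    """What the customer-facing web form would write after authentication."""
    if tier not in TIERS:
        raise ValueError("unknown tier %r" % tier)
    key = str(ipaddress.ip_address(ip))
    PROFILES[key] = Profile(tier, frozenset(exceptions), frozenset(smtp_relays))


def profile_for(ip):
    addr = ipaddress.ip_address(ip)
    if str(addr) in PROFILES:
        return PROFILES[str(addr)]
    return Profile("basic" if addr in DYNAMIC_POOL else "open")


def verdict(subscriber_ip, direction, port, peer=None):
    """Return 'allow' or 'drop' for one flow.  direction is 'in' (towards the
    subscriber) or 'out' (from it); port is the destination port of the flow."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    prof = profile_for(subscriber_ip)
    if port not in TIERS[prof.tier][direction]:
        return "allow"                       # tier does not block it at all
    if port in prof.exceptions:
        return "allow"                       # customer explicitly unblocked it
    if direction == "out" and port == SMTP and peer in prof.smtp_relays:
        return "allow"                       # SMTP to a listed relay only
    return "drop"


def apply_policy(flows):
    """Run (subscriber_ip, direction, port, peer) tuples through verdict() and
    return {port: dropped_count}, which is what an operator would graph."""
    dropped = {}
    for sub_ip, direction, port, peer in flows:
        if verdict(sub_ip, direction, port, peer) == "drop":
            dropped[port] = dropped.get(port, 0) + 1
    return dropped


# Constructed sample traffic: a worm sweep on 135, a NetBIOS probe, one
# customer's outbound SMTP to the relay and to a random host, and a static-pool
# customer who is open by default.
SAMPLE_FLOWS = [
    ("10.0.3.4", "in",  135, "192.0.2.10"),
    ("10.0.3.5", "in",  135, "192.0.2.10"),
    ("10.0.3.6", "in",  139, "192.0.2.11"),
    ("10.0.3.4", "out", 25,  "smtp.isp.example"),
    ("10.0.3.4", "out", 25,  "203.0.113.77"),
    ("10.1.0.9", "in",  135, "192.0.2.10"),
    ("10.0.3.4", "in",  80,  "198.51.100.5"),
]

if __name__ == "__main__":
    set_profile("10.0.3.4", "basic", smtp_relays={"smtp.isp.example"})
    set_profile("10.0.3.6", "services", exceptions={139})   # opened 139 via the web form
    print(apply_policy(SAMPLE_FLOWS))   # {135: 2, 25: 1}
```

The per-customer profile is the part the "big switch" objection above is about: a single blanket ACL needs no state, while opt-out needs a profile store and a way to push per-address rules to the edge, which is the extra cost an ISP is weighing against the bandwidth it saves.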
If ISPs block all or most ports, it'll make basic firewalls useless. We'll need content based scanning firewalls to analyse all traffic requests on port 80 (or whatever). In the long run, it'll just slow down traffic, make it harder to block for sysadmins.
Is that the "advanced user account" would probably end up costing MORE, not less. I think that you'd mostly find 3 situations:
1) ISP blocks ports/services/etc and won't unblock them. Claim it is for security, etc and just won't do it any other way. We had this problem with Cox. They disallowed any VPNs on their normal cable accounts. Our university uses VPNs extensively. It came down to us explaining to them that we would recommend people go with a different provider if they didn't change the rules. Of course as a large university we have leverage individuals do not.
2) ISPs would allow you to unblock ports, but would charge a fee for it. This is much like how you have to pay to NOT have long distance service. You would end up probably paying a monthly charge just to get to use everything.
3) ISPs would use this to attempt to force business class service. You could get an unrestricted connection, but only if you were willing to drop the bigger fees for a business class connection.
I would have no problem with an ISP firewall, if they'd be nice about it. If I could log on to their website and enable/disable its features at will I'd think it was great. It could be on by default for all I care, so long as they told me. However it does need to be something I can disable easily, and I shouldn't have to pay extra or anything like that for it.
Since most people think AOL is the web...... If an ISP starts to filter content, ports, etc then they are responsible if anything happens. It is the end user's responsibility not an ISP.
The ISP is to the user what the backbone provider is to the ISP. The ISP should no more be filtering ports than the backbone provider should be filtering ports. If users not knowing what they're doing is becoming too much of a problem, or is putting other users at too much risk, then the ISP should be doing what we require for cars: users must prove a certain level of knowledge and ability to safely operate a computer/car before they're allowed on the Internet/road.
Unfortunately, this isn't an ideal world. Until people stop whining that, effectively, "Why do I have to know how to drive? I just want to go places in my car!", we may have to live with this.
All, and I do mean all, of my e-mail is on servers not located on my ISP. I have two at a local university (one student, one staff account), one personal on a server I lease space on and one on a server I control in a different data centre. I regularly send e-mail using these servers. Well guess what port I have to send it using? Yes, that's right, port 25. I authenticate and use their SMTP servers to send my mail. IF my ISP ever blocked that I would call and if the block wasn't removed I'd cancel my service on the spot and dial up until I could get new service that didn't do that from someone else.
If they really wanna make people less vulnerable to attack, they should start filtering all traffic that DOES look like MSIE..
Look: we can't start clamping down ports -- especially on an Internet-wide basis -- merely because the predominant home-based OS is flakey. Who knows what other ports MS will suddenly start having dain-bramage on next week? No: the answer here, and the only real answer, is for MS to actually start
a) taking security seriously,
b) _FUCKING DISABLING SERVICES_ by default,
c) implementing honest-to-goodness stateful firewalls -- with the default for ALL in-bound service requests being "if it isn't local, reject".
I really don't care about making the Internet safe for everyone. Next thing you know we'll be suing gun companies over homicides, I mean ISPs over cyber attacks.
Isn't the real issue here the fact that Windows has so many security flaws? Maybe Windows just isn't ready for the Internet. I run Solaris, Linux, and MacOS X, with the protection of a Solaris/IPFilter firewall at home and do you think I care about worms and viruses? Nope.
The only thing I could possibly suggest that the ISPs do is communicate a standard warning: "The surgeon general has determined that Windows can be hazardous to your computer while connected to the Internet." and leave it at that.
-- Thou hast strayed far from the path of the Avatar.
Since using port translation, you can get around it.
For example, if you require port 135, you can use a router to re-route traffic for port 135 to another port, and on the other end, re-route it back to port 135.
This would prevent anyone without a router from being at risk of simple viruses.
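The re-routing the post above describes (accept on a port the ISP leaves open, deliver to the blocked one on the far side) is exactly what several earlier posts predict will happen to any single-port block, and it is a few dozen lines of code. The block below is an added example, not anything from the paper or the commenters: a plain TCP relay that listens on one port and splices each client into a connection to the real service. Because binding port 135 needs root and the sandbox has no real service to talk to, the "blocked" service is a constructed echo server on an ephemeral loopback port, and the relay also picks an ephemeral port; in real use the relay would listen on whatever the ISP leaves open and point at 135 or 139 on the far host. This is the unencrypted, unauthenticated version of what ssh -L does; it shows the mechanism, not a recommended deployment.

```python
"""TCP relay: accept on an open port, deliver to the blocked one.
Added example; the echo service and both ports are constructed stand-ins."""
import socket
import threading


def pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates.
    Only the write side is shut, so the opposite direction keeps flowing."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener(host, port):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))          # port 0 asks the OS for an ephemeral port
    srv.listen(8)
    return srv


def start_relay(listen_port, target_host, target_port, listen_host="127.0.0.1"):
    """Listen on listen_port and splice each client into a fresh connection to
    target_host:target_port.  Returns the listening socket; close it to stop."""
    srv = _listener(listen_host, listen_port)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:                 # listener closed
                return
            try:
                upstream = socket.create_connection((target_host, target_port))
            except OSError:
                client.close()
                continue
            threading.Thread(target=pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_echo_service(host="127.0.0.1"):
    """Constructed stand-in for the service behind the blocked port."""
    srv = _listener(host, 0)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=pipe, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def round_trip(message=b"hello through the relay"):
    """Send message to the service via the relay and return what comes back."""
    service = start_echo_service()
    relay = start_relay(0, "127.0.0.1", service.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", relay.getsockname()[1])) as c:
            c.sendall(message)
            c.shutdown(socket.SHUT_WR)      # tell the far side we are done writing
            got = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                got += chunk
        return got
    finally:
        relay.close()
        service.close()


if __name__ == "__main__":
    print(round_trip())
```

The relay never sees port 135 on the ISP's side of the link, which is the point both camps in the thread are making: a port number is a convention, not a barrier, so a block stops unmodified hosts and worms that scan that port, and nothing else.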
No funny comments so far?
That's one of the dumbest fucking ideas I've heard this year.
What if it were offered as a class of service? Many ISP's offer different packages (5 Personalized E-Mail Addresses! Wow!) why not just make this another "Value Added"?
I'd mod you up if I hadn't posted the parent comment :P.
Game... blouses.
You forgot one in there:
1a. Lewp pulls out his tinfoil hat and places it on his head.
Another option would be to have the computer only activate Windows file sharing if you tell it to, and the ports that WFS uses + all the other MS stuff shouldn't even respond (ie like it's firewalled). The XP default firewall may do this but it seems more and more it ships from the factory defaulted to off.
If you want to activate it, have a giant popup screen come up and say by activating Windows File Sharing you are susceptible to viruses and other bad things, are you sure you want to continue. The person that was just playing around will be shocked and not click on Yes.
But Firewalling the port off at the isp level should be the last resort. People really should have to pass a test to take a computer home like basic internet security 101. This is just some alternatives to firewalling I feel might help
I always knew it was one of those sand niggers all along. Thanks for the heads up!
While firewalls and virus scanners are important, they are services that require ongoing maintenance. The problem with the current approach is that there is no incentive for ISPs to do a good job. They can either block everything (including the tech support phone line ;) and cut bandwidth usage, or do nothing and decrease support costs, but doing a good job just costs more money. If you combine paid security support with the requirement that if users manage their own security, they "must manage" their own security (i.e. worm-infected computers will be taken offline), most of the current problems could be solved.
The cable/DSL modems themselves should have built-in firewalls, set up secure by default. If the user wants to reconfigure or disable it, they should be allowed to do so.
I'm of the opinion that nothing should be filtered or blocked. The ISP, I think, should help INFORM the users how to protect their PCs at THE USER'S END: perhaps even provide links, perhaps suggested 'easy generic fixes', or provide tech support (for a fee) to help protect their machines. Sure, they block something *most* people do not need to use today when an exploit hits and it's all peachy, everyone screams (YAY!), but what will you do when they block ssh, or your precious Yahoo IM, when an exploit is discovered for those, but you have it patched? Do you think once they block it, it'll ever be opened back up? I think not. My ISP recently blocked ICMP 8 (ping!) due to the recent worm. How long before I'll get my ability to ping back? I dunno. I would leave their sorry asses JUST FOR THAT if there were competition. However my town has one high speed ISP. (Local cable monopolies rule!)

Now, getting sidetracked onto a subject that's very similar, I will say this: I LOATHE ISPs who ban "servers". If it's a residential person using a webserver for personal use, or whatnot, there should be no problem. If it's for commercial use, make 'em pay more. And if they're worried about a residential user whoring bandwidth, use some adaptive throttling based on local IP addresses! Too many places use a FIFO queue (first in first out) setup, and THAT is what'll make a bandwidth whore suck to have on the network. My ISP technically disallows any 'servers' in their contract (sshd included! They actually told me to take sshd down, 'cause it's a server! I log in remotely once maybe every 4 months? Wow!) So it basically means they can tell you to stop using any service they don't want you to. I'd like to see the backlash they'd get if they tried telling all the Yahoo IM, ICQ, and MSN users to shut off their "server". For anyone wanting to know more info on my quality ISP, visit them at: www.the-bridge.net & www.rangebroadband.com
Troll, Troll, go away and flame again some other day
A stateful packet filter within the OS is a GREAT start! It AMAZES me the Windows XP out of the box setup doesn't include a STATEFUL packet filter, but rather one that breaks items like passive FTP, etc.
" 1. ISPs start blocking ports
2. All software uses port 80
3. ISPs start using more complex and intrusive filtering that blocks everything that doesn't look like MSIE
4. The internet is officially shit
I can't fucking wait."
Apparently not. You left out 2-1/2: Can we afford to do all this?
Yeah! I know, they have unlimited funds, unlimited talent, and they don't have shareholders to answer to.
But apparently it's more fun to overstate one's enemies (the US/USSR missile gap; Communists are everywhere) to further an agenda.
My ISP (Australia Wide, NOT owned by a Telco), has recently implemented port blocking into all their accounts.
Along with this 'feature' they also enable us to enable or disable port blocking, at our convenience, in about 4 clicks and a login. If you ask me, any ISP worth buying service from who is considering making port blocking mainstream (because it IS important, and it is something that is going to stop the vast majority of users from getting viruses/hacks that commonly exploit vulnerabilities in the more widely used OSes) will implement a similar service.
I am charged nothing, for leaving my ports open, and I run firewall software on my PCs with custom rules relating to ports because of web/ftp/ssh servers etc. It was quick and easy to toggle between blocked and unblocked, and anyone on this service can do it.
I honestly don't see why this is such a hard thing to adopt, and I would like to thank my ISP for being as reliable and friendly as they are, I know I am lucky in this situation.
I think ISPs SHOULD be the Little Man's firewall. The inexperienced user needs protection and 90% of the time will not have a clue how much work the ISP has done for them, but perhaps might comment to their friends that "No, I didn't get the Blaster Virus" when everyone else did.
"Give inch they will steal a mile."
That's why I voted against the local railroad expansion.
Something like this would be wonderful for the average person. For the 10% of the population (read: us) that this would hinder, the benefits would greatly outweigh anything else.
This does bring up a totally different idea I had while thinking of how things like this and similar average user features(for instance forcing people to use dialers, browsers, etc..) slow down the power users. It would be nice if major ISP's would start offering levels of service for users. This technically wouldn't require more charges for either group (although surely the ISP's would jack up the prices for specialization). The costs of blocking and filtering would balance with the cost of having to set up special settings for a different group. Both would cost more, but together they wouldn't have to have different prices.
Of course this will never happen, but it's one of those ideas that somebody should think about. And all of this would probably be most useful for broadband connections.
BTW, are there major ISPs that do this type of thing?
and it purely sucked. I couldn't use normal service ports (21, 22, 80, 126...). I had to use shitty ports for everything and it really sucked. This was the Korean ISP Thrunet, by the way. I hated them the most out of all the ISPs I ever used. Their service was always cutting me off too. DO NOT THINK PORT BLOCKING IS A GOOD THING. It chops your feet off if you actually know what you are doing.
... of broadband firewall routers being sold that will not work with the default password. That such routers will not have ANY incoming ports open by default, and ALL unnecessary outgoing ports (not needed for http, https, ftp, telnet, pop/imap, sendmail, ssh, IM, irc, kazaa, etc),are all CLOSED by default. The user will always have the option to open any normally closed port. BUT, since most users leave their routers as-is, and don't care, as long as they can surf the web, send and get mail, etc, such routers will shut out the hackers and limit their exploits on an unimaginable scale. And, a lot of trojans could be cut off just by limiting the lesser-known port numbers outgoing. ISP's won't have to load down their routers with endless lists of changing exceptions to no-route rules... Boy, I dream big.
Dogs look up to men; cats look down on men; But Pigs! Pigs can look men square in the eye. -Churchill
trying to secure Operating systems and applications via the network. what the heck kind of security system is this?
the open MS ports and send the bills to Bill...
That's the most absurd flamebait I've ever seen.
Block 80 if you must (that's just corporate drivel), but please keep letting mail through.
No, this isn't a personal attack; I rather wanted to get your attention, and now that I have it let me state that instead of having an ISP go to all the trouble of putting up a web interface to your personal server-side firewall and track your personal preferences across the changing IPs that are dynamically assigned, why don't YOU just put up YOUR OWN firewall and be done with it. Why do you, and you're not alone, expect the world to babysit you or anybody else?
If your ISP wants to provide such a service and you are willing to pay extra for it, not unlike your ISP offering to block spam from your mailbox for an extra fee, then that's all well and dandy, but don't expect everybody to put up with all the crap necessary to make your world child proof.
All I ask or expect of my ISP is to provide me with reliable access to the internet with however much bandwidth I'm buying. Period. I don't want my mail censored or my ports blocked or my access restricted in any way, shape or form. That I am willing to pay for and the rest I can do for myself INCLUDING assuming the responsibility of my own existence.
The part of your (Score 5, Insightful?) post that gets in my shorts is that you think it's better for the ISP to shoulder this burden, gratis or otherwise, and redistribute the cost among the multitudes, than it is for you to simply set up ZoneAlarm or its equivalent, since this is a feature you want. To advocate this represents the thinking of the ignorant, the irresponsible and the lazy.
It is high time some of you snot-nosed thumbsuckers start taking responsibility for yourselves and stop asking everybody else to do it for you. If it is too rough out here in this sandbox then disconnect and go back inside with your mommy. Judging by some of the posts here, a few of you won't be happy until you can get back inside your mommy. Well fine, but there is no need to suggest all ISPs transform into your idealized, solipsistic surrogate mother when AOL and MSN are available.
Blocking ports is just gonna change the way that attacks occur. I just read the other day about people running ssh on port 80 to get through security loops, and how it was the best way to lose a job. I work for an ISP and actually had a customer call after she got the Blaster worm, and she started bitching at me that "YOU PEOPLE should have some way to protect me!" Catch is, if we did block 135, the worm coder would have just had to work a tiny bit harder to get in through 80 or 21 or something else. Although most of the calls I get are clueless individuals, many of the users we have (we still offer things like static dial-up) are tech savvy, and would absolutely kill us for doing something like that.
ISPs give you unlimited bandwidth for a fixed price (at least in the US, in most cases), so they often act to keep that within reason. This is why you're generally not allowed to operate a server on a consumer broadband line: you're chewing up too much bandwidth if your site is at all popular. This is also the argument the RIAA uses to encourage ISPs to report or at least disallow P2P filesharing.
Viruses and trojan horses that send out email all over the 'Net and/or DDoS systems are another useless waste of bandwidth, and should be discouraged as much as possible. "Open Internet" is fine, but there's no good reason for ISPs to let users use certain ports if there's no consumer-oriented purpose for doing so.
Exactly.
So, MSBlast came in on ports 135, 137, 139. The next big vulnerability will come in on some other well known port, and the ISP's response will be to block it because 'You don't need it.' Before too long, we'll be left with ports 80, 110, and 5508 (or whatever it is that AIM uses).
Dumbing down the internet because Ma and Pa Kettle 'shouldn't have to' understand it is not the answer. What I think would go MILES toward solving the problem is simply educating these same users not on how to /use/ their computers, but simply pointing out which vendors provide the various different components on their machine. A clear understanding of a fact that we geeks take absolutely for granted is 100% missing from end users. End Users do not realize the difference between the hardware manufacturer, the OS vendor, and their ISP. It's all just 'the computer' to them. Even 'dumb' end users can understand this with a little time. These same people manage to pay an electric bill, a mortgage, and various different credit card companies without getting them mixed up.
Frequently, I hear the frustration about how consumers will not vote with their wallet. As soon as we can demonstrate the role of the ISP vs. that of the OS vendor, everyone will be much better off. People don't vote with their wallets, quite simply, because they have no idea who is on the ballot.
But more to the original point, systematically blocking out every port - even allowing for an 'opt-out' feature brings us perilously close to the Internet of the Future that we all fear - a completely passive, proprietary communications medium. Remember when the radio was supposed to knit the global community closer together, by enabling anyone to communicate over the airwaves? Take a look at Clearchannel's market share, and behold the future of the internet if we support policies like this, even in the name of 'security.'
This is my sig. There are many like it, but this one is mine...
There are different ways to do a firewall.
Some people block off all ports but those for the features they want to have.
Some people cut off only ports where the user must first make contact (and all UDP packets and peer networks).
If your ISP sets up a firewall they are also deciding what protocols you're going to use.
Just because some Windows systems have a back door on a given port does not make it a good idea to block that port for everyone.
That port could also be used by the latest greatest net client. A new data network. A better web. Or a new game.
It'd be just like Microsoft to have a back door on exactly the same port as a new automated update protocol for another operating system.
I don't actually exist.
I really can't believe how overcomplicated people are trying to make this, there's a simple solution that looks something like this:
:D
1) Customer dials in to ISP and is port-scanned
--vulnerability found? Go to solution 4.
2) Customer sends mail through ISP's smtp server - a simple scan for virus infection is performed.
--infected? Go to 4.
3) Customer has been connected for multiple of 24 hours and is portscanned
--vulnerability found? Go to 4.
4) All web and mail traffic from/to the customers machine from the ISP is suspended except http/ftp access to designated update and web-virus scanner sites, whenever they try to hit a website they are shown "Your system is infected with blahblahblah, the patch is here and this is the only piece of the internet you're going to see until you install it - once you have you'll be scanned again and the block will be automatically lifted"
Badda-bing, no need to block any ports unless the user is infected, user *knows* when he's infected and user also is led by the hand to the patch. ISP's update their vulnerability-list (a la Norton liveupdate) every day/week, and they slap their own logo/theme on the pages it generates. No more CodeRed/Sircam/SoBig/Nimda/Blaster/*whatever* problems, ever again.
Speaking as a programmer, this is fucking *trivial*, so why all the discussion of blocking people's ports across the board? Seriously, have I overlooked something really dumb in the above, because that to me seems like the ideal/only solution.
The only people who can fix these problems *for good* are the ISPs, and it's painfully easy (see above) for them to do it *without* blocking all the ports I use for dumb games
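The scan-then-quarantine procedure in the post above, as an added example that is not part of the original comment. It assumes the ISP-side probe is a plain TCP connect scan (steps 1 and 3), takes the mail-scan result as an input flag (step 2), and enforces step 4 as a destination check; the remediation hostnames are hypothetical and the listener used to exercise it is a constructed fixture.

```python
"""Connect-time health check and quarantine, following the numbered procedure in
the comment above. Added example; the ISP-side probe is assumed to be a plain TCP
connect scan, and the remediation hostnames are hypothetical."""
import socket
import socketserver
import threading

# Ports the thread names as the worm vectors (TCP 135/137/139).
RISKY_PORTS = frozenset({135, 137, 139})

# Where a quarantined customer may still go (hypothetical names) and over which
# ports (the post says http/ftp only).
REMEDIATION_HOSTS = frozenset({"update.example-isp.net", "patches.example.com"})
REMEDIATION_PORTS = frozenset({21, 80})


def scan_ports(host, ports, timeout=0.5):
    """Return the subset of `ports` on `host` that accept a TCP connection."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:          # refused, timed out, unreachable: treat as closed
                continue
            open_ports.add(port)
    return open_ports


def quarantine_decision(open_ports, risky_ports=RISKY_PORTS, mail_infected=False):
    """Steps 1-3 of the procedure: an exposed risky port (scan on connect or every
    24 h) or a virus hit on outbound mail sends the customer to step 4."""
    exposed = sorted(set(open_ports) & set(risky_ports))
    reasons = []
    if exposed:
        reasons.append("exposed ports: " + ", ".join(str(p) for p in exposed))
    if mail_infected:
        reasons.append("infected mail detected")
    return {"quarantined": bool(reasons), "reasons": reasons}


def allowed_destination(dst_host, dst_port, quarantined):
    """Step 4: a quarantined customer reaches only the remediation hosts over
    http/ftp; everything else is suspended until a clean re-scan."""
    if not quarantined:
        return True
    return dst_host in REMEDIATION_HOSTS and dst_port in REMEDIATION_PORTS


# --- constructed fixtures so the scan can be exercised offline --------------

class _AcceptAndClose(socketserver.BaseRequestHandler):
    def handle(self):
        pass                       # accepting the connection is enough for a connect scan


def start_dummy_listener():
    """Throwaway TCP service on 127.0.0.1 standing in for an exposed RPC endpoint.
    Returns the port it listens on."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _AcceptAndClose)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def closed_port():
    """A port that was free a moment ago, to check the scan reports it closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    exposed = start_dummy_listener()
    found = scan_ports("127.0.0.1", [exposed, closed_port()])
    verdict = quarantine_decision(found, risky_ports={exposed})
    print(verdict)
    print(allowed_destination("update.example-isp.net", 80, verdict["quarantined"]))
```

The connect scan only proves a port accepts connections, not that the service behind it is unpatched; a real deployment would need a version or vulnerability check per port before suspending a paying customer, and a way to re-scan on demand so the block lifts as soon as the patch is in.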
Most [l]users don't have a sense of security in the first place. Most of them wouldn't even understand if you tried to explain to them about the ISP blocking ports. People like that need a nanny ISP, and be happy paying through the nose for it. This is why MSFT are finally getting off their arses and beginning to install a basic firewall on remote access connections - to protect the ignorant and complacent.
Most of the general public on dial-up don't run firewall (or antivirus) software - it's too hard or costs too much (a false economy!) With this mentality and the proliferation of insecure OSs, I'd love the ISPs to act as firewall for the inept masses, as long as they permit those of us who know what we're doing to configure it to our needs. When you sign up for an ISP, everything should be defaulted to protect 'the system' from the naive user, those with brains can then reconfigure it.
Sure, it'd be a bit inconvenient at the start but it would centralise the effect of battling these sort of security issues to those who know what's required and would ensure it got done.
Go permanent? In your dreams and my worst nightmares.
My ISP here in Australia (IINET) iinet.com.au
By default it blocks a number of ports (including 21, 80 and some others). You can then opt to turn them off if you wish to (through a web-based toolbox).
They also offer SPAM tagging too (this is off by default, and can be turned on through the web-based toolbox!)
Now *THAT* is a progressive ISP.
They protect the n00bs, but allow people like me to still unblock ports that I want to.
lounge around on the blue couch
No
I don't trust anyone but myself to filter what I want. Suppose a certain corporation that shall not be named were to lean on ISPs to block common p2p ports?
Suppose I were working at home as a security consultant and needed access to all ports, including those used by virii?
The internet was originally designed with all the intelligence at the ends, and not at the center. This was done to prevent anything like this kind of behavior, where the people with the routers can control what you can access. If it were not for this forethought on behalf of the Internet founders, your ISP would control what you can access.
And that's what this could easily evolve into. You know the routine. You start with a little. Then they push it a little farther. And a little farther. And a little farther. Then the "internet" is nothing but a glorified TV station, feeding you the same junk in an interactive manner.
Obligatory BTTF quote: "Admittedly, that is a worst case scenario..."
Blocking ports stops valid use of those ports at a later date.
Microsoft caused this problem by not fixing system security problems. Note 5 years without fixing is just being cheap.
Suing them is the only way to make sure that no other company would dare not patch a security problem.
Or all ISPs install a worm that force-installs a firewall on all at-risk users. A simple probe, break and patch. And add to the ISP agreement an allowance to forcibly update unprotected systems.
This is ten times more effective, or we risk having no ports to do anything with.
Mind you, Microsoft has the means to pay damages for their neglect.
Note banning direct linking of Windows does not stop Linux firewall boxes serving down to the Windows users.
When you write internet software now, you have to supply port 80 tunnelling so that people behind firewalls can use them. If you close all ports except 80, it does nothing except add a trivial layer of complexity to writing networking code, whether the code is malicious or not.
This is like arguing that instead of locking all doors and windows, we should brick them all up except for the front door, but leave that one open because we're too lazy/foolish to operate the lock (or, we can't figure out how to make a lock that's easy enough to use).
Bits don't care what port they travel over, and software/viruses can be configured to send/receive them over any open port. What we need are simple locks.
There is an easy solution to this. As we all know, port 80 will never be blocked, because otherwise how would we get our pr0n? The Web is the Net.
So, just tunnel everything through port 80. There is an existing protocol for this defined in RFC 3093 called FEP (Firewall enhancement protocol). Problem solved.
Lots of technical and environmental problems are solved by the application of vast amounts of nuclear power
Don't rush - this is hardly a shattering idea. And Johannes Ullrich, PhD is hardly finished with the article anyway. PhD? Learn to spell frikkin English!
No, we don't have to worry about this pathetic moron.
If the approach is "opt-in", any new Internet service in the future is going to be DOA because Joe Clueless is going to download the new apps, find out "they don't work", and isn't going to contact his ISP where the problem is.
The other problem is that any ISP big enough to have a clueless "first line" help desk isn't going to be able to handle "please turn this port on" inquiries from Joe Clueless and will be even less able to handle them from anyone with a clue.
Do we have all the Internet services we're ever going to want?
Sacrificing future technological possibilities just to keep the current Net running properly isn't exactly the sort of thing we want if we want to do interesting and maybe profitable high-tech things.
Port 135 and the most commonly abused other ports there's a case for blocking by default.
Tech Public Policy stuff
Multiple ports are not the problem - if nothing is using those ports, there would be no traffic on them.
Blocking ports will only cripple legitimate users of those services while the malicious attackers will find other vectors for attack.
You can keep blocking ports until everything is tunnelled over port 80 and content only flows 'one way', but we already have that - it's called TV/Radio broadcasting.
If anything, ISPs should filter the users logging onto their systems - e.g. if the system logging on fails security tests, or exhibits virus-carrying behaviour, then outbound access is curtailed or disabled entirely.
Crippling the internet because Microsoft can't get their shit together is the dumbest thing i've heard this week.
I gots ta ding a ding dang my dang a long ling long
I'm currently at a Holiday Inn. Well, they have high speed net access. Faster than a T1 is nice, but they block port 25. It's an inconvenience since I can't send email through my Yahoo SMTP account nor my email account on another server. Though I'll have to call our hosting service to map port 2525 to 25 to get around this issue, it's still an annoyance.
If the ISP blocks 25 then the spammer will have a buddy set up a box outside the network to accept on some random high port like 37337 and just go to town, just like usual. All it serves to do is get in the way of legitimate users, in a punish-the-many-for-the-crimes-of-a-few method.
If one is on a dialup, it's really handy to be able to go upstream of one's mail client in order to block the multimeg file attachment some spammer or clueless friend thinks I need.
A shell account saved my ass when Sobig.F hit.
Some moron from dsl.net with an infected box hit mine with viral spams by the thousands on top of the rest of the Sobig viral spam I got. Being able to configure my .procmailrc file at my provider made it possible for me to shitcan everything with a .scr or .pif before I downloaded it via mail client. Without the shell, my account would have been useless to me for weeks and having my ISP clean it out would probably have cost them hours, i.e. hundreds of bucks worth of sysadmin time. With it, I pretty much took care of myself.
One should not have to run one's own mail server in order to do this. A shell is a good thing even for an ISP in the hands of those who can use it properly.
This doesn't mean that users necessarily need to get one by default, though. Personally, I don't ever intend to get an internet account that doesn't have one.
Tech Public Policy stuff
It is not my responsibility to pay for the fuck ups of MS and those that purchase their products. Adding cruft like this makes the ISP more expensive.
Those scumbags in Redmond are responsible for this mess... damned if I want my service compromised and made more expensive to cover their ass...
How about the courts force them to pay for each of us that bought MS products to receive a hardware firewall? That would be fair, and it would solve the problem.
-1 Uncomfortable Truth
Wouldn't this prevent people from running remote services, (e.g. XP Remote desktop, VNC...) I'm sure there's ways to circumvent a ISP based firewall, but it seems the little man would be blocked out of this technology. It just seems to me it's another justification for limitations. If it's raised because of viruses like blaster, then isn't this a permanent solution to a temporary problem?
I'm the manager of a small LAN, and I automatically block all incoming and outgoing traffic from spyware sites. Even users on the network who are infected with Gator don't have a clue I'm doing this... ignorance is bliss...
I am an ADSL customer of iiNet in Australia. They filter most of the dangerous ports by default and recently set up a page on their website so that you can opt out of the filtering if you think that you are well enough defended ;-)
http://http-tunnel.com/HT_Products_HTTPTunnelClient.asp
The Mothership
This should be implemented iff it can be overridden should the user request it (even if doing so means the user must agree to administer their machine properly). Using firewalling as a tool to differentiate between 'business' and 'residential' accounts is IMHO acceptable (but that said, I'll consider it cheeky and will most likely use an ISP who does not make this differentiation, as I would one who charges a lot more for a service with a static IP number).
Well at least not all the way...
Ports below 1024 SHOULD be blocked permanently from inbound traffic, no matter who you are - excluding business. Ports above 1024 cannot be blocked, otherwise no one would be able to get anywhere except to their own "subnet". When a client (pop3/http/smtp/ftp/etc.) connects to a server, it chooses a port at random above 1024 (obviously one that is not already used) and then connects to the server's port of, say, 80 for http; everything below 1024 is reserved for system-level services (printing, http, ftp, ssh, telnet, smtp, pop3, etc.).
Also, you need to realize that having someone constantly changing the "firewall" to let individuals opt in and out of certain ports leads to mistakes that will shut down the entire network, which no one wants... If you need an ssh server running on your home Unix box for you to get into from work, and the ISP is doing a respectable job of blocking everything below 1024, change the damn thing to listen on 2222, simple!
I've pissed someone off somewhere...
A lot of software has started to use port 80. I went through a bit of trouble to get my gateway to detect Kazaa vs. web on port 80 so it could prioritize traffic appropriately. I can't see implementing this for a whole ISP quite yet, snort takes way too much cpu.
Chello, one of the main cable providers in Vienna/Austria, is doing exactly this: blocking port 135 (or whatever is needed to stop Windows from accessing other clients' resources).
Maybe the ISPs should tell any user that signs up to go to zonealarm.com
http://www.vanillaafro.com - take me seriously and I will shoot you
More filtering will just result in more tunneling over HTTP and port 80/TCP.
Look at SOAP. Most rationales explicitly mention that CORBA and DCOM do not work across the Internet because of firewalls. That's why SOAP has to work over a HTTP tunnel.
If this happens, we'll just see every application that could sit behind these incorporate support for using port 80 instead. We've already seen it with p2p apps, and if ISPs start massively blocking ports, games and other apps will follow. And port 80 can't be temporarily blocked during a virus outbreak.
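A first-bytes classifier for traffic arriving on port 80, illustrating the point made in the last few comments (and the ssh-on-80 and Kazaa-vs-web remarks earlier in the thread) that once everything tunnels over 80, the port number tells you nothing and you have to look at the payload. Added example, not code from any of the posters; the sample streams are constructed, and the heuristics deliberately inspect only the opening bytes of a stream.

```python
import re

# Request line of an HTTP/1.x request, limited to the common methods.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) HTTP/1\.[01]\r?\n"
)


def parse_http_request(data):
    """Return (method, target, headers) for an HTTP request prefix, or None."""
    m = REQUEST_LINE.match(data)
    if not m:
        return None
    headers = {}
    head, _, _ = data.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return m.group(1).decode(), m.group(2).decode("latin-1"), headers


def classify_port80_stream(data):
    """Classify the first bytes of a TCP stream seen on port 80.

    Returns one of "ssh", "tls", "http-connect", "http", "http-no-host",
    "binary", "unknown". Only the opening bytes are inspected, which is all a
    cheap inline check can afford; an IP-over-HTTP tunnel (RFC 3093 style)
    still looks like "http" here and needs deeper inspection of the bodies."""
    if data.startswith(b"SSH-"):
        return "ssh"                       # SSH identification string
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"                       # TLS handshake record on a plaintext port
    req = parse_http_request(data)
    if req is not None:
        method, _target, headers = req
        if method == "CONNECT":
            return "http-connect"          # proxy-style tunnel request
        if "host" not in headers:
            return "http-no-host"          # HTTP/1.0-ish or hand-rolled client
        return "http"
    probe = data[:32]
    if any(b > 0x7E or (b < 0x20 and b not in b"\r\n\t") for b in probe):
        return "binary"
    return "unknown"


# Constructed sample streams, as a sniffer at the ISP edge might see them.
SAMPLE_STREAMS = {
    "browser": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "ssh-on-80": b"SSH-2.0-OpenSSH_3.6.1p2\r\n",
    "tls-on-80": b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x01",
    "connect-tunnel": b"CONNECT mail.example.com:25 HTTP/1.0\r\n\r\n",
    "odd-http": b"POST /x HTTP/1.0\r\nContent-Length: 4\r\n\r\nabcd",
    "raw-protocol": b"\x00\x00\x00\x1a\xff\xfe\x01\x02binaryjunk",
}


def summarize(streams):
    """Count classifications over a dict of name -> opening bytes."""
    counts = {}
    for data in streams.values():
        label = classify_port80_stream(data)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for name, data in SAMPLE_STREAMS.items():
        print(f"{name:15} {classify_port80_stream(data)}")
    print(summarize(SAMPLE_STREAMS))
```

This is the kind of check the comment about detecting Kazaa on port 80 had to build into a gateway, and it shows why the cost goes up for an ISP: the port-based ACL is a single lookup, whereas payload classification has to touch every flow's first packets and still misses anything that bothers to look like a browser.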
Oh come on, lets not be so alarmist. Comcast/AT&T has been blocking MS file sharing and printer sharing for quite some time. And we all know what these worms target - MS products and the consensus here and elsewhere is that these products are very insecure.
What would be so wrong about blocking 135-139 on the WAN connection? These ports are made for LANs and networking not for internet connections. Really now, how many people print through their WAN connection? Not many. Want to share files - use ftp, http, IM, P2P, etc.
If the ISP was to limit itself to blocking only 135-139 and only to residential customers it would stop a lot of abuse and we would all be better for it. Its either this or Tom Ridge and his buddies are going to freak out after the next big worm (especially if its written in the middle east) and force DRM firewalls and OS patching down our throats with the blessings of MS. Err, no thanks. The vector is MS's products, attack them.
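A per-customer edge filter simulator, added here as an example (not code from any poster), covering the two policies argued over in the thread: the stateless "drop unsolicited inbound below 1024 plus 135-139" rule from the comment about moving sshd to 2222, and a stateful default-deny in which only replies to connections the customer opened, plus ports the customer explicitly exposed, get through; the per-customer opt-out toggle that the Australian posters describe is included too. Addresses and packets are constructed; the filter is a model of the decision logic, not a driver for any real router.

```python
from collections import namedtuple

# A packet as the ISP's edge router sees it. direction: "in" = Internet -> customer,
# "out" = customer -> Internet. Ports are TCP/UDP port numbers.
Packet = namedtuple("Packet", "direction proto src sport dst dport")

WINDOWS_LAN_PORTS = frozenset(range(135, 140))    # 135-139, the ports the thread wants blocked


class EdgeFilter:
    """Per-customer filter at the ISP edge.

    policy="low-ports": stateless; unsolicited inbound to 135-139 and to any port
        below 1024 is dropped, everything else is accepted (so a listener moved to
        2222 keeps working, as suggested above).
    policy="stateful": default-deny inbound; only replies to connections the
        customer opened, plus ports the customer explicitly exposed, get through.
    opt_out=True switches filtering off for this customer (the web-toolbox toggle
        several posters describe)."""

    def __init__(self, customer_ip, policy="stateful", exposed_ports=(), opt_out=False):
        if policy not in ("low-ports", "stateful"):
            raise ValueError("unknown policy: %r" % policy)
        self.ip = customer_ip
        self.policy = policy
        self.exposed = frozenset(exposed_ports)
        self.opt_out = opt_out
        self._flows = set()   # (proto, customer port, remote ip, remote port) seen outbound

    def verdict(self, pkt):
        if pkt.direction == "out":
            if pkt.src != self.ip:
                return "drop"                     # source is not this customer's address
            self._flows.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if pkt.dst != self.ip:
            return "drop"                         # not addressed to this customer
        if self.opt_out:
            return "accept"
        if self.policy == "stateful" and (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return "accept"                       # reply to something the customer started
        if pkt.dport in WINDOWS_LAN_PORTS:
            return "drop"                         # blocked under both policies
        if self.policy == "low-ports":
            return "drop" if pkt.dport < 1024 else "accept"
        return "accept" if pkt.dport in self.exposed else "drop"

    def run(self, packets):
        return [self.verdict(p) for p in packets]


# Constructed traffic (documentation address ranges).
CUSTOMER = "203.0.113.57"
TRAFFIC = [
    Packet("out", "tcp", CUSTOMER, 3452, "198.51.100.20", 80),    # customer fetches a web page
    Packet("in",  "tcp", "198.51.100.20", 80, CUSTOMER, 3452),    # the server's reply
    Packet("in",  "tcp", "198.51.100.99", 1025, CUSTOMER, 135),   # worm probe at RPC
    Packet("in",  "tcp", "198.51.100.99", 1026, CUSTOMER, 2222),  # sshd moved above 1024
    Packet("in",  "tcp", "198.51.100.99", 1027, CUSTOMER, 22),    # sshd on its usual port
]


def compare_policies(traffic=TRAFFIC):
    """Run the same traffic through each configuration; returns {name: verdicts}."""
    configs = {
        "low-ports": EdgeFilter(CUSTOMER, "low-ports"),
        "stateful": EdgeFilter(CUSTOMER, "stateful"),
        "stateful+2222": EdgeFilter(CUSTOMER, "stateful", exposed_ports=[2222]),
        "opted-out": EdgeFilter(CUSTOMER, opt_out=True),
    }
    return {name: f.run(traffic) for name, f in configs.items()}


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:14} {verdicts}")
```

The web reply passes under both policies, but for different reasons: the stateless rule lets it in only because its destination port happens to be above 1024, which is also why that rule cannot stop a worm that targets a high port. The stateful policy lets it in because the customer initiated the flow, and can therefore deny everything unsolicited by default while still honouring an explicit "expose 2222" request.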
Telecom New Zealand currently offers its business customers a service that allows the customer to configure their own VFW (Virtual FireWall). Changes made to the config of the customers VFW via a https web server are immediately sent to the firewall (inside the Telecom network). While the customer does not have the ability to change the outgoing NAT address of the VFW most other options one would expect from a firewall sitting in the office are available such as; selecting Src/Dst IP, Protocol, Src/Dst ports etc. Incoming services such as customer managed web servers etc. can be set up by the customer though this does require you to pay for an "extra" Public IP address. The firewall follows state and is designed to support large numbers of unique customer networks with overlapping private address space. All in all its a very sexy thing. Sadly there isn't much technical detail on how the system works but the sales blurb makes for interesting reading. http://www.telecom.co.nz/securebusinessinternet/
You know how this would work. Those port numbers often used on Windows would be allowed. Anything not on that whitelist would be cut off. So suddenly everyone using Linux under the ISP who wants their services to work correctly gets labelled as an uncouth 'hacker' (in the media meaning of the word, not the original meaning) for wanting to punch through the firewall.
And then the morons who make the majority of public opinion see the extra hoops Linux users would have to jump through to get their systems to work and think, Oh, my Windows box just works, so I guess it's better. (For example, if Windows sharing port numbers are allowed but NFS port numbers are not, then the general effect is that Windows filesharing works and Unix's does not. No amount of explaining will sway the public opinion on this. It's not based on reasoned thinking.)
And although I couched this in terms of Windows vs. Linux, the more general case is the real problem - it makes the decision of which technologies will live and which will die be entirely in the hands of the ISPs. It's the equivalent of your phone company saying "You can discuss your pets, your wife, and your kids over our phone lines, but you aren't allowed to talk about radios, televisions, or cable modems over our phone lines. And we'll be listening in and if you try to raise one of those subjects we'll cut your call off."
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
if any security risks are discovered, take that user offline and deny them access until the *USER* corrects the problems. Probe *ALL* ports, *ALL* of them, not just below 1024.
Hardcore probes, not just some lame-ass Wal*Mart grade probe..
There are some exceptions, though - if you're getting a high-volume flood of some sort (DDOS attacks, Slammer worms, ping floods, etc.), it's nice to be able to turn it off at the ISP's end of the wire, because that prevents your bandwidth from getting stepped on by the attackers, while otherwise you might be unable to get any effective work done because 99% of your bandwidth is the attack.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
configurable opt-out
most ISPs I've used (Ihug.com.au at the moment) have a user section of their site where you can config stuff like email accounts, pay bills, check usage etc. Just add a page with tick boxes for the ports being blocked with nice little descriptions of the sorts of programs which commonly use these ports. You have a bunch of default ports being blocked. The unblock lasts for 2 weeks (I made a number up) then it resets for people who are lazy, forgetful or indifferent. Send an email reminder. Only list common ports or those known to be a problem, with the ability to add your own specified ports to your list.
You could probably also provide a page where you can control personal email filters as well. Add in some domain blocking for concerned parents.
Customers would know about this because I would shove it down their throats as a major selling point - having control of your own internet connection.
Any other ideas?
I've experiments to run, there is research to be done on the people who are still alive.
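The portal scheme proposed above (a default block list, a time-limited unblock that resets, a reminder e-mail, and a customer-added block list) as an added Python sketch; this is example code, not anything from the post or from any ISP. The 14-day lifetime, the two-day reminder lead and the authentication flag on the request are assumptions.

```python
from dataclasses import dataclass, field

# Default block list: the Windows RPC/NetBIOS/SMB ports the thread is about.
# Everything else is left open unless the customer adds it to their own list.
DEFAULT_BLOCKED_PORTS = frozenset({135, 137, 138, 139, 445})
UNBLOCK_TTL = 14 * 86400          # the post's "2 weeks", in seconds (an assumption)
REMINDER_LEAD = 2 * 86400         # remind two days before expiry (an assumption)


@dataclass
class Customer:
    name: str
    unblocks: dict = field(default_factory=dict)     # port -> expiry (epoch seconds)
    extra_blocked: set = field(default_factory=set)  # ports the customer chose to block


def request_unblock(cust, port, now, authenticated):
    """Portal tick box: open one default-blocked port for UNBLOCK_TTL.

    The request has to come from an authenticated portal session, so software
    running on the customer's machine cannot silently lift its own filter."""
    if not authenticated:
        return False
    cust.extra_blocked.discard(port)
    cust.unblocks[port] = now + UNBLOCK_TTL
    return True


def add_custom_block(cust, port):
    """Customer adds a port of their own to the block list (no expiry)."""
    cust.unblocks.pop(port, None)
    cust.extra_blocked.add(port)


def expire(cust, now):
    """Reset lapsed unblocks; returns the ports that reverted to the default."""
    lapsed = sorted(p for p, t in cust.unblocks.items() if t <= now)
    for p in lapsed:
        del cust.unblocks[p]
    return lapsed


def inbound_allowed(cust, port, now):
    """The per-customer filter decision for an inbound connection to `port`."""
    expire(cust, now)
    if port in cust.extra_blocked:
        return False
    if port in DEFAULT_BLOCKED_PORTS:
        return port in cust.unblocks
    return True


def reminder_due(cust, now):
    """Ports whose unblock lapses within REMINDER_LEAD, for the reminder e-mail."""
    return sorted(p for p, t in cust.unblocks.items() if now < t <= now + REMINDER_LEAD)


if __name__ == "__main__":
    alice = Customer("alice")
    t0 = 1_000_000
    request_unblock(alice, 135, t0, authenticated=True)
    print("day 13, port 135 allowed:", inbound_allowed(alice, 135, t0 + 13 * 86400))
    print("reminders due:", reminder_due(alice, t0 + 13 * 86400))
    print("day 14, port 135 allowed:", inbound_allowed(alice, 135, t0 + 14 * 86400))
```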
I know this is directly counter to what has been previously posted, but I'm sticking by it. I work for a small ISP. All our dialups are already filtered. It's outlined in our TOS.
None of our dialup customers were hit with blaster. We filter these ports on our dialup for the same reason we filter all incoming email for virii. It's a sensible service, and a good default. Some of our customers request that certain ports be unfiltered, and with few exceptions, we are more than happy to (one exception being outgoing 25, it's our smtp or nothing. We don't abide spammers).
Remember, tech savvy customers will know to request changes, and the unsavvy ones will be best served by being protected. People are sick and tired of people in the know doing nothing to protect them, sick of the virii and the worms, and the spam, the popups and the hassle and the crap. The more of that you can keep from affecting them, the happier customers you have.
In my case, yes, I'm enough of a power user that I want to be able to do absolutely anything from my home line. (Of course my hardware's been sufficiently unreliable that I haven't gotten around to it :-) I'm running the NAT firewall box for several reasons. One is that it's a no-brainer way to get some basic level of protection. Another is that I've got 4 static IP addresses, but my DSL box doesn't seem to have a DHCP server, and I don't want to have to keep my noisy desktop machine running full-time just to make it easy to plug in my laptop (plus it dual-boots Windows and Linux, and I'd have to have a Windows version of a DHCP server.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I have always run a NAT router on my network and shared whatever Internet connection I have had with my flatmates. None of them have ever even known that they have no incoming ports open; they surf the net and read their email perfectly happy and in complete ignorance. I would think that 99.99% of retail ISP customers would be completely clueless to it if they had no open ports available to them. I am a web developer and heavy net user and very rarely have a need to forward ports over to my machine; the average user just doesn't need it. If ISPs were to disable all incoming ports and provide a web interface for users to open up the ports they need, I think they would find that less than 1% of their customers would ever use it.
Why the hell doesn't MS just close off 135, 139, 445 and the other dangerous MS ports by default? At least it could close them by default for dial-up adapter interfaces since it's a good guess those aren't going to be on a LAN.
Furry cows moo and decompress.
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
As a broadband user, I get loads of attacks on port 135. Of course there isn't anything useful there. I have noticed that if I telnet into port 135 on the attacking machine, there is a port open but it doesn't seem to do anything useful. No prompts or anything. Doesn't even go satisfyingly tits-up after a few carriage returns, but I know I haven't tried hard enough.
Is it possible to crash whatever daemon it is that listens on port 135 by typing a certain sequence of characters? Could I deploy some sort of honey-baited-landmine that would blow up in someone's face if they even tried connecting to it?
The operating system should be the little man's firewall. ISP's shouldn't be patching holes in Micro$oft's OSes.
Never trust a man in a blue trench coat, Never drive a car when you're dead
it would just make a lot more sense when you sign up to the ISP to just have an option, with the default set to the ports being blocked. If you know what the question means, then with a single mouse click you can open up all your ports. Only problem I can foresee is that the inexperienced user might try to use a program that relies on the blocked ports at some stage in the future. Maybe trigger a popup from their ISP when they try to use these ports saying "You have tried to access a port currently blocked by your ISP Firewall. If you were attempting to utilise an internet program before seeing this popup, please click here to have the port opened." Can't see a downside myself, might even provide a useful warning when some interesting beastie on your PC springs to life and tries to phone home.
Here in the UK an increasing number of broadband ISPs are doing this already. They started a couple of years ago blocking inbound SMTP.
I run my own mailserver and virtually had to promise the life of my unborn child to get it unblocked.
But here's the kicker. Looking for a new ISP I found several that block inbound SMTP to all their DHCP customers, if you want it unblocked you have to get a static IP account for which they charge an extra 5 per month (+tax).
The funny thing is we'll probably get some ISPs charging extra for their "Premium Protected" rate service while others will charge more for "Unrestricted Access" accounts.
I think ISPs should notify and warn their users if their internet connected computer seems to be infected.
They can link the ip-address with the e-mail address and have these users notified automatically with instructions included on how to cure the infection. Most users don't even know that their computer is infected.
If all ISPs notify their customers immediately in such cases, the alarming rate of spreading will be prevented.
In my opinion it is the ISP's obligation to implement such a scheme: it is simple, cheap and effective. It should therefore become mandatory.
I find in my firewall log (adsl/cable) network blocks with an infection percentage of up to 15%! Which proves my point.
-
hsx
Let's see 'em block http
They won't block it, but I bet they'll transparently proxy it and cache the results. Thus, you'll think the link is up but you're actually getting the data from a previous call.
I sure hope your program checks the content to make sure it's not being spoofed by some man in the middle.
Why not make that question the next /. poll?
[ ] Yes ma'am, filter everything!
[ ] Go away, no!
[ ] Filter Windows-ports
[ ] Filter all non Windows-ports
[ ] Help! Cowboy Neal triggers all my Snort-alerts!
Alex.
You look like a million dollars. All green and wrinkled.
Yeah, it sounds like the delirium which we already have where everyone seems to think SOAP is the only safe server protocol left. I'm sure it is... if you want to spend 90% of your time packing and unpacking objects from XML trees.
Karma: It's all a bunch of tree-huggin' hippy crap!
My ISP thinks that it's responsible for the safety of its customers, so as a default, almost all of the ports are blocked. And if you have a _very_ good reason, then you can have ports like 80, ssh and ftp opened. But you can't have all the ports open. That sucks. Officially you maybe could get all the ports opened, but it requires a very very very good reason, such as a job that depends on that. BTW, p2p is not a good reason. I personally have been able to do almost whatever I want, as long as I abuse the port numbers, so that I give programs just the next open one. I hope this will never be a common practice.
Once this barrier is taken, it won't take long until all incoming connections + UDP are banned, of course only to "protect the user".
This would make P2P impossible and reduce the internet to a mere client-server network. Anyone running a "server" would be closely monitored by CIA, RIAA and other special interest groups, and would have to pay a premium.
Say goodbye to all P2P, to your own webserver, mailserver, to freenet, to accessing your own mailbox via secure IMAP, logging in remotely via ssh.
The opt out would be step 1. Step 2 would be to remove the opt out because of "lack of customer demand" and to "protect users" because of mistakes they might make.
I am very sure this is what some industry groups are striving for: the internet must be reduced to a television network with bells and whistles. Just an extra channel for the industry to bombard you with propaganda, advertisements and other brainwashing; you are not supposed to talk back or publish independently (you might threaten a monopoly or spread terrorist information).
Don't give them a finger, they'll be eager to take your hand. Any restriction whatsoever must be vehemently fought at its roots!
Hi,
My cable ISP blocks all MS and proxy ports at CMTS level. So people inside the network also cannot communicate on those ports. They will open it if someone requests it. But guess what, there is minimal spamming from our network and we (users) were unaffected during the previous MS blast. Our ISP also allows people to send mails using their own mail servers, that gets abused sometimes, other than that it's pretty nice.
raj
Sarovar.org Hosting for open source projects in Indi
if someone is so stupid, and did not apply all patches (M$ $hit)... his problem ... if my ISP is blocking any ports ...I will change ISP as soon as possible .. I don't pay to have HALF internet
grrrr
I've never before written a 'mod the parent up' post... But this one is (in my opinion) SO insightful.
We're already seeing this in corporate firewalls, it is in fact the primary driver not just behind SOAP but behind the whole 'Web Services' concept. The administrators of the corporate firewall seek to keep the corporation safe, and they do this by blocking types of traffic which are potentially unsafe. So business units which don't understand the security implications employ half trained code monkeys to hijack a 'safe' protocol (HTTP and/or HTTPS) and overload it to implement a less secure alternative to Sun's long reviled RPC.
This is a bad thing for (at least) two reasons:
We're already, as I say, seeing this in the corporate sphere. Blocking ports at the ISP will only push the bad boys into the Web services space, at which point for ordinary users the whole internet will become unusable.
This is not a sensible suggestion.
I'm old enough to remember when discussions on Slashdot were well informed.
In the context of today's access control I came up with the idea of "partial outsourcing", meaning that the access control decision can be partially influenced by external entities. Sure this might be only wise toward the "deny-side", but today everybody does it already with their virus killers and the externally maintained signature database.
Transferred to the topic above, I could imagine having at the ISP a sort of interface for the dialin PC to set its own rules. Default would be the protective setting, while everybody can enhance or limit the firewall as desired.
BTW comments to this idea greatly welcome...
If you don't have end user level security and leave it up to the ISP, script kiddies have less work to do. They will hammer on the ISP till it cracks, then they'll have free access to all their unprotected customers.
Firewalling needs to be at the OS level and on by default.
I'm sorry, I can't hear you over the sound of how awesome I am.
ISPs seem to put everything else in their Terms of Service, why not this? During the sign up process the user could be presented with instructions for basic security measures. It might not work in all cases, but I think it will reduce the number of cases.
For ISPs who dish out CDs to sign up, the virus checker and personal firewall should be on the CD. Virus checkers seem to be included on CDs bundled with motherboards.
The general public needs education but they will not bother to learn if it is too much effort.
In fact, you could make a device that was a DSL/Cable modem and router/hub in one.
...richie - It is a good day to code.
Nooooooooooooooooooooooooooooooooooooooooooo!
That's not true,
That's impossible
No!
I'd be REALLY PISSED if my ISP started blocking anything "for my protection."
I don't need my ISP, my police, or my government to take care of me. Leave me alone. I can take care of myself, thank you.
Quacks. That's the name for people, "doctors", that "treat" the effects, while ignoring the cause.
...
Why should I, as a user, have a system that has got all sorts of services open for the web, when all I want is to browse the 'Net a bit (and maybe read some E-Mail & news)?
The problem is that the/my OS *does not allow me* to detach services from the 'Net, so I *can't get those ports closed*.
And that's where the problems start (having no real control over our own systems).
So, it should be solved *right there*, not by some bloke (over whom we also do not have any real control!) up the stream.
Yes, I know that sounds bad, but I think they should have the right to selectively block ports when widespread attacks occur. I think Port 135 should be blocked when Blaster is in service etc. Just common sense.
Oh no... please don't ever EVER recommend that someone install ZoneAlarm unless they're at least as clued as you are.
I had a client ring up the other day - his computer could connect to the net properly, but no traffic could get in or out. The PPP link would stay up because LCP echoes came back fine.
While frustratedly pulling the last remaining hairs out, I asked the user to read out to me the contents of the "Add/Remove Software" control panel. Amidst the usual cruft was "ZoneAlarm". I asked the user to uninstall ZoneAlarm, and everything went back to working normally.
I asked that user to please never install ZoneAlarm again.
I hear that a couple of different UK ISPs have been going so far as matching bits of the offending packets so that 'innocent' packets on each port will still get through. This seems like the most ideal solution, but does require more CPU usage on whatever is doing the filtering.
Depending on how granular you want to get, you could (say) block all packets trying to use DCOM, which would shut out legitimate uses of DCOM, or pick out the buffer overflow itself and drop that.
Of course, this is reactive rather than proactive. Worms are only blocked after they've been in the wild long enough to get a fix on what to block, by which time they're probably already in your network and you're performing "damage control".
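The trade-off described in this post, a blanket port block against matching the offending packets, plus the reactive window it mentions, as an added Python simulation that is not from the post or from any ISP. The traffic records are constructed, and the "signature" is a placeholder marker rather than any real worm bytes; the timestamps and rule-publication time are assumptions.

```python
from dataclasses import dataclass

# Constructed records only: the marker below stands in for whatever byte pattern a
# filter operator would publish for a given worm; it is not a real payload.
WORM_MARKER = b"<CONSTRUCTED-WORM-MARKER>"
DCOM_PORT = 135


@dataclass
class Packet:
    ts: int          # seconds since epoch (constructed)
    dst_port: int
    payload: bytes


def port_block(pkt, blocked_ports=frozenset({DCOM_PORT})):
    """Coarse policy: drop everything to a blocked port, legitimate or not."""
    return "drop" if pkt.dst_port in blocked_ports else "pass"


def signature_match(pkt, rules):
    """Finer policy: drop only packets carrying a published marker.

    rules is a list of (published_at, marker).  A rule cannot act before it was
    published, which is what makes this approach reactive: anything seen between
    the first sighting and publication of the rule is passed.  The cost the post
    mentions is visible too: every payload is scanned against every active rule."""
    for published_at, marker in rules:
        if pkt.ts >= published_at and marker in pkt.payload:
            return "drop"
    return "pass"


def apply_policy(packets, policy):
    """Decisions for a packet list under one policy, in order."""
    return [policy(p) for p in packets]


def reactive_window(packets, rules):
    """Timestamps of marker-carrying packets that got through before a rule existed."""
    leaked = []
    for p in packets:
        carries = any(m in p.payload for _, m in rules)
        if carries and signature_match(p, rules) == "pass":
            leaked.append(p.ts)
    return leaked


# Constructed sample: legitimate RPC traffic, one infected host hitting port 135
# before the rule is published, the same traffic after publication, and web traffic.
RULES = [(1_000_100, WORM_MARKER)]
SAMPLE = [
    Packet(1_000_000, DCOM_PORT, b"legit RPC bind request"),
    Packet(1_000_050, DCOM_PORT, b"junk" + WORM_MARKER + b"junk"),   # before the rule
    Packet(1_000_150, DCOM_PORT, b"junk" + WORM_MARKER + b"junk"),   # after the rule
    Packet(1_000_200, DCOM_PORT, b"legit RPC bind request"),
    Packet(1_000_250, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print("port block     :", apply_policy(SAMPLE, port_block))
    print("signature match:", apply_policy(SAMPLE, lambda p: signature_match(p, RULES)))
    print("leaked before the rule existed:", reactive_window(SAMPLE, RULES))
```

The port policy drops both legitimate RPC packets along with the worm; the signature policy keeps them but lets the pre-publication packet through.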
My 2 cent goes:
Let there be two kinds of ISPs
* Those with NAT to blackaddresses for the users
* Those with real addresses for the users
Problem solved?
So the ISP is going to start playing GOD and decide what traffic we can and can not have. Sorry the IRC traffic is using too much resources. CHEERS IRC!!! Next ISPs will start charging us to open or close a port, and that will be the end for free internet gaming. If OS creators were ready to accept the blame for their security flaws we would not have this issue.
I'm seeing a lot of people on here complaining that they want their ports open...but you need to remember that we are not indicative of the "average" user.
Like it or not, the Internet no longer consists entirely of technically inclined people. We are outnumbered by folks who just want to read email and surf the web...and don't even know what SSH is.
The problem is that their ignorance affects the entire Internet community. If a few thousand people get infected with the latest worm and start DDoSing a server, or bogging down the mail relays, everyone is affected - even the technically inclined people who were smart enough not to get infected.
Your average user just wants an appliance, a tool they can use without too much effort. They don't know about ports, and don't want to. Honestly, they shouldn't have to know everything that we do - it isn't their problem. Just as I don't know everything that my Doctor does...they don't need to know everything that their ISP does.
For this average user, I think port blocking would be a godsend. Honestly, there really aren't all that many applications that require incoming connections to your home machine....most of the time it is outgoing. Shut down the ports, protect the "average" user, and then let those who know what they're doing open their ports back up.
yrs,
Ephemeriis
"Work is the curse of the drinking classes." -Oscar Wilde
uhmm, apart from the slick web interface to ask the user what they want, has anyone thought about the poor sodding router that has to hold all these personalized rules?
even the big cisco PIX jobbies barf at the thousand rule mark. you'd have to go for a user-wide policy which would put off all the technically competent / meddlers.
it's just not going to work on this scale, I believe. the solution is to have operating systems and small domestic 'broadband routers' have default-deny policies, and leave the ISP (no matter what size they are) to shifting packets and answering DNS, like they're good at.
There are already several versions of tcp over http.
Slashdot has an article on it here
Aliant Telecom (Atlantic Canada's Bell Branch) provides firewalling service for only $5.99/month, or something like that.
This has become the American way and it is a shame. We are in an attitude and culture of bringing everyone down to the lowest common denominator which is exactly the opposite of how we became a superpower and economic colossus to begin with. When you take this road you stifle innovation and creativity and your society stagnates on the scientific frontiers. I don't know how other parts of the world are but the U.S. needs to carefully consider what it stands for, individuality and freedom or a collectivist process where we only move as fast as the slowest person. Just my 2 cents but I think this is a major problem from our schools to our businesses to even our ISPs it would appear. This is a country made strong by pioneers and discoverers and inventors that did amazing things dragging the country along behind them. Now the country is holding them back saying wait until we can all do it together so we don't hurt ourselves with your inventions. This is not good for anyone in the end and it leads to proposals like this where we allow the weak to infringe upon the rights of the strong. We're basically at the opposite end of the spectrum from anarchy where the strong dominate the weak. Both are bad.
The problem isn't the locks on the doors--it's the fact that the staff locks us in as soon as we get there, and won't let us out till checkout time.
The real problem is that there are 2 kinds of people: First there are the lusers who need an ISP to firewall for them, 'cause not only do they not know what it is and that they need it, they certainly wouldn't pay extra for it, even $1-2/month. Then there are the geeks like us, who want ports open so we can do stuff, and can usually configure our own firewalls.
The trouble, of course, will come with the lusers who want to play games that require open ports. However, if they can't figure out which ports they need opened, they don't deserve to have them opened, and if they can, and tell the ISP, which can then check that against the information for the game, the ISP should open those ports and only those ports for them.
But that will never happen, because of the many ISPs (this isn't meant as a dig at you, div_2n) who have lusers staffing them, or just care about the money, and not about protecting their customers or actually letting them access the Internet.
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
You ask the average user TODAY, and s/he will give you the same answer TODAY as he would have given in 1998: "The Internet? That's that 'WWW' thingie."
I host my own email, and I use SA, PROCMAIL, RAZOR/PYZOR, etc. to help scrub what comes through the port(s). But I'm not a typical user. And I still consider that I'm vulnerable, because it's what you don't see that gets you, and my level of ignorance is STILL profound.
(NB: The funniest thing I ever saw regarding "ignorant users" is the lady a few years ago that kept yelling at everyone on Usenet to "stop sending me emails!" She thought her Newsreader was her mail client.)
Any technology distinguishable from magic is insufficiently advanced.
ok when you call up an ISP they simply ask you if you want them to provide a firewall for you or if you'd rather use your own. that way everyone is happy.
This is scary stuff!!! Companies would love nothing more than to turn the internet into another form of TV. This is clearly a step in that direction. A little bit here, a little bit there, and suddenly it'll be the de facto standard behaviour for the internet- consumers thinking they can't author information for this network, just like TV.
On top of that, what's so special about port 80 that makes it so much more secure than other ports? Clueless system administrators think they're safe by blocking all but 80, while clueless application developers push the port concept up one level, shoving multiple buggy, insecure services through one port using RPC mechanisms like SOAP/XML. Now what security analysis tool will be available to understand the *different* requests coming over port 80? hah.
I think that people should have to take a test and pass it before they are allowed to access the internet. Like getting a driving license. People should understand simple guidelines before they access the internet, such as keeping virus software up to date, and not opening e-mail attachments if they don't know what they are. It really doesn't take a genius to do that stuff. I'm sick of having to pay for these idiots that can't do that. I have a wide area network, and because of this worm going around, my ISP blocked ports. My servers couldn't login to my remote domain controller because the port was blocked. I went nuts trying to figure out what was going on, and lost a lot of time because of it. Finally I found out it was the ISP that blocked all traffic through that port, and convinced them to open it up for me. It really is ridiculous and out of hand. All this could be easily prevented if people knew what they were doing. Learn how to use the internet, or leave it to those of us who do. Stop ruining it for everyone. That's what I say. I miss the good old days when everyone and their mother DIDN'T have internet access.
Click here or here.
The paper specifically argues for blocking only the ports used by Microsoft File Sharing, which even Microsoft says shouldn't be open to the Internet. Nothing else.
If you start blocking every port except 80, everything will get rewritten to use port 80. This will result in a significant increase in overhead, and *NO* increase in security.
Ports are conventions. We use certain ports for certain functions because we have agreed to. No other reason. We already see programs that don't belong on 80 using it because they need to get through firewalls. This would merely globalize the tendency, and eventually the entire usefulness of ports would be destroyed.
One can say that this is to protect the innocent, and feel good about things. But this will have as much decent result as most "protect the innocent" laws: None. And it, like most of those, will have significant negative downsides.
I think we've pushed this "anyone can grow up to be president" thing too far.
...blocks all ports below 1024. And no way to opt-out of that extra 'service'.
:)
Oh well, a little port redirection works wonders
Fine, if they want to offer the service, but if they are going to *mandate* blocking of most ports on me, I'll take my business elsewhere.
If it gets to the point as the author suggested where internet is just (AD) browsing, Instant messenger and (Spam) mail... Then bye bye internet for me. (though it's heading that way regardless)
---- Booth was a patriot ----
they would charge for blocking the ports.
Think about it, how many people want all their ports open? How many people only need a few?
So a smart ISP says it will give you an 'enhanced security protection' for a mere 4.95 a month.
Every non-techie who was hit by a worm would jump on it, and there are a lot more non techies than techies.
The Kruger Dunning explains most post on
Karma-whoring here...
My solution to the opt-in/opt-out argument would be that the routers/CMTS/DSLAM that do the filtering would allow "smart" users to use SNMP to control the filtering on their ports, requiring the same username/password authentication used to connect to service. The default settings would handle 95% of users, and standard scripts would be around for gamers/p2p'ers/etc. Authentication is necessary so that virii don't drop the filters (I'm assuming that passwords wouldn't be stored where virii could sniff them out, but I may be wrong).
is how this can make money.
you charge people for this 'enhanced security' option.
Plus, I can't think of any routers on which blocking ports would be anything except trivial.
The Kruger Dunning explains most post on
Government is not protecting the idiots, it's protecting us from the idiots.
Don't wear a seatbelt because you know *you* are a safe driver? What about when some idiot rear ends you, or pulls out unexpectedly, or runs a red light? You get thrown about, and perhaps lose control of the vehicle, when you wouldn't have wearing a seat belt. Helmets are the reverse - safer for the rider, but more likely to hurt anyone they hit. They don't really belong in this conversation. The roads are a shared resource, similar to the internet. We don't want the learners being stupid, and we need other rules to deal with the criminals and the reckless.
There is no magic clue stick to beat lusers with, and as a result there are always going to be unprotected machines. The ISPs should firewall, and opt-out it, as the clueless will not secure their boxes - we all know it, it's a fact. Saying that "the luser should protect their box" does nothing to sort out the problem, we need a solution. As long as the ISPs can correctly opt-out people (no "our policy is you can't", or "you need to upgrade to a business connection"), the solution on offer is a good one.
It's "told you so" when a coffee cup label warns you and you go ahead and burn yourself. But our problem is that people keep accidentally burning other people. The ISPs should be real clear about firewall requirements, and securing your box, with EVERY user, and make sure that users without competence are secured by default.
It's "lose" a customer. "Loose" a customer, interpreted with some leniency at that, means that they will release you from some sort of bond or containment, implying that you have even greater network freedom AFTER they block your ports than before.
I think your ISP would be most understanding if you left over this...
-j
The less interference from ISPs the better.
ISP's close ports and instantly get deluged with millions of phone calls...
Won't work. If you do this, half your customer base is going bye bye to an ISP that doesn't "help" you.
This would be good for the masses (and is probably necessary, from a security standpoint) but no one would understand why their Netmeeting (or whatever) stopped working, and why you can't "just fix it" for them. You would see the ISPs that were blocking ports go out of business in no time flat.
l8,
AC
Ok, so I really should proofread for typos.. I know this... (like I ever will start)
:)
And in some ways that is true, you are bound to their contract.. so being released would free them up to sell your allocation of bandwidth
But that's not what I had meant. I just can't type worth a damn some days..
---- Booth was a patriot ----
My ISP already does filter several ports for me... and it is very annoying. I have a cable modem (Charter) and they established a policy about "No running servers on a non-expensive-business line", and so they block common server ports like FTP and HTTP. Fine, not a big deal.
However, some corporate monkey heard the word "server" in relation to "mail server" and decided to block SMTP as well. This isn't outgoing SMTP (which might block some spammers), but incoming SMTP!
So, Charter has to waste disk space and resources storing my mail for half an hour, I have to jump through fetchmail hoops to pull it down every half hour, and MY sendmail has to go through ugly masquerading so I can still have working properly addressed mail inside my LAN, but have it get converted to THEIR email address outside since I have no way to point my domain's MX record at my mail server.
Long story, short point. Do you WANT this kind of corporate idiocy as the default for all ISPs? I think a far more reasonable policy is for ISPs to disconnect any customers who send out spam or virii, if they detect them. If the customer calls and asks why they were shut off, give them the answer... their machines are polluted and compromising the security and operation of the network at large... they should clean them up or pay us $$$ to come do it for them.
As Steven Deering pointed out, if you close ports, then everybody puts their protocol on top of HTTP. But then this just makes a protocol stack on top of HTTP that you need to filter and you've just moved your problem to a higher level! Therefore, you should just go back to the original problem and use ports as they were intended.
Wouldn't it make sense for the ISP to masquerade all their dialup users? Sure, there are exploits available, but wouldn't that allow most dialup users an extra measure of security and the access they want without port blocking? As a dialup user, any legitimate connections back to my machine have to be initiated by me in the first place, so there is a chance for my machine to either inform the masquerade server at the ISP to allow the connections inward, or to have the remote box use the connection I established to it to communicate back to me.
Welcome to the net of 1000 lies. Upgrades are scheduled soon that should bring us to the 10,000 lies mark.
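The masquerade behaviour described in the post above (inbound traffic reaches a dialup user only on a connection that user initiated, unless the user explicitly asks the ISP to open a port) as an added Python model of the NAT box's connection-tracking table; this is example code, not from the post or any vendor. The public port range, the idle timeout and the constructed addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAPPING_TTL = 300  # seconds of idleness before a dynamic mapping is dropped (assumed)


@dataclass
class Mapping:
    private_ip: str
    private_port: int
    remote_ip: Optional[str]     # None for a customer-requested forward (any remote)
    remote_port: Optional[int]
    last_seen: int
    pinned: bool = False         # forwards do not time out


class Masquerade:
    """Per-ISP NAT table: public_port -> Mapping (constructed, single public address)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}
        self.dropped_unsolicited = 0

    def _expire(self, now):
        for pub, m in list(self.table.items()):
            if not m.pinned and now - m.last_seen > MAPPING_TTL:
                del self.table[pub]

    def outbound(self, now, private_ip, private_port, remote_ip, remote_port):
        """Customer-initiated packet: reuse or allocate a public port."""
        self._expire(now)
        key = (private_ip, private_port, remote_ip, remote_port)
        for pub, m in self.table.items():
            if (m.private_ip, m.private_port, m.remote_ip, m.remote_port) == key:
                m.last_seen = now
                return pub
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = Mapping(private_ip, private_port, remote_ip, remote_port, now)
        return pub

    def forward(self, public_port, private_ip, private_port):
        """The customer tells the masquerade server to accept unsolicited traffic
        on one public port (the post's 'inform the masquerade server' case)."""
        self.table[public_port] = Mapping(private_ip, private_port, None, None, 0, pinned=True)

    def inbound(self, now, remote_ip, remote_port, public_port):
        """Packet from the Internet: delivered only if it answers an existing mapping
        (same remote endpoint) or hits a pinned forward; otherwise dropped."""
        self._expire(now)
        m = self.table.get(public_port)
        if m is None or (not m.pinned and (m.remote_ip, m.remote_port) != (remote_ip, remote_port)):
            self.dropped_unsolicited += 1
            return None
        m.last_seen = now
        return (m.private_ip, m.private_port)


if __name__ == "__main__":
    nat = Masquerade("203.0.113.5")                      # constructed addresses
    pub = nat.outbound(0, "10.0.0.7", 1025, "198.51.100.9", 80)
    print("reply delivered to:", nat.inbound(1, "198.51.100.9", 80, pub))
    print("unsolicited probe on 135:", nat.inbound(1, "192.0.2.1", 4444, 135))
    print("dropped so far:", nat.dropped_unsolicited)
```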
Since I'm most likely to be the only person to see your post, I thought I'd drop in with a few bits of advice to help fix your karma. (I'm going to turn my karma off as well.)
First off, calm down. You sound ready to try to take on everyone you meet in any argument all the time. Most people don't want to be argued with, they want to think they are arguing with you.
Second, don't shout so much. There are other ways of conveying emphasis, even if you don't know HTML. Use the all caps sparingly.
Third, complete one idea before starting another. Sentences need both a start and an end, in almost all cases. Make each one convey one idea, and complete it. Try to keep them short enough that most people remember the beginning when they reach the end. Do the same with paragraphs.
These will help you get your idea across so that reader will be able to understand it easily. Reading a /. page bombards the reader with dozens of ideas, the ones that stand out are both easy to grasp and original. You are having major problems with the first of those conditions, which means that even when you have a good idea it will be overlooked. Work on clarity, don't make the reader work to understand you.
'Sensible' is a curse word.
FYI: Most ISPs lease their access through providers throughout the United States, including (but not limited to) the following:
Broadwing
Flexpops
PSInet
UUNET
Sprint
Level3
ELI
USPOPS
These are just a few of the many companies that allow you to lease their banks of dialup terminal servers. You can lease as many ports as you need in the area, and if service expands, you can just lease more ports. If service declines, lease fewer. You would have to work with the company to set up two types of ports, unfiltered and filtered, and then have two separate dialup numbers for each area so that people could choose which they wanted. I'm not 100% sure, but I believe most of the providers in that list won't allow you to do that, because if you set up filtering for a specific netblock, it means anyone who dialed in with a different ISP and got that netblock would be filtered as well. You could statically assign the netblock to that series of ports, but that's more expensive, since you are now leasing static IP space as well.
I don't want to purchase access to a few services on someone's Internet connection. I want to be ON the Internet.
So.... if there are two choices; one who filters everything but what they think I should use, and one who just gives me raw IP... guess where my business will go.
Ahh... I see. Well, here in Australia - most litigious country in the world - the fallback positions would be:
If you're paying for a service, they should provide it. If they don't provide the service, don't pay for it. In some cases, sue them for lost income and damages. If they insist that port blocking is good because you're dumb, sue for defamation, slander or libel (depending on the media used and the message contained).
Though I guess it's a bit much to sue for damages over an $80/month ADSL connection, there are agencies such as Consumer Affairs and the Australian Consumer and Competition Commission which Australians can use as big sticks when needed. Though I must admit I have no faith in the new head of the ACCC - he's a businessman from a business background, so how fairly is he going to represent consumers against businesses?
Port filtering should be covered in some way by SLAs (for business lines) or at least by Terms and Conditions (for everyone). Guess I'll have to make that a feature of my ISP - make the T&C prominent, so that our customers are aware that we will take action to protect them from their operating systems' flaws, and if they ask us nicely we can let them have unfettered access to the virusnet... I mean.. Internet.
As an ISP, we're the ones who will cop the flak should one of our customers turn out to be a spammer or virus lab. Therefore not only is it in my best interests to protect the customers from the Internet (reduce support calls), but it's in my best interests to protect the Internet from my customers. My firewall works both ways - since the buck stops here, the s**t will stop here too.
I might wander off to my journal now, and start writing up a code of conduct for ISPs wrt firewalls :)
And this thread reminds me of the saying "Don't sweat the small stuff." You made a typo. It's perfectly understandable, and your intended meaning is 100% clear. So, don't lose any sleep over it.
I can't afford a sig!
For the majority it already is!
The problem is much deeper than open or closed by default. Can't have it both ways. Either the internet is an open system or it is not.
It is not a crime to hold an image in the mind's eye, neither should it be to hold one on a computer. The crime is in the act that created the image. The image itself is merely evidence of a potential crime and can and should be used in evidence. Potential because the image might be an illusion.
If it is illegal to store an image of child abuse, as it is in the UK, but the community is powerless to punish the actual abuser, then we have a real problem. The internet is power in the hands of those that understand it. With power comes RESPONSIBILITY. Nobody can or should carry responsibility for my actions except me.
This is indeed a dangerous road to be going down. For it both threatens and enriches the very lives of our children.
It must be that open and accepting responsibility by default is the only possible way forward.
You have not defeated anything. You have simply fragmented your tiny portion of the net. Unless YOU are M$N or AOL, the chances of you serving anyone I want to talk to are vanishingly small. All you have done is hurt your users a little.
You need an attitude adjustment to really solve the problem. Your users are not "fuckwits", they are people who have been listening to people like you and me. Do you really think the average user hears enough to know just how insecure Windoze is and how bad it is for the net? No they don't, and you and I are in part to blame. Every time you shrink from telling the truth about software, you make the problem worse. Education is the solution. While we can't expect everyone to build their own software, there's no reason the average person can't use free software to avoid all the hassles of M$ junk.
One key component of that education could be to restrict services based on OS. If someone uses M$, even behind a firewall, block their ports. This CAN be done at the cable or DSL modem and should be. This would reduce the trouble you have, and put the odium right where it belongs.
Friends don't help friends install M$ junk.
They won't block it, but I bet they'll transparently proxy it and cache the results. Thus, you'll think the link is up but you're actually getting the data from a previous call.
I sure hope your program checks the content to make sure it's not being spoofed by some man in the middle.
Actually, caching would not be a good thing, but the scripts would still mostly work... All the pulling of http pages down does is verify (hopefully) that the machine can access the outside world via direct IP addresses, and via DNS. Proxy caching would be a bad thing, but the script would still tell the machine that it had as much a connection to the internet as it ever had.
As for spoofing, that would be totally useless. All the script does is check three different sites, none of which are the ones I am connecting to, first via IP, then via DNS. It does not even look at the content of the pages it pulls, just checks for success or failure and tosses the content straight to the bit bucket.
If the box thinks the internet is up, and that DNS is working too, then it checks to see if its Internet interface matches a dynamic DNS service. If all those check out, it uses standard IPsec authentication methods (RSA public/private keys) to actually authenticate to the other box.
Oh, and this idea is now my exclusive IP, so if any readers use it, you owe me $699.00! I will be waiting for the check!
Styrofoam IS biodegradable, you're just impatient!
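The "is the link really up?" script described in the exchange above, as an added example that is not the poster's code: it probes three sites by raw IP and then by name, discards the content and keeps only success or failure, as the poster describes. It also adds the one check the poster's script does not do and the earlier reply worried about: it refuses a reply that a transparent proxy served from cache (stale `Date`, non-zero `Age`). The probe URLs (RFC 5737 documentation addresses and `example` hostnames), the fixed clock, and the fake fetchers are all constructed so the block runs offline; in real use `fetch` would be a thin wrapper around `urllib.request.urlopen` that returns the status and headers.

```python
"""Added example: a link-up check that trusts status codes, not page content,
and rejects transparently cached replies. All inputs below are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_SKEW = timedelta(seconds=30)     # how old a Date header may be and still count as live

# Each probe is (by-IP URL, by-name URL). Constructed: RFC 5737 ranges and example hostnames.
PROBES = [
    ("http://198.51.100.10/", "http://probe-a.example.net/"),
    ("http://203.0.113.10/", "http://probe-b.example.org/"),
    ("http://192.0.2.10/", "http://probe-c.example.com/"),
]


def response_is_fresh(status, headers, now):
    """Accept a 2xx whose Date is recent and which carries no positive Age header.
    A transparent cache answering from an old copy typically fails one of these.
    Headers are assumed already canonicalised to 'Date'/'Age' by the fetcher."""
    if not 200 <= status < 300:
        return False
    try:
        if int(headers.get("Age", "0")) > 0:
            return False
        served = parsedate_to_datetime(headers["Date"])
    except (KeyError, TypeError, ValueError):
        return False
    return abs(now - served) <= MAX_SKEW


def probe_ok(fetch, url, now):
    """One probe: any exception (DNS failure, refused, timeout) is just 'down'."""
    try:
        status, headers = fetch(url)          # body is never looked at, only status/headers
    except Exception:
        return False
    return response_is_fresh(status, headers, now)


def link_status(fetch, now, probes=PROBES, quorum=2):
    """fetch(url) -> (status, headers). Returns (raw_ip_ok, dns_ok), each true when
    at least `quorum` of the three probes succeed, so one dead site does not flap us."""
    ip_ok = sum(probe_ok(fetch, ip_url, now) for ip_url, _ in probes)
    dns_ok = sum(probe_ok(fetch, name_url, now) for _, name_url in probes)
    return ip_ok >= quorum, dns_ok >= quorum


# ---- constructed fetchers standing in for the network -------------------------
NOW = datetime(2003, 8, 20, 12, 0, 0, tzinfo=timezone.utc)


def fake_fetch_live(url):
    """Origin server answering directly: fresh Date, no Age."""
    return 200, {"Date": format_datetime(NOW - timedelta(seconds=2), usegmt=True)}


def fake_fetch_cached(url):
    """Transparent proxy serving a copy it made three hours ago."""
    return 200, {"Date": format_datetime(NOW - timedelta(hours=3), usegmt=True),
                 "Age": "10800"}


def fake_fetch_dns_dead(url):
    """Raw IP works, name resolution does not."""
    if url.startswith("http://probe-"):
        raise OSError("name resolution failed")
    return fake_fetch_live(url)


if __name__ == "__main__":
    for name, f in [("live", fake_fetch_live), ("cached", fake_fetch_cached),
                    ("dns dead", fake_fetch_dns_dead)]:
        print(name, link_status(f, NOW))
```

The quorum keeps one unreachable probe site from tearing the tunnel down, and the `Date`/`Age` check is what turns "the proxy says 200" into "the link is actually carrying traffic now"; it still never inspects page content, so a man in the middle feeding fake pages gains nothing beyond what the IPsec authentication that follows would reject anyway.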
How long before SOAP-tunneled VPNs will be activated by default on Windows if these ports are closed?
The only reason these ports are a problem is because the user-friendly vs. secure tradeoff always comes down to "let's make it really user friendly and blame the users and evil hackers if that makes it insecure". </rant>
.. is that every friggin' ISP should block this and that port just to bypass Microsoft's broken shit of the day. And then there's this nonsense about opt-in or opt-out. By default your OS is not supposed to listen on every possible port and direct all incoming traffic directly to /dev/kmem and cause crashes. When you start a daemon you're actually opting in to listening on that particular port. When you don't run a server on a specific port, it's opted out. Simple, really.
Heya, I know a number of ISPs in Australia who already offer an ISP based (optional) firewall. With IINet at least you simply login to their control panel and enable the Firewall. Within a few minutes it will be in place. I understand it has worked wonders. Stuart
I understand the short term need to block a specific port like 135. But having a flaw in Microsoft OSes (or any other for that matter) shouldn't become an excuse to block ports, as it can mess up other legitimate, more secure OSes that may use a low port like 135.
Anyone notice the ping rates are NOT decreasing? It seems that the ISPs are not notifying their customers. And I can't help but think they could.