Should ISPs Be The Little Man's Firewall?
Anonymous Coward writes "In a paper published today, the point is made that ISPs should filter some ports (e.g. 135) for good. I guess given what everyone sees hitting their various firewalls these days, this may make sense. But wasn't the Internet supposed to be 'open' at one point? Or are we to the point where Internet=Web (and maybe AIM). The author of the paper is operating DShield and I guess has some insight into this issue. He made the same points before on various mailing lists."
relies on me to find the latest virii/worms that are going to pound the bandwidth, get their port numbers, and set up ACLs accordingly. Not only do the customers like it, it gives us more time to patch our hundreds of machines and decreases our incoming bandwidth.
Overall, I help stop another hundred thousand or so Win32 users from pounding the net to death. I don't see how anyone could see this as a bad thing. (welcome input)
Get paid to code OSS
I disagree. It should be OPT-OUT. The idea is to protect the clueless, and the rest of the net FROM the clueless.
If you know anything about opening a port, then you are ahead of 99% of those connected, and know what you are doing. Thus, you can opt out.
This wouldn't prevent you from using blocked ports.
It would be, by far, less of an inconvenience than the shit that goes on now with everything wide open.
Learning HOW to think is more important than learning WHAT to think.
Err, can we clarify this?
If everyone is subscribed by default, it's opt-out.
Opt-in means you don't have it until you ask.
The word you mean is opt, not opt-in, not opt-out. You opt to get the service in opt-in. And you opt out of the service in opt-out.
Spam right now is "opt-out": you get it until you sue the spammer. Software development mailing lists are opt-in: you have to confirm you want it before they give it to you.
And another thing: knowing the profit margins of local ISPs, don't expect firewalling to be free. That's kinda good if they make it an "option", say $1-2/month/IP protected. That would make some larger providers happy too; they want you to pay more the more machines you have. (NAT, of course, covers that, but that is a firewall function, isn't it?)
The source of the problem this is addressing is an operating system that has every port opened by default. That operating system's owner can pay for this. They should have to fully fund it at the user level, not the ISP level. Otherwise STFU. I have a cheap-ass packet filter router on my cable modem. Guess what? I don't have any problems. This is an appliance a moron can configure. The manual has pictures, even.
I run Linux. My systems are doubly secured by having all default open ports that are not needed shut off. I pay my ISP for full internet access. SAN needs to get its head out of its ass. I don't need to be made to suffer because Microsoft is too stupid and greedy to build security into any of its products.
As you can see I don't care about my karma.
Case in point: I was not affected at all by Sobig.F directly; however, I did see my mail gateways come under incredible load, my IDSes fill DBs with Sobig warnings, and my users encounter endless confusion at bouncebacks from dumb virus scanners that claim we are infected, since Sobig is an SMTP forger. Sobig wasted a lot of my resources and time even though it didn't infect a single one of my 1700+ users. It was rather benign, though; I'm afraid of what comes next.
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
Some people like my dad just want to use the internet, and they don't care how it works, they pay money for an ISP and they expect them to make it work.
James
That's right.
In my university all high speed internet users (residence, townhomes or laptop users) get to choose between the "Browser" and "Unprotected" zone.
I think other ISP's can do that.
I'd personally go with unprotected, but IMO for most dummies the Browser mode is of course better.
My ISP does give me such an interface. About 5 ports are blocked, and have always been. Just recently they provided an interface where I can selectively re-enable those ports again.
It's iinet in Australia.
is that it costs real money to block ports. ISPs have big routers, and the CPU cycles of those routers are expensive. Blocking ports takes additional CPU cycles, so ISPs need to have a strong business reason to start blocking.
The real "Libtards" are the Libertarians!
My ISP has spam filters. If you log into their webmail client, you can turn on or off the various rulesets, or tune them at will.
Now if they didn't have this adjustment ability, I'd be moving elsewhere in a big hurry--but they give me the filters, default them to all on, and let me turn off what I want. I don't see why they can't do that with internet ports. Default to everything turned off, and then have a website that I could authenticate against, which would allow me to open ports. ACLs in FW1 should be able to accomplish this.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
I really don't care about making the Internet safe for everyone. Next thing you know we'll be suing gun companies over homicides, I mean ISPs over cyber attacks.
Isn't the real issue here the fact that Windows has so many security flaws? Maybe Windows just isn't ready for the Internet. I run Solaris, Linux, and MacOS X, with the protection of a Solaris/IPFilter firewall at home and do you think I care about worms and viruses? Nope.
The only thing I could possibly suggest that the ISPs do is communicate a standard warning: "The surgeon general has determined that Windows can be hazardous to your computer while connected to the Internet." and leave it at that.
-- Thou hast strayed far from the path of the Avatar.
My ISP (Australia Wide, NOT owned by a Telco), has recently implemented port blocking into all their accounts.
Along with this 'feature' they also enable us to enable or disable port blocking, at our convenience, in about 4 clicks and a login. If you ask me, any ISP worth buying service from who is considering making port blocking mainstream (because it IS important, and it is something that is going to stop the vast majority of users from getting viruses/hacks that commonly exploit vulnerabilities in the more widely used OSes) will implement a similar service.
I am charged nothing, for leaving my ports open, and I run firewall software on my PCs with custom rules relating to ports because of web/ftp/ssh servers etc. It was quick and easy to toggle between blocked and unblocked, and anyone on this service can do it.
I honestly don't see why this is such a hard thing to adopt, and I would like to thank my ISP for being as reliable and friendly as they are, I know I am lucky in this situation.
I think ISPs SHOULD be the Little Man's firewall. The inexperienced user needs protection and 90% of the time will not have a clue how much work the ISP has done for them, but perhaps might comment to their friends that "No, I didn't get the Blaster Virus" when everyone else did.
and it purely sucked. I couldn't use normal service ports (21, 22, 80, 126...). I had to use shitty ports for everything and it really sucked. This was the Korean ISP Thrunet, by the way. I hated them the most out of all the ISPs I ever used. Their service was always cutting me off too. DO NOT THINK PORT BLOCKING IS A GOOD THING. It chops your feet off if you actually know what you are doing.
Unlike say, Linux, right? Oh wait, my Debian machine had such gems as the much-exploited SunRPC (port 111) running after even a minimal base installation.
I like my women like my coffee... pale and bitter.
Not anything.
135, 136, 137, 445, 31337 in any direction, 25 and 119 incoming, and other l33t ports. It has been a common practice in many countries to block them off for 7+ years. Off the top of my head I can think of at least 3 big Bulgarian ISPs, 1 Russian, 3 Dutch, 1 UK, 2 German, and so on and so forth, that have been doing this for years. These are the ones I know, and there are many more out there.
Also note that the port list deals only with ports related to l33t script kdd10tz behaviour and SPAM. SSH, FTP and HTTP, which are commonly prohibited by US ISPs, are not there.
Also, I have not heard about any of their customers complaining, despite the fact that it is not even opt-out. It is so old that it was implemented in the days when you could not choose an ACL via RADIUS, so it is a fixed access list on all interfaces. And I think it should be.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
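As an added example (not code from any poster in this thread), here is a small Python model that joins the two designs discussed above: the fixed ISP-wide list from the post just above (135, 136, 137, 445 and 31337 dropped in either direction; 25 and 119 dropped only towards the customer) and the per-customer self-service opt-out that the earlier "authenticate against a website and open ports" post and the iinet post describe. The customer address (a documentation range), the `open_port`/`close_port` calls the web page would make, and the iptables rendering are all assumptions for illustration, not any ISP's real configuration.

```python
"""ISP edge filter: default port blocklist plus per-customer opt-out.
Added example; the blocklist is the one quoted in the thread, everything else is assumed."""
from dataclasses import dataclass, field

# Ports quoted in the post above: dropped whatever the direction, or only towards the customer.
BLOCKED_BOTH_WAYS = frozenset({135, 136, 137, 445, 31337})
BLOCKED_INBOUND = frozenset({25, 119})


@dataclass(frozen=True)
class Flow:
    """One packet as the edge router sees it."""
    direction: str   # "in": Internet -> customer, "out": customer -> Internet
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass
class Customer:
    ip: str                                    # assumed customer address (documentation range)
    opened: set = field(default_factory=set)   # ports re-enabled on the self-service page (assumption)

    def open_port(self, port: int) -> None:
        """Opt this customer out of the default block for one port (what the web page would call)."""
        if not 1 <= port <= 65535:
            raise ValueError(f"not a valid port: {port}")
        self.opened.add(port)

    def close_port(self, port: int) -> None:
        """Put the default block back for one port."""
        self.opened.discard(port)


def permits(customer: Customer, flow: Flow) -> bool:
    """Edge decision for one packet belonging to this customer."""
    if flow.dst_port in customer.opened:          # an explicit opt-out wins
        return True
    if flow.dst_port in BLOCKED_BOTH_WAYS:        # worm / backdoor ports: never, either way
        return False
    if flow.direction == "in" and flow.dst_port in BLOCKED_INBOUND:
        return False                              # no inbound mail or news servers by default
    return True


def render_iptables(customer: Customer) -> list[str]:
    """Per-customer rules for a Linux edge box: one way to push the same policy per subscriber
    instead of a single fixed access list on every interface (assumed deployment, not a real ISP's)."""
    rules = []
    for port in sorted(BLOCKED_BOTH_WAYS - customer.opened):
        for proto in ("tcp", "udp"):
            rules.append(f"iptables -A FORWARD -d {customer.ip} -p {proto} --dport {port} -j DROP")
            rules.append(f"iptables -A FORWARD -s {customer.ip} -p {proto} --dport {port} -j DROP")
    for port in sorted(BLOCKED_INBOUND - customer.opened):
        rules.append(f"iptables -A FORWARD -d {customer.ip} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    cust = Customer("203.0.113.10")
    print(permits(cust, Flow("in", "tcp", 135)))   # False: RPC endpoint mapper never reachable
    print(permits(cust, Flow("in", "tcp", 25)))    # False: no inbound SMTP by default
    print(permits(cust, Flow("out", "tcp", 25)))   # True: sending mail to the ISP relay still works
    cust.open_port(25)                             # customer runs a mail server and opts out
    print(permits(cust, Flow("in", "tcp", 25)))    # True
    print("\n".join(render_iptables(cust)))
```

Because the rules match only on destination port, a customer's own outbound connections (and their reply packets, whose source port is 25 or 119) are untouched; that is exactly the "can play online games but not host" behaviour described later in the thread. The opt-out is per port, so opening 25 to run a mail server does not reopen 135.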
You know that POP3 can preview messages (using TOP msgnum no_lines) and delete with the command "DELE msgnum".
So you don't have to download all the files to delete them; POP3 has features in place. You just need a decent mailreader or telnet to use the functionality (some MUAs do implement a kind of preview before download).
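The exchange described above, as an added example that is not part of the original post: the client previews each message's headers with `TOP n 0`, decides from the Subject line alone, and issues `DELE n` for the ones it does not want, so the body never crosses the wire. To keep it runnable offline it talks to a toy in-process POP3 server written for this example; the mailbox contents and the list of subject markers are constructed (the markers are meant to resemble mass-mailer subjects of the Sobig kind but are an assumption, not a detection signature).

```python
"""POP3 preview-and-delete with the standard library's poplib against a toy server.
Added example; mailbox, credentials and subject markers are all constructed."""
import email
import poplib
import socketserver
import threading

# Constructed mailbox: two ordinary messages and one that looks like a mass-mailer's.
MAILBOX = [
    "From: alice@example.org\r\nSubject: meeting notes\r\n\r\nSee you at 10.\r\n",
    "From: boss@example.org\r\nSubject: Re: Thank you!\r\n\r\nPlease see the attached file for details.\r\n",
    "From: bob@example.org\r\nSubject: lunch?\r\n\r\nSame place as usual?\r\n",
]

# Subject markers to delete unread: an assumption for this example, not a real signature.
SUSPICIOUS_SUBJECTS = ("re: thank you!", "re: details", "your details", "re: wicked screensaver")


def looks_suspicious(subject: str) -> bool:
    """Decide from the Subject header only; Sobig forged From, so that header is worthless."""
    return subject.strip().lower() in SUSPICIOUS_SUBJECTS


class ToyPop3Handler(socketserver.StreamRequestHandler):
    """Just enough of RFC 1939 for the exchange below. Deletes are applied only at QUIT, as the RFC says."""

    def send(self, text: str) -> None:
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self) -> None:
        marked = set()
        self.send("+OK toy POP3 ready")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return                                   # client went away: nothing is deleted
            parts = raw.decode().strip().split()
            if not parts:
                continue
            cmd, args = parts[0].upper(), parts[1:]
            if cmd in ("USER", "PASS"):
                self.send("+OK")
            elif cmd == "STAT":
                live = [m for i, m in enumerate(MAILBOX, 1) if i not in marked]
                self.send(f"+OK {len(live)} {sum(len(m) for m in live)}")
            elif cmd == "TOP":
                n, nlines = int(args[0]), int(args[1])
                if n in marked or not 1 <= n <= len(MAILBOX):
                    self.send("-ERR no such message")
                    continue
                head, _, body = MAILBOX[n - 1].partition("\r\n\r\n")
                self.send("+OK")
                for line in head.split("\r\n") + [""] + body.split("\r\n")[:nlines]:
                    self.send("." + line if line.startswith(".") else line)   # byte-stuffing
                self.send(".")
            elif cmd == "DELE":
                marked.add(int(args[0]))
                self.send("+OK marked for deletion")
            elif cmd == "QUIT":
                self.server.purged = sorted(marked)      # the "update" state: deletes happen now
                self.send("+OK bye")
                return
            else:
                self.send("-ERR unsupported")


def purge_unread(host: str, port: int) -> list[int]:
    """Client side: headers only via TOP n 0, DELE whatever matches, then QUIT to commit."""
    conn = poplib.POP3(host, port, timeout=5)
    conn.user("user")
    conn.pass_("secret")
    count, _ = conn.stat()
    deleted = []
    for n in range(1, count + 1):
        _, lines, _ = conn.top(n, 0)                     # header lines, no body
        headers = email.message_from_bytes(b"\r\n".join(lines))
        if looks_suspicious(headers.get("Subject", "")):
            conn.dele(n)
            deleted.append(n)
    conn.quit()
    return deleted


def run_demo() -> tuple[list[int], list[int]]:
    """Serve the toy mailbox on a loopback port, run the client, return (client view, server view)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), ToyPop3Handler)
    server.purged = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        deleted = purge_unread(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()
    return deleted, server.purged


if __name__ == "__main__":
    print(run_demo())   # ([2], [2]) with the constructed mailbox
```

Two caveats a practitioner will hit: `TOP n 0` fetches headers only, so a filter on attachment names needs enough body lines to reach the MIME part headers, and a forged From header tells you nothing; and because DELE is only committed at QUIT, a connection that is cut mid-session (as the Thrunet post complains about) leaves every marked message in place.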
Here in the UK an increasing number of broadband ISPs are doing this already. They started a couple of years ago blocking inbound SMTP.
I run my own mailserver and virtually had to promise the life of my unborn child to get it unblocked.
But here's the kicker. Looking for a new ISP I found several that block inbound SMTP to all their DHCP customers, if you want it unblocked you have to get a static IP account for which they charge an extra 5 per month (+tax).
The funny thing is we'll probably get some ISPs charging extra for their "Premium Protected" rate service while others will charge more for "Unrestricted Access" accounts.
Oh, and by the way: Even before I opted out of their firewall, I could play pretty much all online games (but not host). So I suppose very few people will even notice they have the firewall.
ISP's close ports and instantly get deluged with millions of phone calls...
Won't work. If you do this, half your customer base is going bye bye to an ISP that doesn't "help" you.
This would be good for the masses (and is probably necessary, from a security standpoint) but no one would understand why their Netmeeting (or whatever) stopped working, and why you can't "just fix it" for them. You would see the ISPs that were blocking ports go out of business in no time flat.
l8,
AC