Should ISPs Be The Little Man's Firewall?
Anonymous Coward writes "In a paper published today, the point is made that ISPs should filter some ports (e.g. 135) for good. I guess given what everyone sees hitting their various firewalls these days, this may make sense. But wasn't the Internet supposed to be 'open' at one point? Or are we to the point where Internet=Web (and maybe AIM). The author of the paper is operating DShield and I guess has some insight into this issue. He made the same points before on various mailing lists."
And not something you get by default and then have to opt-out of - something you get offered and must opt-into. I don't care if port X of all the clueless people's machines get abused, if I want to use port X, I'm going to.
...Also, I didn't know Buggalo could fly.
No
Putting the romance back into necromancer.
I don't want them filtering anything for me, thank you. I can take care of myself. Next thing they'll be stripping attachments off of email and blocking content. Let internet Darwinism take its course; only the strong will survive, and when all these people get tired of the insecure crap that Windows is, maybe, just maybe, they'll vote with their dollars to not support MS anymore.
If my ISP gave me a slick web interface that allowed me to open or block ports specific to when I connect, I'd be all for it. Set the defaults to block things, to protect against worms and the like, but if I want those ports open to do something, it should be easy for me to open them. I think that's the perfect middle ground. People who don't know (or care) will be protected. Those who care can easily do whatever they want. The ISP just has to make it clear where the options are.
Blocking all other ports will just mean worms and virii will have a permanent effect. Each wave of them will kill off a port. When we run out of ports (because something will be written for each one) then the internet must shut down. Some redundant system.
Karma: Excellent^(-t/Tau), Tau=Wittiness/Trollishness
The problem isn't ports - it's the applications that use the ports.
-- $G
For those that want to read about the issue deeply, I highly recommend Lawrence Lessig's book: The Future of Ideas: The fate of the commons in a connected world.
It will give lusers a false sense of security. I happen to travel with my notebook and one of the worst places where I get hit by viruses is not my home ISP or work, but hotel broadband connections in Asia.
If my ISP was protecting me, I would be complacent and I can see myself not updating the scanners / firewall on my notebook and getting hit the next time I went on the road.
The next issue is liability. If an ISP claims to protect and a luser gets infected, they're going to sue (at least in a North American situation).
Blocking egress port 25 ought to be standard for all residential ISPs. There is no reason for a consumer level access user to need to run their own mailserver, and in fact almost none do (on purpose). Of course, many Windows users recently were unwittingly running an SMTP engine in the form of Sobig.(?).
ISPs need to ensure that their residential customers have egress SMTP traffic restricted to their mail servers. Users needing corporate e-mail access most likely can via SMTPS or a VPN if their IT department knows what they are doing. Users need to be respectful of the fact that they are paying for a consumer level service. If you want business level service, realize this is a higher end cost for the ISP (yes, it is-- more bandwidth, possible peering issues due to ingress vs egress traffic, legal liabilities, etc.)
ISPs supplying service to businesses need to enforce the clauses in most service agreements that require the business to 'not engage in activity that will be detrimental to the network or the Internet as a whole' (or similar- IANAL). Spamming, viruses, worms, etc. need to be controlled by the business's IT department, and the ISP should trust their business clients and allow unfettered access. If a business does not know how to secure themselves, they should be contracting someone else to help them (this could include the ISP, of course). Otherwise, they deserve to be treated as a danger to the ISP, since complaints, blacklists, and reduced bandwidth could be the result of unrestricted access.
While I agree with the point I think that power users should be allowed to call up the ISP (maybe even at initial sign-up) and be allowed to request that the ports remain unblocked. Otherwise, the internet *will* become just the web and AIM for everyone if they like it or not.
Well, what's going to happen is: The ISPs will eventually block most ports, "'cause most users don't need 'em." and that'll help some people. "Power users" will be able to pay an extra fee to get the ports unblocked - a "setup" or "administration" fee. Probably even a per-month fee, so they can /really/ get some extra cash. And those people with residential ISPs (e.g. DSL) will be SOL because arguing with the phone company about what ports are blocked will be totally ineffective -- and since they typically have a monopoly on the lines, there's not much you can do. Remember when shell access was standard? Same deal.
This will suck for a while. Especially when they block port 22 at first, because they forgot about SSH. Then eventually most things will be re-written to tunnel through port 80, making everything more complicated (multiple servers switching on the same port). And of course, the worms will follow.
The point is, there is a reason these ports exist in the first place -- they allow some flexibility and simplify communications. What they're really saying is "We don't like the way the internet is designed. So we're going to break it. Sucks to be you."
Z.
If you RTFA you would know that Microsoft says that these ports should be blocked from public networks.
Furthermore, to all the other fools who can't RTFA: the guy is talking about only MS networking ports, all of which should not be open across the Internet.
Seems pretty clear that the average home user needs to be firewalled. People who even care will probably be the same people who want static IPs, guaranteed uptime, and other goodies: business users and geeks. So even if they do lock down the basic service, you can always get a business account.
The best would be for there to be a mid-range account which doesn't have to pay the full business price (and doesn't have the same service guarantees) but does have no-hassle access. I'd be willing to pay $5 more per month or so for that.
Here's a neat idea: you get your account, and they ship you a cable modem and personal firewall device. You're free not to use it (well, maybe the TOS say you have to, but nobody listens to them anyway) but they tell you that if you don't you'll leave yourself open to hackers and viruses. 90% of people will plug it in and forget about it, while the geeks will disassemble it to see how it works and then set up their own.
Actually, there is probably a better way yet: An ISP can block its ports if it wants to, but it must tell its users, and there needs to be at least two different ISPs in any market.
Some ISPs could advertise that they block $a, $b, and $c, as a security measure. If the customer doesn't want to think about security, they go with those ISPs. Others could advertise they allow access to the entire net. I would sign up for that, and do my own security.
Of course, for this to work there actually needs to be competition in the ISP realm. Not a given at the moment.
'Sensible' is a curse word.
Then you (as well as your employers) are very short sighted. I could well be using those ports. Many software programs that dynamically allocate ports likely will use some ports you block, and users' applications will just fail "randomly". And, of course, your tech support people will deny all knowledge of it. Or, in the case of well known ports such as port 135 mentioned in the original posting, I've actually used port 135 to share entire Windows directory structures across the Internet (between a system in Indiana and one in North Carolina). It was slick and very handy, although too few understand how cleanly (and safely) this can be set up and made to work. How can Slashdot readers really advocate ISPs blocking the utility of the service we buy because some people who also buy it are too lazy to learn to use it properly?
I'm an American. I love this country and the freedoms that we used to have.
If we effectively kill off every port on the internet.. what is the point of having the TCP layer protocol? And if we killed it, wouldn't a lot of devices simply stop working? So I ask.. WHY!?
Personally, I love the idea of having ports. It allows a lot of intrasystem communication, even if it isn't the best way of doing it, and it allows many many services to run on one machine. Hell, without TCP, we wouldn't have IMAP or POP3 or SMTP etc.. (unless someone did them from a web front, sorta like Yahoo, but then it's the same thing on their end....) Somewhere down the line, people have gotta realize, fixing the problem doesn't mean you have to break something else in the first place. ISPs need to let the users deal with viruses, even if they are 100% computer illiterate. Maybe they should offer a service where they will patch your system for a price, instead of simply blocking a port that someone may have been using constructively. This really outrages me, because Adelphia, my cable provider, has killed so many ports due to virus outbreaks (Code Red killed 80, MSBlaster killed 135, 139, 4444, and a bunch of UDP ports), ports that I would have liked to use (port 80 mainly). I have to redirect to 8080, and not many people will know how to do that. Please people, think before doing something so drastic as cutting off all the ports... There are much better solutions.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
Then how is an application supposed to discover on what port a machine is offering a service? What if you didn't know on which port Slashdot was running its HTTP server?
Will I retire or break 10K?
I spent from 10pm last night til 4am on a conference with the worst bandwidth provider in Arlington, Texas because one of my clients was getting one of his T1 lines bombarded by a DDoS attack. The concept of dropping non-source-routed packets was foreign to them. I guess the point I'm getting to is, there are some things the guy on the other end of the T1 line can not do for himself. Even if he had the best bridging packet filter in the world between his T1 and his machines, the pipe would still be screwed at the router above him. So yeah, you bet your ass the provider needs to step in when things are happening at their level. And if they are selling T1 lines to people, they should have the kind of talent in place and IDS systems in place to detect attacks and crap of this nature and do something about it.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
- ISPs start blocking ports
- All software uses port 80
- ISPs start using more complex and intrusive filtering that blocks everything that doesn't look like MSIE
- The internet is officially shit
I can't fucking wait. Game... blouses.
Well, I guess the underlying assumption here is that the software using the ports 135, 137, 139, and 445 is broken beyond repair either from the security perspective or the software is very hard to configure properly (because it seems people accidentally misconfigure it to be open to the entire Internet). Either way, the suggested measure would be an unnecessary limit of free communication for no other reason than a common implementation of certain protocols.
If it is possible for clueless users to accidentally run software that puts their computers at great risk, then I say there is a serious usability problem here. If the software implementation and/or protocols themselves are insecure, providing a better implementation/protocol is a step towards a better future. Trying to shift the responsibility to ISPs isn't the way to go.
Filter by default - if you need your ports or you want to do your own firewalling then get the "advanced user" account that costs less but requires more responsibility from the user.
No, you've got it entirely backwards.
It's the "family" account that will cost less. The "family" account will include traffic filtering and it will come with a service charge for every webpage viewed and every email sent. Traffic filtering will ensure that your Internet activity will remain limited to the viewing of webpages and the sending of emails.
It's the "professional" account, without any filtering or traffic restrictions, that will start costing more and more money.
In other words, we (the techies) will have to pay more, the non-techies will get less service, and the ISP will get all the money.
It should be up to users to protect themselves, or it should be an OPT-IN value-added service provided by the ISP, even if it costs extra.
I pay for bandwidth, plain and simple. I want every port open for whatever use I so desire, with no blockage from the ISP period.
Some morons at certain ISPs recently decided to block all pings, period, on their broadband networks. I run a small computer consulting business, one of my specialties is ipsec-connected subnet-to-subnet VPNs for small businesses with dynamic IP broadband connections. The scripts that make all this work depend(ed) on being able to ping various places to determine if the internet was up, if the peer host was up, and if the tunnel was up.
Since someone didn't RTFM on stateful packet filtering, and figure out how to safely allow ping traffic while blocking DDOS attacks, all my scripts broke (well, among those home users using those certain ISPs that connected into the office). Who in the seven hells ever thought an ISP would block ping!!! I can see a popular website doing it, but an ISP?!? Across their entire network?!?!? Baka!
Anyway, I had to quickly rewrite the scripts to pull entire webpages down to test connectivity, and dump them into the bit bucket, instead of nice, tiny little ping packets. (Let's see 'em block http) Wastes bandwidth, and less elegant too! wheee!
Cookie-cutter broadband ISPs without the technical knowledge to properly configure their routers are NOT people who I want determining what ports/protocols I can and can't use. I pay for bandwidth. Leave my ports alone!
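The connectivity checks described in the post above (is the upstream up, is the peer up, is the tunnel up) do not have to depend on ICMP echo, and they do not have to pull down whole web pages either. A completed TCP handshake to a port the peer is known to serve gives the same yes/no answer and costs a few packets. This is an added example, not the poster's scripts; the local listener it starts is a constructed stand-in for the VPN peer so the code runs offline, and the stage labels are my own.

```python
"""Staged link check that does not depend on ICMP (added example; not the poster's
scripts). A completed TCP handshake to a port the peer serves stands in for the ping,
so it survives an ISP that drops echo requests and costs far less than fetching a
whole page. The listener below is a constructed stand-in for the real peer."""
import socket
from contextlib import closing


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake to host:port completes within timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def link_status(stages, timeout: float = 2.0) -> str:
    """stages: ordered (label, host, port) tuples, e.g. upstream, peer, tunnel.
    Returns 'ok' or the label of the first stage that fails, which mirrors the
    'is the Internet up / is the peer up / is the tunnel up' ordering."""
    for label, host, port in stages:
        if not tcp_reachable(host, port, timeout):
            return label
    return "ok"


def start_stub_peer(host: str = "127.0.0.1"):
    """Constructed local listener on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_stub_peer()
    stages = [("upstream", "127.0.0.1", port), ("peer", "127.0.0.1", port)]
    print(link_status(stages))        # ok while the stub listens
    srv.close()
    print(link_status(stages))        # 'upstream' once it is gone
```

In a real deployment the three stages would point at an upstream host that always answers on a well-known port, the peer's public address, and an address that is only routable inside the tunnel; the ordering makes the first failing label tell you which layer to look at.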
Styrofoam IS biodegradable, you're just impatient!
One reason I can see for ISPs not offering port filtering by default for virus/worm protection is the liability issue. Can you not see the situation of someone relying on this functionality, being hit by something that comes down the pipe, then wanting to hold the ISP responsible because of their negligence in not making the filtering "good enough?"
However, it is the ISP's job to maintain service quality for the other thousand people served by the same point of presence that you use. It is its job to protect its service from DoS attacks, to ensure that those who don't have a worm are able to use the service.
Therefore, when a worm outbreak borders upon DDoS, it is very likely in the ISPs' best interest to interfere with it. They should do so minimally, because their purpose in so doing is to minimize its effect on their business and responsible network operators -- not to quixotically defend irresponsible network operators.
At different stages of an outbreak, and depending on the specific behavior of the worm, an ISP's best response may differ. For instance, if a tiny number of customer hosts are infected and are blasting huge amounts of traffic, the best response may simply be to remove them from the network, or block the relevant ports on the proximal router.
If they call and complain, the first-line technical support can read off a prepared statement, which (when boiled down) says basically this: "Your computer was being used for a Federal crime, breaking in to other people's computers. We shut down the network to protect our other customers from this criminal activity. It's possible your computer was infected by a virus that was being used to perpetrate this crime. Because of this possibility, we didn't call the FBI and report you as the source of the criminal activity. It's your responsibility to keep your computer from being used to hurt other people." They can then go on to offer, for a small fee, a CD of licensed antivirus and worm removal software -- or, for a larger fee, a visit from a technician who will run the same. Connectivity is not restored until the system is clean, whether by this means or any other.
In the case of a widespread outbreak, where more than 5-10% of the client systems are infected, it's probably more expedient to just block the ports on the core routers first. Then find a way of enumerating the infected systems and dealing with them, if it's deemed worthwhile.
Of course, any such measure should be announced. Exactly how to announce it I'm not sure, since many ISP users don't use an ISP mail account (and the ISP must not send spam), nor do they read the ISP's local newsgroup or visit the Web page.
In the case of a local ISP, the newspaper is always an option.
The problem, of course, is that most who really want a consumer-style connection won't go for it because they can't see any benefit to the added cost; becoming a worm or virus transmission vector annoys others but does not usually degrade the infected user's consumption experience and therefore managed firewall services don't make sense. The solution to this is an addendum to terms of service that stipulate that systems which are reasonably believed to be infected with a worm or virus and are adversely affecting networks as a result will be dropped from the network and no refunds will be given. Service will be restored only after a professional (partnership or more managed service opportunities here...) has inspected the system and found it clean of any such threats. Since this will be both annoying - unexpected service termination - and expensive - hourly fees for system checks won't be low - users will find this type of low-cost insurance valuable and useful. Probably enough so to pay an extra 3 or 4 bucks a month, surely enough for the ISP to make a nice profit as well.
And where exactly is the rule written that consumers cannot or should not use port 25?
I guess you don't think we should serve http ports?
And no telnet/ssh either. Remote administration is the kind of thing a consumer doesn't need.
When I pay for my "consumer-level" DSL, I have some expectations that I'm willing to compromise on.
I know the tech-support people will not consider me a priority. I know if they have network problems, they will not work the extra mile to minimize my downtime. I know I cannot talk about "downtime" with them with a straight face, because they don't have those kinds of obligations.
I do expect, however, to be able to send and receive little packets of data every once in a while, at a certain speed, over whatever ports I want. I expect my paltry email packets to be dealt with equally with my fancy packets of video and audio (which certainly cost more bandwidth to my ISP, spam or no spam).
I do expect that my use is not restricted by "whatever is likely" other people need or do.
I agree with you that most users should have port 25 blocked. Actually, I think most BUSINESS users should have port 25 blocked too... a lot of small offices do not need, and do not have, their own email server but were happily sending emails through their business DSL lines due to SoBig.
Let BOTH kinds of users specifically remove that block. Force them to restrict it to a specific email server (or a list) if you want.
If they need it, whether it's a geek or a full IT department, it wouldn't be a problem because they know what they're doing.
But don't assume that a consumer never knows what he's doing, or that a business necessarily has a clue.
Freedom is the freedom to say 2+2=4, everything else follows...
So true! Mod parent up. The only thing he forgot was the bullshit "Universal Service Fee" that some ISPs are actually charging, although it's doubtful they're required to contribute to the USF fund.
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
opt-out is really the key... i use cox.net cable modem service. my port 80 (listen) has been blocked for a year or so now thanks to Code Red, Code Red 2, and other IIS worms. i run Apache on a Mac, which is not vulnerable to these worms. so why should i be punished? (i can't opt-out because technically i shouldn't have *any* listening ports without upgrading to a home-business connection plan... but i'm good! :-P)
Why not make operating systems block all ports by default? This isn't a network issue, it's an application issue.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
Overall, I help stop another hundred thousand or so Win32 users from pounding the net to death. I don't see how anyone could see this as a bad thing. (welcome input)
I would like my ISP to provide firewall services, but not in such an automated manner. Or, rather there should be a web interface like my ISP has for reverse-dns. There should be a checkbox for unfiltered, for autofiltering by ISP with or without notification of filter rule changes, and some way to block/unblock common things yourself by name with autofiltering on or off. This way if I have a locked down machine I can select unfiltered and not worry about strange IP failures, I can select autofilter for my windows machines with holes poked for what I use, and I can select autofilter with additional things like Kazaa blocked for my Wifi...
And, of course, this should be on a per IP basis.
By default the ISP could check 'autofilter without notification' for Mom & Pop, and tell anyone that asks about the "customer satisfaction" interface on your web page. I can certainly set up filtering myself, but I would prefer it was done for me so I don't have to have a machine on all the time and so that I don't personally have to block the latest Windows worm. Right now I have some filter rules in the DSL router, but the interface is a PITA, and it doesn't have the ability to block Kazaa but not something useful like passive FTP, like a more sophisticated stateful filter at the ISP could.
And yet the most common complaint I hear from people is how they paid for lots of bandwidth but they're always the victim of lag and dropped packets. Blocking ports 135-139 would eliminate a substantial amount of the background "noise" that's taking a bite out of your bandwidth.
If someone *needs* to share 135-139 over a public network then they should be using a VPN anyway.
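Several posts above sketch the same design from different angles: egress SMTP restricted to the ISP's relays (or a list the customer supplies), the NetBIOS/SMB ports closed inbound by default, and a per-IP web interface with an "autofilter" mode, customer-punched holes, and an "unfiltered" opt-out. The toy policy engine below, added here as an example and not code from any ISP or from the thread, puts those pieces in one place so the interactions can be checked. The relay and customer addresses are constructed from the RFC 5737 documentation ranges, and the mode names and data structures are my own assumptions.

```python
"""Toy model of the per-customer edge filter the posts above sketch (added example,
not code from any ISP or from the original thread).

Assumed defaults: inbound 135/137/138/139/445 closed unless the customer opens
them; outbound 25 permitted only to the ISP relay or hosts the customer lists;
an 'unfiltered' mode for customers who do their own firewalling."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Ports the thread repeatedly names as default-block candidates.
DEFAULT_INBOUND_BLOCK = frozenset({135, 137, 138, 139, 445})
# Constructed relay address (RFC 5737 documentation range), not a real ISP host.
ISP_SMTP_RELAYS = frozenset({"198.51.100.25"})


@dataclass
class CustomerPolicy:
    """What the hypothetical per-IP web interface would let a customer set."""
    mode: str = "autofilter"                              # "autofilter" or "unfiltered"
    opened_inbound: set = field(default_factory=set)      # holes the customer punched
    smtp_hosts: set = field(default_factory=lambda: set(ISP_SMTP_RELAYS))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def evaluate(pkt: Packet, policy: CustomerPolicy, customer_net: str):
    """Return ('allow' | 'drop', reason) for one packet crossing the customer edge."""
    net = ip_network(customer_net)
    src_in, dst_in = ip_address(pkt.src) in net, ip_address(pkt.dst) in net
    inbound, outbound = (dst_in and not src_in), (src_in and not dst_in)

    if policy.mode == "unfiltered":
        return "allow", "customer opted out of ISP filtering"
    if inbound and pkt.dport in DEFAULT_INBOUND_BLOCK and pkt.dport not in policy.opened_inbound:
        return "drop", f"inbound {pkt.dport}/{pkt.proto} closed by default"
    if outbound and pkt.dport == 25 and pkt.proto == "tcp" and pkt.dst not in policy.smtp_hosts:
        return "drop", "outbound SMTP only to listed relays"
    return "allow", "no blocking rule matched"


def filter_batch(packets, policy: CustomerPolicy, customer_net: str):
    """Count allow/drop verdicts over a batch; the 'background noise' argument in numbers."""
    counts = {"allow": 0, "drop": 0}
    for pkt in packets:
        verdict, _ = evaluate(pkt, policy, customer_net)
        counts[verdict] += 1
    return counts


# Constructed traffic sample for a customer on 203.0.113.0/29 (documentation range).
SAMPLE = [
    Packet("192.0.2.7", "203.0.113.2", 135),        # worm-style probe from outside
    Packet("192.0.2.8", "203.0.113.2", 139),
    Packet("192.0.2.9", "203.0.113.2", 80),         # visitor to the customer's web server
    Packet("203.0.113.2", "198.51.100.25", 25),     # mail via the ISP relay
    Packet("203.0.113.2", "192.0.2.50", 25),        # direct-to-MX, the Sobig pattern
    Packet("203.0.113.2", "192.0.2.60", 443),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.dport, *evaluate(pkt, CustomerPolicy(), "203.0.113.0/29"))
```

Two behaviours worth noting: a customer who lists their own mail server in `smtp_hosts` keeps direct SMTP to it while everything else still goes through the relay, and the inbound default-block only applies to traffic entering the customer's prefix, so the customer's own outbound SMB to a VPN peer is untouched.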
Is that the "advanced user account" would probably end up costing MORE, not less. I think that you'd mostly find 3 situations:
1) ISP blocks ports/services/etc and won't unblock them. Claim it is for security, etc and just won't do it any other way. We had this problem with Cox. They disallowed any VPNs on their normal cable accounts. Our university uses VPNs extensively. It came down to us explaining to them that we would recommend people go with a different provider if they didn't change the rules. Of course as a large university we have leverage that individuals do not.
2) ISPs would allow you to unblock ports, but would charge a fee for it. This is much like how you have to pay to NOT have long distance service. You would end up probably paying a monthly charge just to get to use everything.
3) ISPs would use this to attempt to force business class service. You could get an unrestricted connection, but only if you were willing to drop the bigger fees for a business class connection.
I would have no problem with an ISP firewall, if they'd be nice about it. If I could log on to their website and enable/disable its features at will I'd think it was great. It could be on by default for all I care, so long as they told me. However it does need to be something I can disable easily, and I shouldn't have to pay extra or anything like that for it.
Something like this would be wonderful for the average person. For the 10% of the population (read: us) that this would hinder, the benefits would greatly outweigh anything else.
This does bring up a totally different idea I had while thinking of how things like this and similar average-user features (for instance forcing people to use dialers, browsers, etc..) slow down the power users. It would be nice if major ISPs would start offering levels of service for users. This technically wouldn't require more charges for either group (although surely the ISPs would jack up the prices for specialization). The costs of blocking and filtering would balance with the cost of having to set up special settings for a different group. Both would cost more, but together they wouldn't have to have different prices.
Of course this will never happen, but it's one of those ideas that somebody should think about. And all of this would probably be most useful for broadband connections.
BTW, are there major ISPs that do this type of thing?
... of broadband firewall routers being sold that will not work with the default password. That such routers will not have ANY incoming ports open by default, and ALL unnecessary outgoing ports (not needed for http, https, ftp, telnet, pop/imap, sendmail, ssh, IM, irc, kazaa, etc) are all CLOSED by default. The user will always have the option to open any normally closed port. BUT, since most users leave their routers as-is, and don't care, as long as they can surf the web, send and get mail, etc, such routers will shut out the hackers and limit their exploits on an unimaginable scale. And, a lot of trojans could be cut off just by limiting the lesser-known port numbers outgoing. ISPs won't have to load down their routers with endless lists of changing exceptions to no-route rules... Boy, I dream big.
Dogs look up to men; cats look down on men; But Pigs! Pigs can look men square in the eye. -Churchill
You should be happy about being made to use SFTP instead of regular send-passwords-in-plain-text FTP.
I like my women like my coffee... pale and bitter.
Simple, it costs more, and it doesn't really matter by how much. You'd be surprised at how single minded companies are when it comes to per unit costs. Fixed costs they could almost care less about but try to increase a budget by $1 more *per unit* and people go absolutely fricken nuts. You're right though, if a competing cable modem maker offered a unit for the *same price* they might be able to steal the business away from the existing supplier or, at the very least, convince the existing supplier to add the firewall functionality gratis.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
No
I don't trust anyone but myself to filter what I want. Suppose a certain corporation that shall not be named were to lean on ISPs to block common p2p ports?
Suppose I were working at home as a security consultant and needed access to all ports, including those used by virii?
The internet was originally designed with all the intelligence at the ends, and not at the center. This was done to prevent anything like this kind of behavior, where the people with the routers can control what you can access. If it were not for this forethought on behalf of the Internet founders, your ISP would control what you can access.
And that's what this could easily evolve into. You know the routine. You start with a little. Then they push it a little farther. And a little farther. And a little farther. Then the "internet" is nothing but a glorified TV station, feeding you the same junk in an interactive manner.
Obligatory BTTF quote: "Admittedly, that is a worst case scenario..."
If the approach is "opt-in", any new Internet service in the future is going to be DOA because Joe Clueless is going to download the new apps, find out "they don't work", and isn't going to contact his ISP where the problem is.
The other problem is that any ISP big enough to have a clueless "first line" help desk isn't going to be able to handle "please turn this port on" inquiries from Joe Clueless and will be even less able to handle them from anyone with a clue.
Do we have all the Internet services we're ever going to want?
Sacrificing future technological possibilities just to keep the current Net running properly isn't exactly the sort of thing we want if we want to do interesting and maybe profitable high-tech things.
For port 135 and the other most commonly abused ports, there's a case for blocking by default.
Tech Public Policy stuff
Multiple ports are not the problem - if nothing is using those ports, there would be no traffic on them.
Blocking ports will only cripple legitimate users of those services while the malicious attackers will find other vectors for attack.
You can keep blocking ports until everything is tunnelled over port 80 and content only flows 'one way', but we already have that - it's called TV/Radio broadcasting.
If anything, ISPs should filter the users logging onto their systems - e.g. if the system logging on fails security tests, or exhibits virus-carrying behaviour, then outbound access is curtailed or disabled entirely.
Crippling the internet because Microsoft can't get their shit together is the dumbest thing I've heard this week.
I gots ta ding a ding dang my dang a long ling long
I'm currently at a Holiday Inn. Well, their high-speed net access. Faster than a T1 is nice, but they block port 25. It's an inconvenience since I can't send email through my Yahoo SMTP account nor my email account on another server. Though I'll have to call our hosting service to map port 2525 to 25 to get around this issue, it's still an annoyance.
If the ISP blocks 25 then the spammer will have a buddy set up a box outside the network to accept on some random high port like 37337 and just go to town just like usual. All it serves to do is get in the way of legitimate users in a punish-the-many-for-the-crimes-of-a-few method.
If one is on a dialup, it's really handy to be able to go upstream of one's mail client in order to block the multimeg file attachment some spammer or clueless friend thinks I need.
A shell account saved my ass when Sobig.F hit.
Some moron from dsl.net with an infected box hit mine with viral spams by the thousands on top of the rest of the Sobig viral spam I got. Being able to configure my .procmailrc file at my provider made it possible for me to shitcan everything with a .scr or .pif before I downloaded it via mail client. Without the shell, my account would have been useless to me for weeks and having my ISP clean it out would probably have cost them hours, i.e. hundreds of bucks worth of sysadmin time. With it, I pretty much took care of myself.
One should not have to run one's own mail server in order to do this. A shell is a good thing even for an ISP in the hands of those who can use it properly.
This doesn't mean that users necessarily need to get one by default, though. Personally, I don't ever intend to get an internet account that doesn't have one.
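The .procmailrc approach in the post above (drop anything carrying a .scr or .pif before the mail client ever fetches it) is a server-side attachment policy, and the same check is easy to express in a few lines that run upstream of delivery. The example below is added here and is not the poster's recipe; it uses Python's standard `email` package, builds a constructed Sobig-style message so it runs offline, and the extension list beyond .scr and .pif is my own extension of the poster's rule.

```python
"""Upstream attachment filter in the spirit of the poster's procmail rule (added
example, not the original .procmailrc). Classifies a raw RFC 822 message as
'discard' or 'deliver' based on attachment file extensions. The sample message
is constructed here; .scr and .pif come from the post, the rest are my additions."""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

RISKY_EXTENSIONS = {".scr", ".pif", ".exe", ".bat", ".com", ".vbs"}


def _last_extension(filename: str) -> str:
    """'photo.JPG.scr' -> '.scr'; double extensions are decided by the last one."""
    lower = filename.lower()
    return "." + lower.rsplit(".", 1)[-1] if "." in lower else ""


def risky_attachments(raw: bytes) -> list:
    """Return the filenames of attachments whose extension is on the risky list."""
    msg = message_from_bytes(raw, policy=default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and _last_extension(name) in RISKY_EXTENSIONS:
            found.append(name)
    return found


def disposition(raw: bytes) -> str:
    """The procmail-style verdict: 'discard' if any risky attachment, else 'deliver'."""
    return "discard" if risky_attachments(raw) else "deliver"


def build_sample(attachment_name: str, payload: bytes = b"MZ-not-a-real-binary") -> bytes:
    """Constructed message standing in for the worm mail described in the post."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "me@example.net"
    msg["Subject"] = "Re: Thank you!"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("your_details.pif", "photo.JPG.scr", "report.pdf"):
        raw = build_sample(name)
        print(name, "->", disposition(raw), risky_attachments(raw))
```

Matching on the declared filename is what the original recipe did and is enough against mail that relies on the user double-clicking; a filter that also needs to catch renamed executables would look at the first bytes of the decoded payload, which `part.get_payload(decode=True)` exposes.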
You know how this would work. Those port numbers often used on Windows would be allowed. Anything not on that whitelist would be cut off. So suddenly everyone using Linux under the ISP who wants their services to work correctly gets labelled as an uncouth 'hacker' (in the media meaning of the word, not the original meaning) for wanting to punch through the firewall.
And then the morons who make the majority of public opinion see the extra hoops Linux users would have to jump through to get their systems to work and think, Oh, my Windows box just works, so I guess it's better. (For example, if Windows sharing port numbers are allowed but NFS port numbers are not, then the general effect is that Windows filesharing works and Unix's does not. No amount of explaining will sway the public opinion on this. It's not based on reasoned thinking.)
And although I couched this in terms of Windows vs. Linux, the more general case is the real problem - it makes the decision of which technologies will live and which will die be entirely in the hands of the ISPs. It's the equivalent of your phone company saying "You can discuss your pets, your wife, and your kids over our phone lines, but you aren't allowed to talk about radios, televisions, or cable modems over our phone lines. And we'll be listening in and if you try to raise one of those subjects we'll cut your call off."
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
There are some exceptions, though - if you're getting a high-volume flood of some sort (DDOS attacks, Slammer worms, ping floods, etc.), it's nice to be able to turn it off at the ISP's end of the wire, because that prevents your bandwidth from getting stepped on by the attackers, while otherwise you might be unable to get any effective work done because 99% of your bandwidth is the attack.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I have always run a NAT router on my network and share whatever Internet connection I have had with my flatmates. None of them have ever even known that they have no incoming ports open; they surf the net and read their email perfectly happy and in complete ignorance. I would think that 99.99% of retail ISP customers would be completely clueless to it if they had no open ports available to them. I am a web developer and heavy net user and very rarely have a need to forward ports over to my machine; the average user just doesn't need it. If ISPs were to disable all incoming ports and provide a web interface for users to open up the ports they need, I think they would find that less than 1% of their customers would ever use it.
If you don't have end user level security and leave it up to the ISP, script kiddies have less work to do. They will hammer on the ISP till it cracks, then they'll have free access to all their unprotected customers.
Firewalling needs to be at the OS level and on by default.
I'm sorry, I can't hear you over the sound of how awesome I am.
Uhmm, apart from the slick web interface to ask the user what they want, has anyone thought about the poor sodding router that has to hold all these personalized rules?
Even the big Cisco PIX jobbies barf at the thousand rule mark. You'd have to go for a user-wide policy which would put off all the technically competent / meddlers.
It's just not going to work on this scale, I believe. The solution is to have operating systems and small domestic 'broadband routers' have default-deny policies, and leave the ISP (no matter what size they are) to shifting packets and answering DNS, like they're good at.
You ask the average user TODAY, and s/he will give you the same answer TODAY as he would have given in 1998: "The Internet? That's that 'WWW' thingie."
I host my own email, and I use SA, PROCMAIL, RAZOR/PYZOR, etc. to help scrub what comes through the port(s). But I'm not a typical user. And I still consider that I'm vulnerable, because it's what you don't see that gets you, and my level of ignorance is STILL profound.
(NB: The funniest thing I ever saw regarding "ignorant users" is the lady a few years ago that kept yelling at everyone on Usenet to "stop sending me emails!" She thought her Newsreader was her mail client.)
Any technology distinguishable from magic is insufficiently advanced.
If you start blocking every port except 80, everything will get rewritten to use port 80. This will result in a significant increase in overhead, and *NO* increase in security.
Ports are conventions. We use certain ports for certain functions because we have agreed to. No other reason. We already see programs that don't belong on 80 using it because they need to get through firewalls. This would merely globalize the tendency, and eventually the entire usefulness of ports would be destroyed.
One can say that this is to protect the innocent, and feel good about things. But this will have as much decent result as most "protect the innocent" laws: None. And it, like most of those, will have significant negative downsides.
I think we've pushed this "anyone can grow up to be president" thing too far.
My ISP already does filter several ports for me... and it is very annoying. I have a cable modem (Charter) and they established a policy about "No running servers on a non-expensive-business line", and so they block common server ports like FTP and HTTP. Fine, not a big deal.
However, some corporate monkey heard the word "server" in relation to "mail server" and decided to block SMTP as well. This isn't outgoing SMTP (which might block some spammers), but incoming SMTP!
So, Charter has to waste disk space and resources storing my mail for half an hour, I have to jump through fetchmail hoops to pull it down every half hour, and MY sendmail has to go through ugly masquerading so I can still have working properly addressed mail inside my LAN, but have it get converted to THEIR email address outside since I have no way to point my domain's MX record at my mail server.
Long story, short point. Do you WANT this kind of corporate idiocy as the default for all ISPs? I think a far more reasonable policy is for ISPs to disconnect any customers who send out spam or virii, if they detect them. If the customer calls and asks why they were shut off, give them the answer... their machines are polluted and compromising the security and operation of the network at large... they should clean them up or pay us $$$ to come do it for them.
Wouldn't it make sense for the ISP to masquerade all their dialup users? Sure, there are exploits available, but wouldn't that allow most dialup users an extra measure of security and the access they want without port blocking? As a dialup user, any legitimate connections back to my machine have to be initiated by me in the first place, so there is a chance for my machine to either inform the masquerade server at the ISP to allow the connections inward, or to have the remote box use the connection I established to it to communicate back to me.
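The masquerading idea in the post above, and the earlier NAT-router post about flatmates with no incoming ports, both rest on the same mechanism: the translator only passes inbound packets that match a connection someone inside initiated. A toy stateful masquerader in Python, added here as an example (not the ISP's or any real NAT implementation; all addresses are constructed documentation values):

```python
from dataclasses import dataclass, field
import itertools


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Masquerader:
    """Toy stateful NAT: one public address shared by many dialup users."""
    public_ip: str
    # public port -> the private-side flow that port was allocated for
    table: dict = field(default_factory=dict)
    # ephemeral public ports handed out to outbound connections
    ports: itertools.count = field(default_factory=lambda: itertools.count(1024))

    def outbound(self, flow: Flow) -> Flow:
        """Rewrite a packet leaving the private side and remember the mapping."""
        for pub_port, private in self.table.items():
            if private == flow:
                break
        else:
            pub_port = next(self.ports)
            self.table[pub_port] = flow
        return Flow(flow.proto, self.public_ip, pub_port, flow.dst, flow.dport)

    def inbound(self, flow: Flow):
        """Return the private-side flow a packet belongs to, or None to drop it."""
        private = self.table.get(flow.dport)
        if private is None:
            return None  # unsolicited: nobody inside asked for this
        if (private.proto, private.dst, private.dport) != (flow.proto, flow.src, flow.sport):
            return None  # port is in use, but for a different remote peer
        return Flow(flow.proto, flow.src, flow.sport, private.src, private.sport)


if __name__ == "__main__":
    nat = Masquerader("192.0.2.1")
    out = nat.outbound(Flow("tcp", "10.0.0.5", 40000, "198.51.100.7", 80))
    print("reply  ->", nat.inbound(Flow("tcp", "198.51.100.7", 80, "192.0.2.1", out.sport)))
    print("probe  ->", nat.inbound(Flow("tcp", "203.0.113.9", 2345, "192.0.2.1", 135)))
```

The unsolicited probe to port 135 finds no table entry and is dropped, which is the "extra measure of security" the post describes; a remote host that has been handed an established connection can still reach the dialup machine through it.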
Welcome to the net of 1000 lies. Upgrades are scheduled soon that should bring us to the 10,000 lies mark.
While I agree with you, the ISP has nothing to do with the packets, either. They provide a mail server, and maybe a news server. They lease the ports for people to dialup with from a large data services provider, and do the accounting. That's it.
I used to work for a large ISP, and that's all they did. Accounting.