Slashdot Mirror
Should ISPs Be The Little Man's Firewall?
Anonymous Coward writes "In a paper published today, the point is made that ISPs should filter some ports (e.g. 135) for good. I guess given what everyone sees hitting their various firewalls these days, this may make sense. But wasn't the Internet supposed to be 'open' at one point? Or are we to the point where Internet=Web (and maybe AIM). The author of the paper is operating DShield and I guess has some insight into this issue. He made the same points before on various mailing lists."
And not something you get by default and then have to opt-out of - something you get offered and must opt-into. I don't care if port X of all the clueless people's machines get abused, if I want to use port X, I'm going to.
...Also, I didn't know Buggalo could fly.
I don't want them filtering anything for me thank you. I can take care of myself. Next thing they'll be stripping attachments off of email and blocking content. Let internet Darwinism take it's course, only the strong will survive,a nd when all these people get tired of the insecure crap that windows is, maybe, just maybe they'll vote with their dollars to not support MS anymore.
If my ISP gave me a slick web interface that allowed me to open or block ports specific to when I connect, I'd be all for it. Set the defaults to block things, to protect against worms and the like, but if I want those ports open to do something, it should be easy for me to open them. I think that's the perfect middle ground. People who don't know (or care) will be protected. Those who care can easily do whatever they want. The ISP just has to make it clear where the options are.
Blocking all other ports will just mean worms and virii will have a permanent effect. Each wave of them will kill off a port. When we run out of ports (because something will be written for each one) then the internet must shut down. Some redundant system.
Karma: Excellent^(-t/Tau), Tau=Wittiness/Trollishness
It will give lusers a false sense of security. I happen to travel with my notebook and one of the worst places where I get hit by viruses is not my home ISP or work, but hotel broadband connections in Asia.
If my ISP was protecting me, I would be complacent and I can see myself not updating the scanners / firewall on my notebook and getting hit the next time I went on the road.
The next issue is liability. If an ISP claims to protect and a luser gets infected, they're going to sue (atleast in a north American situation).
While I agree with the point I think that power users should be allowed to call up the ISP (maybe even at initial sign-up) and be allowed to request that the ports remain unblocked. Otherwise, the internet *will* become just the web and AIM for everyone if they like it or not.
/really/ get some extra cash. And those people with residential ISPs (e.g. DSL) will be SOL because arguing with the phone company about what ports are blocked will be totally ineffective -- and since they typically have a monopoly on the lines, there's not much you can do. Remember when shell access was standard? Same deal.
Well, what's going to happen is: The ISPs will eventually block most ports, "'cause most users don't need 'em." and that'll help some people. "Power users" will be able to pay an extra fee to get the ports unblocked - a "setup" or "administration" fee. Probably even a per-month fee, so they can
This will suck for a while. Especially when they block port 22 at first, because they forgot about SSH. Then eventually most things will be re-written to tunnel through port 80, making everything more complicated (multiple servers switching on the same port). And of course, the worms will follow.
The point is, there is a reason these ports exist in the first place -- they allow some flexibility and simplify communications. What they're really saying is "We don't like the way the internet is designed. So we're going to break it. Sucks to be you."
Z.
Actually, there is probably a better way yet: An ISP can block it's ports if it wants to, but it must tell it's users, and there needs to be at least two different ISPs in any market.
Some ISPs could advertise that they block $a, $b, and $c, as a security measure. If the customer doesn't want to think about security, they go with those ISPs. Others could advertise they allow access to the entire net. I would sign up for that, and do my own security.
Of course, for this to work there actually needs to be competition in the ISP realm. Not a given at the moment.
'Sensible' is a curse word.
Blocking egress port 25 ought to be standard for all residential ISPs.
Why should an ISP block a customer from sending an e-mail message through his employer's SMTP server? Why should an ISP block a customer from sending an e-mail message through a subscription SMTP server?
Will I retire or break 10K?
I spend from 10pm last night til 4am on a conference with the worst bandwidth provider in arlington texas because one of my clients was getting his one of his T1 lines bombarded by a ddos attack. The concept of dropping non-source routed packets was foreign to them. I guess the point I'm getting to is, there are some things the guy on the other end of the T1 line can not do for himself. Even if he had the best bridging packet filter in the world between his T1 and his machines, the pipe would still be screwed at the router above him. So yeah, you bet your ass the provider needs to step in when things are happening at their level. And if they are selling T1 lines to people, they should have the kind of talent in place and IDS systems in place to detect attacks and crap of this nature and do something about it.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
- ISPs start blocking ports
- All software uses port 80
- ISPs start using more complex and intrusive filtering that blocks everything that doesn't look like MSIE
- The internet is officially shit
I can't fucking wait.Game... blouses.
Well, I guess the underlying assumption here is that the software using the ports 135, 137, 139, and 445 is broken beyond repair either from the security perspective or then the software is very hard to configure properly (because it seems people accidentally misconfigure it to be open to the entire Internet). Either way, the suggested measure would be an unnecessary limit of free communication for no other reason than a common implementation of certain protocols.
If it is possible for clueless users to accidentally run software that puts their computers at great risk, then I say there is a serious usability problem here. If the software implementation and/or protocols itself are insecure, providing a better implementation/protocol is a step towards better future. Trying to shift the responsibility to ISPs isn't the way to go.
Like hell there isn't.
I like being in charge of my own e-mail server. I don't send or receive a large amount of e-mail, and I'm on DSL so I'm online all the time. Sure, there are hosting companies that will give me full control of the server. They also cost way more per month than I'm interested in spending.
The last thing I need is some punk like you telling me "you don't need that port" and blocking port 25.
Nathan
Then you (as well as your employers) are very short sighted. I could well be using those ports. Many software programs that dynamically allocate ports likely will use some ports you block, and users applications will just fail "randomly". And, of course, your tech support people will deny all knowledge of it. Or, in the case of well known ports such as port 135 mentioned in the original posting, I've actually used port 135 to share entire windows directory structures across the Internet (between a system in Indiana and one in North Carolina). It was slick and very handy, although too few understand how cleanly (and safely) this can be set up and made to work. How can slashdot readers really advocate ISPs blocking the utility of the service we buy because some people who also buy it are too lazy to learn to use it properly?
And how can you demand people to learn computer security if you think it's excessive to require you to opt-out from the isp firewall?
I'm sorry, but you're the one being short-sighted. You obviuosly know what you're talking about when you say you need port 135 open, etc. Now think about users without any knowledge about these things. Think, for instance, a high-school teacher acessing the internet from his house. Why the hell would this person need access to port X Y or Z?
As many have mentioned here, these services should be requested by people who understand what they're doing. For the rest, it just doesn't matter.
It should be up to users to protect themselves, or it should be an OPT-IN value-added service provided by the ISP, even if it costs extra.
I pay for bandwidth, plain and simple. I want every port open for whatever use I so desire, with no blockage from the ISP period.
Some morons at certain ISPs recently decided to block all pings, period, on their broadband networks. I run a small computer consulting business, one of my specialties is ipsec-connected subnet-to-subnet VPNs for small businesses with dynamic IP broadband connections. The scripts that make all this work depend(ed) on being able to ping various places to determine if the internet was up, if the peer host was up, and if the tunnel was up.
Since someone didn't RTFM on stateful packet filtering, and figure out how to safely allow ping traffic while blocking DDOS attacks, all my scripts broke (well, among those home users using those certain ISPs that connected into the office). Who in the seven hells ever thought an ISP would block ping!!! I can see a popular website doing it, but an ISP?!? Across their entire network?!?!? Baka!
Anyway, I had to quickly rewrite the scripts to pull entire webpages down to test connectivity, and dump them into the bit bucket, instead of nice, tiny little ping packets. (Let's see 'em block http) Wastes bandwidth, and less elegant too! wheee!
Cookie-cutter broadband ISPs without the technical knowledge to properly configure their routers are NOT people who I want determining what ports/protocols I can and can't use. I pay for bandwidth. Leave my ports alone!
Styrofoam IS biodegradable, you're just impatient!
However, it is the ISP's job to maintain service quality for the other thousand people served by the same point of presence that you use. It is its job to protect its service from DoS attacks, to ensure that those who don't have a worm are able to use the service.
Therefore, when a worm outbreak borders upon DDoS, it is very likely in the ISPs' best interest to interfere with it. They should do so minimally, because their purpose in so doing is to minimize its effect on their business and responsible network operators -- not to Quixotically defend irresponsible network operators.
At different stages of an outbreak, and depending on the specific behavior of the worm, an ISP's best response may differ. For instance, if a tiny number of customer hosts are infected and are blasting huge amounts of traffic, the best response may simply be to remove them from the network, or block the relevant ports on the proximal router.
If they call and complain, the first-line technical support can read off a prepared statement, which (when boiled down) says basically this: "Your computer was being used for a Federal crime, breaking in to other people's computers. We shut down the network to protect our other customers from this criminal activity. It's possible your computer was infected by a virus that was being used to perpetrate this crime. Because of this possibility, we didn't call the FBI and report you as the source of the criminal activity. It's your responsibility to keep your computer from being used to hurt other people." They can then go on to offer, for a small fee, a CD of licensed antivirus and worm removal software -- or, for a larger fee, a visit from a technician who will run the same. Connectivity is not restored until the system is clean, whether by this means or any other.
In the case of a widespread outbreak, where more than 5-10% of the client systems are infected, it's probably more expedient to just block the ports on the core routers first. Then find a way of enumerating the infected systems and dealing with them, if it's deemed worthwhile.
Of course, any such measure should be announced. Exactly how to announce it I'm not sure, since many ISP users don't use an ISP mail account (and the ISP must not send spam), nor do they read the ISP's local newsgroup or visit the Web page.
In the case of a local ISP, the newspaper is always an option.
How do you know ahead of time what ports people need? Do you buy every online game, to make sure their new implementation of game protocols over UDP works in your system, or do you wait until your users are complaining (and leaving) because you don't have time to keep up, and you're blocking their game? If your ISP suddenly blocked all P2P (which is what your proposal would do), would you move ISP's? If your answer was "yes," why do you think anyone else would stay, and why would anyone in their right mind run an ISP that way?
You may *think* you know what users need. You're probably wrong, though.
And where exactly is the rule written that consumers cannot or should not use port 25?
I guess you don't think we should serve http ports?
And no telnet/ssh either. Remote administration is the kind of thing a consumer doesn't need.
When I pay for my "consumer-level" DSL, I have some expectations that I'm willing to compromise on.
I know the tech-support people will not consider me a priority. I know if they have network problems, they will not work the extra mile to minimize my downtime. I know I cannot talk about "downtime" with them with a straight face, because they don't have those kinds of obligations.
I do expect, however, to be able to send and receive little packets of data every once in a while, at a certain speed, over whatever ports I want. I expect my paltry email packets to be dealt with equally with my fancy packets of video and audio (which certainly cost more bandwidth to my ISP, spam or no spam).
I do expect that my use is not restricted by "whatever is likely" other people need or do.
I agree with you that most users should have port 25 blocked. Actually, I think most BUSINESS users should have port 25 blocked too... a lot of small offices do not need, and do not have, their own email server but were happily sending emails through their business DSL lines due to SoBig.
Let BOTH kinds of users specifically remove that block. Force them to restrict it to a specific email server (or a list) if you want.
If they need it, whether it's a geek or a full IT department, it wouldn't be a problem because they know what they're doing.
But don't assume that a consumer never knows what he's doing, or that a business necessarily has a clue.
Freedom is the freedom to say 2+2=4, everything else follows...
And yet the most common complaint I hear from people is how they paid for lots of bandwidth but they're always the victim of lag and dropped packets. Blocking ports 135-139 would eliminate a substantial amount of the background "noise" that's taking a bite out of your bandwidth.
If someone *needs* to share 135-139 over a public network then they should be using a VPN anyway.
If the approach is "opt-in", any new Internet service in the future is going to be DOA because Joe Clueless is going to download the new apps, find out "they don't work", and isn't going to contact his ISP where the problem is.
The other problem is that any ISP big enough to have a clueless "first line" help desk isn't going to be able to handle "please turn this port on" inquiries from Joe Clueless and will be even less able to handle them from anyone with a clue.
Do we have all the Internet services we're ever going to want?
Sacrificing future technological possibilities just to keep the current Net running properly isn't exactly the sort of thing we want if we want to do interesting and maybe profitable high-tech things.
Port 135 and the most commonly abused other ports there's a case for blocking by default.
Tech Public Policy stuff
If one is on a dialup, it's really handy to be able to go upstream of one's mail client in order to block the multimeg file attachment some spammer or clueless friend thinks I need.
A shell account saved my ass when Sobig.F hit.
Some moron from dsl.net with an infected box hit mine with viral spams by the thousands on top of the rest of the Sobig viral spam I got. Being able to configure my .procmairc file at my provider made it possible for me to shitcan everything with a .scr or .pif before I downloaded it via mail client. Without the shell, my account would have been useless to me for weeks and having my ISP clean it out would probably have cost them hours, i.e. hundreds of bucks worth of sysadmin time. With it, I pretty much took care of myself.
One should not have to run one's own mail server in order to do this. A shell is a good thing even for an ISP in the hands of those who can use it properly.
This doesn't mean that users necessarily need to get one by default, though. Personally, I don't ever intend to get an internet account that doesn' t have one.
Tech Public Policy stuff
There are some exceptions, though - if you're getting a high-volume flood of some sort (DDOS attacks, Slammer worms, ping floods, etc.), it's nice to be able to turn it off at the ISP's end of the wire, because that prevents your bandwidth from getting stepped on by the attackers, while otherwise you might be unable to get any effective work done because 99% of your bandwidth is the attack.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks