Slashdot Mirror
Should ISPs Be The Little Man's Firewall?
Anonymous Coward writes "In a paper published today, the point is made that ISPs should filter some ports (e.g. 135) for good. I guess given what everyone sees hitting their various firewalls these days, this may make sense. But wasn't the Internet supposed to be 'open' at one point? Or are we to the point where Internet=Web (and maybe AIM). The author of the paper is operating DShield and I guess has some insight into this issue. He made the same points before on various mailing lists."
While I agree with the point I think that power users should be allowed to call up the ISP (maybe even at initial sign-up) and be allowed to request that the ports remain unblocked. Otherwise, the internet *will* become just the web and AIM for everyone if they like it or not.
I know for certain that MSN does. I had a friend who found he was unable to use a work SMTP relay and had to resort to using the MSN relay.
As for me, I use Qwest and have found that they will not allow me to keep an open TCP session, meaning my SSH sessions constantly stall.
Calling tech support resulted in an entertaining conversation during which the support guy insisted that if I could "browse my webs" everything was working.
Oh well, time to change ISPs...
This is another case of where techies do not think about things from the customers point of view. Of course most slashdotters will want their ports open - the customers on the other hand dont know what a firewall is, what the implications of their ports are etc - quite frankly they shouldnt need to.
Filter by default - if you need your ports or you want to do your own firewalling then get the "advanced user" account that costs less but requires more responsibility from the user.
If anything this is just an opportunity for ISP's to make another value added service to sell.
with the Internet being so much popular these days, I think that filtering some ports can save a lot of hassle, many people use the Internet just to browse the web, read email and chat, so why not?
On the other hand, ISPs may add an option to get an advanced connection, in which all the ports are open.
my 0.02$
The IT section color scheme sucks.
I am paying for raw internet bandwidth and that is what I expect to get. I will not tollerate any filtering or restrictions on the use of my account.
Any ISP that mandates filtering should also provide significant discounts to their customers as they are no longer providing a full raw feed. Of course, this will never happen as the filtering will increase the ISPs operating cost so the end result will be less service at a higher price.
Block my ports and I move to another ISP. If enough ISPs start blocking ports to the point that I can no longer find one that meets my needs, then I will open my own again because the demand for the small ISP will be back.
Well, as an ISP subscriber who found 135, 445, and others blocked for Blaster, I wasn't happy... I wanted to see how many hits were coming in on those ports, it's not your job to protect me, it's mine.. So although you are doing the idiots a favor I guess, it shouldn't be at the expense of the non-idiots... surely your EULA says nothing about protecting the users, so why? I think my local police department should protect me from computer viruses
This is a great idea. Along with the firewall on my individual machine, I would enjoy a firewall run by the ISP that would allow me to create the rules. That way I am able to block packets that require a lot of bandwidth (i.e. DoS) at the ISP server, so the connection to my ISP doesn't slow because of it.
...but I suppose when TCP/IP was created, noone thought of the Internet as today. There should have been a section of ports dedicated to "LAN software", which by common agreement would be dropped by ISPs.
It would keep a lot of services that aren't supposed to go outside the home where they belong, and if you didn't want that, you could put the service on a "public" port. What is happening now is basicly patchwork by individual ISPs, blocking ports but with little coordination.
I want to have a free Internet where you can use any port you want. But there are also quite a few services that shouldn't be accessible from the Internet too, customer-side firewall or not. Latest and greatest is the Messenger service SPAM. Why would such a service be open to the world? But there's no "private" port you can put it on where only LAN requests come through. Not unless you do IP filtering, but wouldn't it be just as easy to have some port range that you simply know won't be sent to/recieved from by your ISP?
Kjella
Live today, because you never know what tomorrow brings
Sure this starts out helping the net in general and preventing everything from going to hell when the next virus comes out.....but what if the RIAA after some successful lawmaking decides that whatever ports Kazaa is running on are bad/illegal and must be blocked? Or what if program X runs on port Y and whatever group doesn't like it decides to block it? Obviously there are other ways around it....but not everybody knows those. Maybe I'm just being paranoid....but with some of the things that have happened lately, who's to say.
Buy Steampunk Clothing Online!
I disagree. Though it's technically against the contract, my ISP generally looks the other way while I run my own mail server. As long as I keep it secure I don't see what the problem is. And ya know what -- I NEVER get spam. In fact, if everyone ran his or her own mailserver it'd make it a lot harder for spammers. Instead of being able to send 4 billions messages a day to Hotmail and Yahoo they'd have to targer each individual SMTP server.
I had opened the article specifically to make this same comment.
Just like self-administered hosting services have successfully provided "servers for the little man" through virtual hosts and web configuration interfaces, ISPs could provide security for the average joe.
Integrate the UI well with your webmail (spam-filtering, etc) and other services, and your ISP portal can actually be more useful than as a bandwidth test.
Freedom is the freedom to say 2+2=4, everything else follows...
Are all you pro port blocking people thinking about the fact that the RIAA would use this same concept to try to have ISPs block any ports that they wish? Once it becomes acceptable to block a few ports, it will not stop? Once taboo against blocking is lifted, all it will take is a little money in the right political lacky's pocket. That is the real problem with this. Give inch they will steal a mile.
so what your saying is that everything incoming should be blocked, save port 25, 110 (consumers need not have any other incomnig traffic)
right, so anything (games, aim, random non-standard website) that runs on a non-standard port should be blocked, genius idea. try explaining to joe schmoe why quake 3 wont work correctly because you dont want him to have to update his system, see what response you get (wait for a few minutes for it to sink in, you'll know its sinking in when the blank stare goes away)
and assuming that you will only block a few nominal ports, how long til the unblocked ports become commonly used, and hence exploited ?
if you want a block everything approach then you would be killing usability, if you want a block-minimal approach then you would be applying a band-aid to a much larger issue (issue=morons+script-kiddies).
and yes users do care about usability, otherwise they wouldnt run windows.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
Why not take this a step further by blocking anything that the user did not request in a NAT-like fashion? Broadband router users have been enjoying the security that this provides for ages, and I see no reason why everyone else shouldn't, too.
Security-wise, this would block many worms (both present and future) because they would simply be unable to connect to any system. Besides that, it would also block backdoor trojans like NetBus and BackOrfice because, although they'd still be listening, no one would be able to connect to them and control the user's system.
To address the NAT-type problems that this would create, ISPs could automatically make certain exceptions for port blocks that interfere with popular games and whatnot. For advanced users, there would be a control panel (much like those built into NAT firewalls) where they could unblock any or all of the ports.
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
First, most of my ports are being hit by my ISP.
Second, inevitably ISPs will claim it cost them to open up the rest of the ports, and you WILL get charged for it...
Third, cold day in hell when broadband is competitive to a majority of people in the USA.
I have 2 windows boxes and have yet to get infected. The way I see it, those that get infected eventually die off... Leaving only the fittest of boxen.
I worked at a large web hosting company for many years, so I've dealt with these issues before. Here are my predications.
First, ISP's and web hosting companies are going to increasingly block ports. You can complain all you want about this, but it will definitely happen. 99.9% of the customers only care about SMTP, HTTP, FTP, SSH, TELNET, POP3, and IMAP. I may be missing a couple, but you get the idea. On a percentage basis, there is so little demand for the other ports that I suspect most of the larger ISP's already block a good deal of ports. They are just playing the odds. The only way you will be able to avoid this blocking is by co-locating a machine (which is what I will probably do). Even then, you may have to shop around.
Second, an increasing number of applications will just tunnel through another port. We already see this trend by companies (like www.no-ip.com) that sell the ability to reflect email back into port 25 from another port. This is useful if your ISP blocks outbound port 25 (both AOL and Earthlink do this). This leads to my third predication.
In the future, all traffic will be port 80. I'm being partly facetious with this predication. But it may not be as far-fetched as it seems at first glance.
The best solution is to provied tiered services for residential customers. The default (and bottom) tier is to firewall the bad ports. Those people who want to run basic services (such as web and mail) should be able to sign up for the second tier. This would provide basic firewalling and leave open the ports for web and mail. The third tier would be an open pipe and the end-user claims all responsibility for the use of that pipe. Third tier users would be on their own network separate from tiers 1 and 2 in case their IP ranges get placed onto RTBLs or some such thing.
The common consumer just wants cheap internet access and will pay for the bottom tier and get the benefits of protection. Cocky /.ers would pay for the top tier (probably at a premium) to get what they want. Then they can shoot themselves in the foot.
Forget opting out. What happens when your ISP filters everything except port 80 and MS decides that they need to use the port for their services? How will you filter blaster, or something of it's ilk when it's on port 80? Why do we continue to allow the manufacturers of defective products to get away with producing them without repercussions.
Oh, Wait, MS is already talking about doing RPC over http.
so they can do whatever they want.
C'mon, mod this down as a troll, just so you can prove my point.
I don't think port filtering is the answer for exactly the reasons you mentioned. Better that ISPs completely disable ports by default and provide a mechanism for knowledgeable users to selectively enable ports, with an accompanying waiver clearly stating that security is now solely the user's responsibility. This would protect people who can't or won't update their systems while at the same time allow people who know what they're doing to go about their business. By the same token though, I think the ISP should be able to revoke this right in case things go wrong. Say a supposedly knowledgeable user is infected X times in 12 months; this shows that he does not in fact know what he is doing, and should have the port in question blocked permanently.
the coolest club on
If my ISP wants to filter things such that I cannot run a server from my house, that is okay. I can live with that, since I'm buying residential service and not business access. Uploading is throttled down to 64kbs anyway (I'm on a cable modem), so it would make a shitty server point anyway.
But the first time my ISP limits what I can receive without giving me the option of turning it off will be the last time I use my ISP. Its not their place to determine what is "good" and what is "bad" for me, nor is it their duty to protect me from my own stupidity. Babies who need their hands held and cannot think for themselves can use AOL.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
The ISP is to the user what the backbone provider is to the ISP. The ISP should no more be filtering ports than the backbone provider should be filtering ports. If users not knowing what they're doing is becoming too much of a problem, or is putting other users at too much risk, then the ISP should be doing what we require for cars: users must prove a certain level of knowedge and ability to safely operate a computer/car before they're allowed on the Internet/road.
Unfortunately, this isn't an ideal world. Until people stop whining that, effectively, "Why do I have to know how to drive? I just want to go places in my car!", we may have to live with this.
Let me guess.. iiNet bleater? :)
Really though, why should an ISP provide a shell account when they have webmail? Opera was getting abused by people to get around traffic limitations, just like the new shell.iinet will be. Almost no other ISPs in Australia and pretty much none in the US offer shell accounts. It's not an ISPs core business. If you want a machine you can access remotely, get a permanent connection and set one up yourself.
Yes! Unlike vendors of secure operating systems, Microsoft assumes that every user will need to use every MS networking and file sharing service, and opens up all the insecure ports for it. They need to turn every port OFF by default. There needs to be a nice Windows GUI to turn each service on, with options like this:
Option says: Don't share files (Recommended)
Does this: turns off all SMB-related ports
Option says: Only share files to your own network
Does this: allows SMB ports only to 10/8, 192.168/16, and 172.16/12
Option says: Only share files to certain computers or networks (Advanced users only)
Does this: allows SMB ports only to IP ranges the user specifies
Note that there's no option for "open everything up," since that would tempt lazy or clueless people to use it, and it can already be done in the third option by allowing 0.0.0.0/0. There should be something similar for management things like Remote Registry.
Until Microsoft gets its head out of its ass, we might as well have ISPs use cable/DSL modems with built-in firewalls with a really easy web interface. That way, they can block all ports in and 25 (spam viruses and email worms) and 135 out (MSBlaster) by default, but allow the user to open any of it back up.
In the real world, though, with an insecure dominant OS and ISPs that don't care, we're screwed.
It's an operating system, not a religion.
the cable/dsl modems themselves should have built in firewalls. setup secure by default. if the user wants to reconfigure or disable it, they should be allowed to do so.
#!/
I really can't believe how overcomplicated people are trying to make this, there's a simple solution that looks something like this:
:D
1) Customer dials in to ISP and is port-scanned
--vulnerability found? Go to solution 4.
2) Customer sends mail through ISP's smtp server - a simple scan for virus infection is performed.
--infected? Go to 4.
3) Customer has been connected for multiple of 24 hours and is portscanned
--vulnerability found? Go to 4.
4) All web and mail traffic from/to the customers machine from the ISP is suspended except http/ftp access to designated update and web-virus scanner sites, whenever they try to hit a website they are shown "Your system is infected with blahblahblah, the patch is here and this is the only piece of the internet you're going to see until you install it - once you have you'll be scanned again and the block will be automatically lifted"
Badda-bing, no need to block any ports unless the user is infected, user *knows* when he's infected and user also is led by the hand to the patch. ISP's update their vulnerability-list (a la Norton liveupdate) every day/week, and they slap their own logo/theme on the pages it generates. No more CodeRed/Sircam/SoBig/Nimda/Blaster/*whatever* problems, ever again.
Speaking as a programmer, this is fucking *trivial*, so why all the discussion of blocking people's ports across the board? Seriously, have I overlooked something really dumb in the above, because that to me seems like the ideal/only solution.
The only people who can fix these problems *for good* are the ISPs, and it's painfully easy (see above) for them to do it *without* blocking all the ports I use for dumb games
When you write internet software now, you have to supply port 80 tunnelling so that people behind firewalls can use them. If you close all ports except 80, it does nothing except add a trivial layer of complexity to writing networking code, whether the code is malicious or not.
This is like arguing that instead of locking all doors and windows, all we should brick them all up except for the front door, but leave that one open because we're too lazy/foolish to operate the lock (or, we can't figure out how to make a lock that's easy enough to use).
Bits don't care what port they travel over, and software/viruses can be configured to send/receive them over any open port. What we need are simple locks.
I'm the manager of a small LAN, and i automatically block all incomming and outgoing traffic from spyware sites. even users on the network who are infected with gator don't even have a clue i'm doing this... ignorance is bliss...
i agree that port 25 blocks ARE a pain to end users, it DOES cut down on the sobig attacks, and the dumb ass make money at home by spamming on your dsl /dialup connection. About a month or two ago cox cable blocked port 25 on their cable users, and since then, i've seen ZERO spam attempts from their network. Compare that to rr.com or attbi.com, which i've had to ban their entire network sans the real smtp servers at my firewall because of the massive worm and spam attempts.
Lawyers, MBA's, RIAA? A jedi fears not these things!
As admin at 2 cable headend routers after Blaster arrived the new policy has become blocking of ports 135, 137:139 and 445. We also use transparent squid at those routers and route port 80 through it.
.pif/.scr on detection with the rest passing through a virus scanner, all by default. Those 2 extensions can still be sent via .zip if they are legitimately sending those files.
:)
We will let those ports pass-thru for anyone who requests it, so far a couple of clients have been routed around the squid proxy but nobody has asked to have the other ports opened up.
Instead I think the customers are happier knowing that we've largely eliminated worm outbreaks on these ports and additionally have eliminated messenger spammers as well.
Sorry, but the majority of customers outweighs the minority who may wish to open those ports for some reason, considering a good percentage of clients are clueless on updating Windows and are easy targets it is the best method.
The mail server drops
Essentially we got tired of the cost of cleanup after the outbreaks, the attachment stripping for email was because the AV vendors were hours behind the Sobig.F outbreak.
We don't however block port 80, 25, etc, yet
Telecom New Zealand currently offers its business customers a service that allows the customer to configure their own VFW (Virtual FireWall). Changes made to the config of the customers VFW via a https web server are immediately sent to the firewall (inside the Telecom network). While the customer does not have the ability to change the outgoing NAT address of the VFW most other options one would expect from a firewall sitting in the office are available such as; selecting Src/Dst IP, Protocol, Src/Dst ports etc. Incoming services such as customer managed web servers etc. can be set up by the customer though this does require you to pay for an "extra" Public IP address. The firewall follows state and is designed to support large numbers of unique customer networks with overlapping private address space. All in all its a very sexy thing. Sadly there isn't much technical detail on how the system works but the sales blurb makes for interesting reading. http://www.telecom.co.nz/securebusinessinternet/
I know this is directly counter to what has been previous posted, but I'm sticking by it. I work for a small isp. All our dialups are already filtered. It's outlined in our TOS.
None of our dialup cusomers where hit with blaster. We filter these ports on our dialup for the same reason we filter all incoming email for virii. It's a sensable service, and a good default. Some of our customers request that certain ports be unfiltered, and with few exceptions, we are more than happy to (one exception being outgoing 25, it's our smtp or nothing. We don't abide spammers).
Remember, tech savvy customers will know to request changes, and the unsavvy ones will be best served by being protected. People are sick and tired of people in the know doing nothing to protect them, sick of the virii and the worms, and the spam, the popups and the hassle and the crap. The more of the that you can keep from effecting them, the happier customers you have.
I think ISPs should notify and warn their users if their internet connected computer seems to be infected.
They can link the ip-address with the e-mail address and have these users notified automatically with instructions included how to cure the infection. Most users don't even know that their computers is infected.
If all ISPs notify their customers immediatly in such cases, the alarming rate of spreading will be prevented.
In my opinion it is the ISP's obligation to implement such a scheme: it is simple, cheap and effective. It should therefore become mandatory.
I find in my firewall log (adsl/cable) network blocks with an infection percentage of up to 15%! Which proves my point.
-
hsx
Why don't make that question the next /. poll?
[ ] Yes mam, filter everything!
[ ] Go away, no!
[ ] Filter Windows-ports
[ ] Filter all non Windows-ports
[ ] Help! Cowboy Neal triggers all my Snort-alerts!
Alex.
You look like a million dollars. All green and wrinkled.
I think you are mistaking bandwith glut and oversupply of resources for information technology advancements.
For example most of the countries mentioned have had QoS aware backbones with major ISPs for 7+ years. US still does not have one (I do not count Level3 abuse of diffserv as such. It is too crude). VOIP as a major means of international connectivity has existed for 6+ years. So on so forth.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
I'm seeing a lot of people on here complaining that they want their ports open...but you need to remember that we are not indicative of the "average" user.
Like it or not, the Internet no longer consists entirely of technically inclined people. We are outnumbered by folks who just want to read email and surf the web...and don't even know what SSH is.
The problem is that their ignorance affects the entire Internet community. If a few thousand people get infected with the latest worm and start DDoSing a server, or bogging down the mail relays, everyone is affected - even the technically inclined people who were smart enough not to get infected.
Your average user just wants an appliance, a tool they can use without too much effort. They don't know about ports, and don't want to. Honestly, they shouldn't have to know everything that we do - it isn't their problem. Just as I don't know everything that my Doctor does...they don't need to know everything that their ISP does.
For this average user, I think port blocking would be a godsend. Honestly, there really aren't all that many applications that require incoming connections to your home machine....most of the time it is outgoing. Shut down the ports, protect the "average" user, and then let those who know what they're doing open their ports back up.
yrs,
Ephemeriis
"Work is the curse of the drinking classes." -Oscar Wilde
Apparently you don't understand most firewalls. If your computer makes a connection first, any incoming traffic from the site is allowed regardless of which port it responds. We are talking about blocking incoming unsolitied traffic. Quake 3, AIM, and any non standard website (which only geeks generally go to anyways) will work. Nothing needs to be unblocked. If you have Windows lying around somewhere, installed it, go get ZoneAlarm www.zonealarm.com , and then trying doing Quake 3, AIM and your non standard websites. After allowing your programs to pass through ZoneAlarm, let me know if you have any problems. I bet you won't unless your running servers which most people DON'T.
ahh... here's how I see it... your ISP does not HAVE to offer you service if they don't feel like it... they can cut you off at any moment... of course, they'd have to quit charging you as well... so... a GOOD ISP would offer two options... "WE handle the security OUR WAY" or "YOU handle it YOUR WAY"... if you choose the 2nd one they port scan you during your idle times, compare those scans to un-protected systems, and they can cut your service if you are running an unprotected PC because it is THIER NETWORK and they don't want to run the risk of viruses and worms overwhelming THIER NETWORK... THAT IS THIER RIGHT... and that is how I would run my network... you order protected (filter4ed/firewalled) service, you pay a couple bucks more, but you don't need to run a firewall... you order open service, you'd BETTER run a firewall that blocks any and all ports you aren't going to use; or we'll close your account, and you won't be opening one with us again... if every ISP did this, people would either learn about security and let the ISP do it, learn about security and do it themselves, or eventually (and rapidly) be forced off the internet.
I mean, come on... the bandwidth is there in the US for EVERYONE to have a broadband connection... and a damned fast one at that, cheap... it's just that most dialup ISP users (and quite a few broadband users) are infected with so many goddamned vir(ii/uses) that bandwidth use is on average twice what it would be otherwise!
Argue with me... my karma is so shitty I could only reply once... or mod me up and help fix my karma... if you enjoyed this post and have mod points, please mod me up... there's much more where this came from... THANK YOU!
Error 666 - Satanic SCO code found in your Linux kernel.
thank you for your response and advice.
/. for 6 hours straight already today... and this is my 2nd post... just finished reading the articles and posts associated with them (mind you, i only read the one that were of interest to me)... if i took the time to formulate my thoughts as you said above (and I know i should have), my session here today would have taken another hour of my life...
/. and i'm sure some ov those people get mod points from time to time)...
the main problem i seem to be having is that, when I make an attempt at a beowulf cluster joke or an overlords joke (yes, I know they are lame now, but still amusing if included with an actual post), i get modded as a troll... the remainder of my posts have either been passed over by those with mod points, or were modded +1 funny, informative, or interresting...
problem is, now I can only post twice in 24hours and, as such, am almost afraid to waste one of my 2 daily posts... unless i feel very strongly about something (such as this article), i'm not likely to post anythig anymore... and if i feel strongly enough to post, i am likely not going to be able to formulate my thoughts that clearly and be able to still make the post and have time to continue reading all the day's articles and still have a productive day... example - i've been sitting here on
if I could make more than 2 posts a day, i'd more likely make shorter posts... just more of them, attatched to other posts where they would be more relevant...
does Karma time out after a while? will my karma get better if i simply lay off the beowulf clusters and overlord jokes long enough?? and conversely, will someone karma slowly DROP back to none if they have good or excelent karma and don't have any posts modded up for awhile? for fairness, that should be the case... first, it would shut me up for a bit... second, it would protect people who are unfarily modded down (i've seen it before... people have foes on
I know this post is OT... moderation is not needed... and those who would consider modding this post down need to read it again.
thank you for your time
Error 666 - Satanic SCO code found in your Linux kernel.