Should ISPs Be The Little Man's Firewall?
Anonymous Coward writes "In a paper published today, the point is made that ISPs should filter some ports (e.g. 135) for good. I guess given what everyone sees hitting their various firewalls these days, this may make sense. But wasn't the Internet supposed to be 'open' at one point? Or are we to the point where Internet=Web (and maybe AIM)? The author of the paper is operating DShield and I guess has some insight into this issue. He made the same points before on various mailing lists."
While I agree with the point, I think that power users should be allowed to call up the ISP (maybe even at initial sign-up) and be allowed to request that the ports remain unblocked. Otherwise, the internet *will* become just the web and AIM for everyone, whether they like it or not.
This is another case where techies do not think about things from the customer's point of view. Of course most slashdotters will want their ports open; the customers, on the other hand, don't know what a firewall is, what the implications of their open ports are, etc. Quite frankly, they shouldn't need to.
Filter by default. If you need your ports or you want to do your own firewalling, then get the "advanced user" account that costs less but requires more responsibility from the user.
If anything, this is just an opportunity for ISPs to make another value-added service to sell.
I am paying for raw internet bandwidth and that is what I expect to get. I will not tolerate any filtering or restrictions on the use of my account.
Any ISP that mandates filtering should also provide significant discounts to their customers as they are no longer providing a full raw feed. Of course, this will never happen as the filtering will increase the ISPs operating cost so the end result will be less service at a higher price.
Block my ports and I move to another ISP. If enough ISPs start blocking ports to the point that I can no longer find one that meets my needs, then I will open my own again because the demand for the small ISP will be back.
I had opened the article specifically to make this same comment.
Just like self-administered hosting services have successfully provided "servers for the little man" through virtual hosts and web configuration interfaces, ISPs could provide security for the average Joe.
Integrate the UI well with your webmail (spam-filtering, etc) and other services, and your ISP portal can actually be more useful than as a bandwidth test.
Freedom is the freedom to say 2+2=4, everything else follows...
Why not take this a step further by blocking anything that the user did not request in a NAT-like fashion? Broadband router users have been enjoying the security that this provides for ages, and I see no reason why everyone else shouldn't, too.
Security-wise, this would block many worms (both present and future) because they would simply be unable to connect to any system. Besides that, it would also block backdoor trojans like NetBus and Back Orifice because, although they'd still be listening, no one would be able to connect to them and control the user's system.
To address the NAT-type problems that this would create, ISPs could automatically make certain exceptions for port blocks that interfere with popular games and whatnot. For advanced users, there would be a control panel (much like those built into NAT firewalls) where they could unblock any or all of the ports.
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
First, most of my ports are being hit by my ISP.
Second, inevitably ISPs will claim it costs them to open up the rest of the ports, and you WILL get charged for it...
Third, it will be a cold day in hell when broadband is competitive for a majority of people in the USA.
I have 2 windows boxes and have yet to get infected. The way I see it, those that get infected eventually die off... Leaving only the fittest of boxen.
Let me guess.. iiNet bleater? :)
Really though, why should an ISP provide a shell account when they have webmail? Opera was getting abused by people to get around traffic limitations, just like the new shell.iinet will be. Almost no other ISPs in Australia and pretty much none in the US offer shell accounts. It's not an ISP's core business. If you want a machine you can access remotely, get a permanent connection and set one up yourself.
The cable/DSL modems themselves should have built-in firewalls, set up secure by default. If the user wants to reconfigure or disable it, they should be allowed to do so.
Telecom New Zealand currently offers its business customers a service that allows the customer to configure their own VFW (Virtual FireWall). Changes made to the config of the customer's VFW via an https web server are immediately sent to the firewall (inside the Telecom network). While the customer does not have the ability to change the outgoing NAT address of the VFW, most other options one would expect from a firewall sitting in the office are available, such as selecting Src/Dst IP, Protocol, Src/Dst ports, etc. Incoming services such as customer-managed web servers can be set up by the customer, though this does require you to pay for an "extra" public IP address. The firewall follows state and is designed to support large numbers of unique customer networks with overlapping private address space. All in all it's a very sexy thing. Sadly there isn't much technical detail on how the system works, but the sales blurb makes for interesting reading. http://www.telecom.co.nz/securebusinessinternet/
Apparently you don't understand most firewalls. If your computer makes a connection first, any incoming traffic from the site is allowed regardless of which port it responds on. We are talking about blocking incoming unsolicited traffic. Quake 3, AIM, and any non-standard website (which only geeks generally go to anyway) will work. Nothing needs to be unblocked. If you have Windows lying around somewhere, install it, go get ZoneAlarm (www.zonealarm.com), and then try doing Quake 3, AIM and your non-standard websites. After allowing your programs to pass through ZoneAlarm, let me know if you have any problems. I bet you won't unless you're running servers, which most people DON'T.
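The "block unsolicited inbound, let replies through" model that the NAT-like proposal and the ZoneAlarm reply above both describe is easy to see in a small connection-tracking simulation. This is an added example, not code from the paper, DShield, any ISP or a commenter; the hosts, ports and the trace are constructed, and the per-subscriber opened-port set stands in for the opt-out "control panel" the thread asks for.

```python
from typing import Dict, Iterable, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


class StatefulFilter:
    """Default-deny for unsolicited inbound traffic, the way a home NAT router behaves.

    Flows the subscriber's host opens are recorded in a state table, and their
    replies are let back in on whatever port they arrive. Inbound packets that
    match no known flow are dropped unless the subscriber explicitly opened
    that port (the hypothetical power-user opt-out).
    """

    def __init__(self, opened_ports: Iterable[int] = ()):
        self.opened: Set[int] = set(opened_ports)  # ports the subscriber unblocked
        self.state: Set[Flow] = set()              # flows started from the inside

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> str:
        self.state.add((src, sport, dst, dport))   # remember the 4-tuple for the reply
        return "allow"

    def inbound(self, src: str, sport: int, dst: str, dport: int) -> str:
        # Reply to a flow the inside host started: allowed regardless of port.
        if (dst, dport, src, sport) in self.state:
            return "allow"
        # Unsolicited inbound: allowed only if the subscriber opened the port.
        return "allow" if dport in self.opened else "drop"


def run_trace(opened_ports: Iterable[int] = ()) -> Dict[str, str]:
    """Replay a constructed traffic trace through the filter; returns the decision per step."""
    fw = StatefulFilter(opened_ports)
    me, web, game, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7", "192.0.2.66"
    return {
        # Web browsing: our connection goes out first, so the server's answer is solicited.
        "web out": fw.outbound(me, 40001, web, 80),
        "web reply": fw.inbound(web, 80, me, 40001),
        # Quake 3 style UDP: the client talks first, so the game server's replies get in.
        "game out": fw.outbound(me, 27960, game, 27960),
        "game reply": fw.inbound(game, 27960, me, 27960),
        # Worm probing port 135: nobody inside asked for it, so it is dropped.
        "worm 135": fw.inbound(attacker, 3000, me, 135),
        # NetBus backdoor listening on its default port 12345: the controller cannot reach it.
        "netbus 12345": fw.inbound(attacker, 3001, me, 12345),
        # Subscriber-run SSH server: reachable only if port 22 was opened in the control panel.
        "ssh 22": fw.inbound(attacker, 3002, me, 22),
    }
```

Running `run_trace()` shows the default-deny profile; `run_trace({22})` shows the same trace for a power user who unblocked one port, with the worm and backdoor probes still dropped.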