Slashdot Mirror


Should ISPs Be The Little Man's Firewall?

Anonymous Coward writes "In a paper published today, the point is made that ISPs should filter some ports (e.g. 135) for good. I guess given what everyone sees hitting their various firewalls these days, this may make sense. But wasn't the Internet supposed to be 'open' at one point? Or are we to the point where Internet=Web (and maybe AIM). The author of the paper is operating DShield and I guess has some insight into this issue. He made the same points before on various mailing lists."

133 of 790 comments

  1. At MOST it should be optional... by still_sick · · Score: 5, Insightful

    And not something you get by default and then have to opt-out of - something you get offered and must opt-into. I don't care if port X of all the clueless people's machines get abused, if I want to use port X, I'm going to.

    --
    ...Also, I didn't know Buggalo could fly.
    1. Re:At MOST it should be optional... by Anonymous Coward · · Score: 2, Funny

      I agree. My university ISP blocks all the ports (a complete stealth firewall) and it pisses me off to no end, because I can't use eDonkey or Direct Connect. Do you know how expensive porn has gotten??

    2. Re:At MOST it should be optional... by GreyPoopon · · Score: 5, Insightful
      And not something you get by default and then have to opt-out of - something you get offered and must opt-into. I don't care if port X of all the clueless people's machines get abused, if I want to use port X, I'm going to.

      I'm not sure if I agree with myself, but shouldn't it be opt-in by default, and presumably the people with a clue will know how to opt out? After all, the clueless in the world won't even figure out that they SHOULD opt in. Since the infected machines of the clueless mess up the internet experience for pretty much everyone, this makes sense to me. Of course, there should be some prominent notification so that those of us who know what we are doing can opt-out if we so choose.

      --

      GreyPoopon
      --
      Why is it I can write insightful comments but can't come up with a clever signature?

    3. Re:At MOST it should be optional... by Anonymous Coward · · Score: 5, Insightful

      Agreed. I left my old ISP (a small regional one in country Queensland, Australia) because they kept blocking ports bit by bit, based on traffic. If I started using ssh heavily, they'd block it "in case it was abuse" to try protecting me, and I'd need to call them to get the block removed. Wouldn't matter what the protocol; one by one more and more were closed.

      The only ones that weren't regularly blocked like that were web, ftp and mail to their servers.

      As soon as one of the larger ISPs started operating here I switched over, and the dodgy blocking one had a huge sob story in the local paper about small businesses being forced out by large corporations. More like small businesses who have no clue what users want.

    4. Re:At MOST it should be optional... by SKPhoton · · Score: 3, Insightful

      For us, that may be the best idea. But the majority of computer users are not savvy enough to keep up with keeping their firewalls up to date. At most, they'll install ZoneAlarm.

      My university not only blocks certain ports from the internet, such as the DCOM ports, but also blocks them across subnets so it even keeps worms from spreading across our network. Is this useful? Absolutely. On the other hand, last year they tried to block IRC traffic by simply blocking port 6667. They wound up lifting the ban after many people started ssh tunneling out and getting access anyways. Like you said, if we want to use port X, we will.

    5. Re:At MOST it should be optional... by chill · · Score: 4, Informative

      I disagree. It should be OPT-OUT. The idea is to protect the clueless, and the rest of the net FROM the clueless.

      If you know anything about opening a port, then you are ahead of 99% of those connected, and know what you are doing. Thus, you can opt out.

      This wouldn't prevent you from using blocked ports.

      It would be, by far, less of an inconvenience than the shit that goes on now with everything wide open.

      --
      Learning HOW to think is more important than learning WHAT to think.
    6. Re:At MOST it should be optional... by RodgerDodger · · Score: 5, Insightful

      No.

      Just like an operating system, a connection service should be "secure by default".

      99% of the users in this world have no need for open ports. When they do, they can mostly accept that opening those ports poses risks, and they can be educated on the risks.

      (Now, if an ISP was to charge you more for opening those ports, that would be different; a one-off administration fee, maybe, but that's it)

      --
      "Software is too expensive to build cheaply"
    7. Re:At MOST it should be optional... by lafiel · · Score: 4, Insightful
      but shouldn't it be opt-in by default

      You're absolutely correct. Just look at the way email filtering works. Spam filters are (by default) turned on, so this could follow suit. You can always opt-out of this service, and get the full email-experience. But you don't see mass complaints about how our email rights are being restricted by the ISP.

      And of course, you can opt-out of email filtering. So is port blocking really such a big deal? Just opt-out and make sure it doesn't cost any extra. Hell, filtering from my previous ISP actually costs more. Make port blocking a "feature" of the ISP, charge a buck or more, and save the commoner from having to learn about updating computer systems. Win-win.

    8. Re:At MOST it should be optional... by irc.goatse.cx+troll · · Score: 3, Insightful

      That's not security, that's removing a feature. If you want 'secure by default' try filtering out all connections from Windows machines -- that's also secure by removing features, just to a greater extent.
      Filtering ports is just another step on the path to 'ISP' meaning a direct connection to the email they want you to see, the webpages their proxy allows, and the IM they want you to have. I'd much rather they just provide the service and let what's done with it be up to the users.

      As for fixing the 'current state' -- let users control firewall rules concerning their line. If someone's being packeted with SYNs from random sources with a static dest port of 113, they should be able to make their ISP drop all of them.

      People don't realise that when an ISP filters a port, it's NOT optional. You can call and complain all you like; good luck even finding someone who understands what you're complaining about, let alone having it enabled for you.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    9. Re:At MOST it should be optional... by perlchild · · Score: 5, Informative

      Err, can we clarify this?
      If everyone is subscribed by default, it's opt-out.
      Opt-in means you don't have it until you ask.
      The word you mean is opt, not opt-in, not opt-out. You opt to get the service in opt-in. And you opt out of the service in opt-out.
      Spam right now is "opt-out": you get it until you sue the spammer. Software development mailing lists are opt-in: you have to confirm you want it before they give it to you.

      And another thing: knowing the profit margins of local ISPs, don't expect firewalling to be free. That's kinda good if they make it an "option", say $1-2/month/IP protected. That would make some larger providers happy too; they want you to pay more the more machines you have. (NAT, of course, covers that, but that is a firewall function, isn't it?)

    10. Re:At MOST it should be optional... by 1lus10n · · Score: 3, Insightful

      I disagree.

      If you set it up so that everyone is behind a big firewall in the sky (which is what this would be) then what you end up with is ISPs saying "why do you want to opt-out?" Or that you can't opt-out at all and you get stuck with their shitty firewall rules. You might also run into a problem where they will put you on this shitty little subnet with slower speeds/connection issues if you do opt out.

      By saying it should be opt-out (in by default) you put more power into the ISPs' hands. And I'm sorry, I already have enough issues with my ISP; the last thing I want to see is Time Warner blocking port 53 incoming, or some other such cruft. (*cough* blocking MSN *cough*)

      --
      "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
    11. Re:At MOST it should be optional... by gclef · · Score: 3, Funny

      Okay, so you're telling me that 99% of the users in the world have no need for p2p, some online chat features, online games, and a few other things I'm too lazy to look up? (all of these require incoming ports to be opened on the client, in case it wasn't obvious.)

      As they say on the mailing lists: I encourage my competitors to run their networks this way.

    12. Re:At MOST it should be optional... by 1lus10n · · Score: 4, Insightful

      That's assuming people are using Windows Update. I am not, a lot of my friends are not. I would rather not relive the umpteen experiences I have had over the past few years with ISP people staring at me like I'm insane when I tell them I don't own anything Windows or Mac related.

      This isn't even touching the fact that the ISPs would then view anyone not running Windows or Mac as a security risk and would refuse to open the ports until we run a "standard OS".

      Thanks, I'd rather avoid that problem. The ISP's job is to run the damn line to my house and make sure their routing tables, mail, DNS etc. are working correctly, nothing more, nothing less.

      --
      "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
    13. Re:At MOST it should be optional... by Large+Green+Mallard · · Score: 3, Interesting

      Let me guess.. iiNet bleater? :)

      Really though, why should an ISP provide a shell account when they have webmail? Opera was getting abused by people to get around traffic limitations, just like the new shell.iinet will be. Almost no other ISPs in Australia and pretty much none in the US offer shell accounts. It's not an ISP's core business. If you want a machine you can access remotely, get a permanent connection and set one up yourself.

    14. Re:At MOST it should be optional... by swillden · · Score: 2, Funny

      99% of the users in this world have no need for open ports.

      Damned straight! 99% of the users in this world should have ALL ports closed, inbound *and* outbound. Get them lusers offa my Internet. I'm willing to let them have a NATed IP address, but them open ports gotta go. Especially port 25. And 80. I might let 'em keep 21, but NO 20, and no PASV crap, either [cackles maniacally].

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    15. Re:At MOST it should be optional... by Tripster · · Score: 2, Interesting

      As admin at 2 cable headend routers, after Blaster arrived the new policy has become blocking of ports 135, 137:139 and 445. We also use transparent squid at those routers and route port 80 through it.

      We will let those ports pass-thru for anyone who requests it; so far a couple of clients have been routed around the squid proxy but nobody has asked to have the other ports opened up.

      Instead I think the customers are happier knowing that we've largely eliminated worm outbreaks on these ports and additionally have eliminated messenger spammers as well.

      Sorry, but the majority of customers outweighs the minority who may wish to open those ports for some reason. Considering a good percentage of clients are clueless about updating Windows and are easy targets, it is the best method.

      The mail server drops .pif/.scr on detection with the rest passing through a virus scanner, all by default. Those 2 extensions can still be sent via .zip if they are legitimately sending those files.

      Essentially we got tired of the cost of cleanup after the outbreaks; the attachment stripping for email was because the AV vendors were hours behind the Sobig.F outbreak.

      We don't however block port 80, 25, etc, yet :)

    16. Re:At MOST it should be optional... by Reziac · · Score: 2, Insightful

      I agree that ISP-level port blocking should be purely opt-in, thus:

      Every time a new user signs up, they should be offered a free port-blocking service, with a list of ports and what they're used for that is worded so anyone can figure it out.

      Would it be feasible to set this up so the user can check off those ports they want blocked? Or at least offer a "common ports to block" and have them use a different access point depending on their desired setup? I'd think the paranoid would be willing to pay a buck or two extra for such a service.

      I don't know how practical it would be, so feel free to tell me why no sane ISP would go for it :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    17. Re:At MOST it should be optional... by TCM · · Score: 2, Insightful

      everything incoming should be blocked, save port 25, 110 (consumers need not have any other incoming traffic)

      Most "consumers" don't need their own SMTP or POP3 _servers_ reachable from outside. Don't confuse source and destination ports. If you meant incoming traffic from an SMTP or POP3 server, then you forgot to include port 80, port 22, port 27015, port ..

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    18. Re:At MOST it should be optional... by arivanov · · Score: 3, Informative

      Not anything.

      135, 136, 137, 445, 31337 in any direction, 25 and 119 incoming, and other l33t ports. It has been a common practice in many countries to block them off for 7+ years. Off the top of my head I can think of at least 3 big Bulgarian ISPs, 1 Russian, 3 Dutch, 1 UK, 2 German, so on so forth, that have been doing this for years. These are the ones I know and there are many more out there.

      Also note that the port list deals only with ports related to l33t script kdd10tz behaviour and SPAM. Ssh, ftp, http, which are commonly prohibited by US ISPs, are not there.

      Also, I have not heard about any of their customers complaining despite the fact that it is not even opt-out. It is so old that it was implemented in the days when you could not choose an ACL via radius, so it is a fixed access list on all interfaces. And I think it should be.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    19. Re:At MOST it should be optional... by 1lus10n · · Score: 2, Insightful

      Firstly, do not compare driving to the internet. You are talking about publicly funded, US government owned property when you are talking about driving. There is no surcharge to drive on most roads.

      The internet is mostly privately owned, and as such can police itself on a company by company basis; the American (hypocrisy) gov't has no place or right to attempt to control or police the internet.

      Secondly, there are actually very few safeguards in place to protect me from assholes who drive; there are however punishments for them if they break the law. And driving has been a common practice for 60+ years. 60 years ago there were no speed limits, or stop lights etc. ..... That came after problems arose, and it did not interfere with usage, it actually helped. Filtering the internet won't help despite what you (dense) people seem to think. Filtering the internet is the first step towards allowing people to control what you can and cannot see, do etc. .... and I am not going down that slippery slope. You trust gov'ts and private companies at your own peril. Do not hinder me to protect complete morons and lazy assholes.

      My terms of service say nothing about them having the right to block content regardless of what it is or where it is located; if they do I will sue.

      I would also point out that nothing in this world is safe: driving, using computers, walking in the woods. They are all dangerous, and you wanting to make the internet some sanitary utopia is foolish and short sighted.

      --
      "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
    20. Re:At MOST it should be optional... by lokedhs · · Score: 4, Informative
      You can add one Swedish provider that also blocks all incoming traffic until you opt-out (which involves signing a document relieving them from any responsibility if your machine is cracked).

      Oh, and by the way: Even before I opted out of their firewall, I could play pretty much all online games (but not host). So I suppose very few people will even notice they have the firewall.

    21. Re:At MOST it should be optional... by arivanov · · Score: 2, Interesting

      I think you are mistaking bandwidth glut and oversupply of resources for information technology advancements.

      For example most of the countries mentioned have had QoS aware backbones with major ISPs for 7+ years. US still does not have one (I do not count Level3 abuse of diffserv as such. It is too crude). VOIP as a major means of international connectivity has existed for 6+ years. So on so forth.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    22. Re:At MOST it should be optional... by rabbit994 · · Score: 3, Interesting

      Apparently you don't understand most firewalls. If your computer makes a connection first, any incoming traffic from the site is allowed regardless of which port it responds on. We are talking about blocking incoming unsolicited traffic. Quake 3, AIM, and any non-standard website (which only geeks generally go to anyway) will work. Nothing needs to be unblocked. If you have Windows lying around somewhere, install it, go get ZoneAlarm www.zonealarm.com, and then try doing Quake 3, AIM and your non-standard websites. After allowing your programs to pass through ZoneAlarm, let me know if you have any problems. I bet you won't unless you're running servers, which most people DON'T.
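rabbit994's point above is the stateful-filter rule: egress is always allowed and remembered, and ingress is accepted only when it belongs to a flow the customer already opened, so a reply comes back on whatever port the remote side answers from, while unsolicited probes (and, as lokedhs notes further up, anyone trying to join a game the customer would host) are dropped. The following Python is an added example, not code from the thread or from ZoneAlarm or any ISP; the 198.51.100.0/24 customer block and the host addresses are constructed documentation addresses, and the filter keys flows on the 5-tuple as a simplification of real connection tracking.

```python
"""Stateful 'allow what the customer started' filter (constructed example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumption: the ISP's customer address block. 198.51.100.0/24 is a
# documentation prefix chosen purely for illustration.
CUSTOMER_PREFIX = "198.51.100."

# proto, customer ip, customer port, remote ip, remote port
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def from_customer(p: Packet) -> bool:
    """True when the packet is leaving a customer line (egress)."""
    return p.src.startswith(CUSTOMER_PREFIX)


def flow_key(p: Packet) -> FlowKey:
    """Orient a packet from the customer's side so that the reply to an
    outbound packet maps to exactly the same key."""
    if from_customer(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFilter:
    """Egress is accepted and remembered; ingress is accepted only when it
    belongs to a flow the customer already opened."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    def decide(self, p: Packet) -> str:
        key = flow_key(p)
        if from_customer(p):
            self.flows.add(key)   # customer spoke first: remember the flow
            return "ACCEPT"
        if key in self.flows:
            return "ACCEPT"       # reply to something the customer started
        return "DROP"             # unsolicited inbound: nobody asked for this


def demo() -> List[str]:
    """Run a constructed packet trace through the filter and return the verdicts."""
    cust = "198.51.100.7"
    web, game, stranger = "203.0.113.10", "203.0.113.20", "192.0.2.99"  # constructed hosts
    trace = [
        Packet("tcp", cust, 51000, web, 8080),        # customer opens a non-standard website
        Packet("tcp", web, 8080, cust, 51000),        # the site's reply: part of that flow
        Packet("tcp", stranger, 4444, cust, 445),     # unsolicited probe of SMB from outside
        Packet("udp", cust, 27960, game, 27960),      # customer joins a game server
        Packet("udp", game, 27960, cust, 27960),      # the server's updates come back
        Packet("udp", stranger, 27960, cust, 27960),  # a new peer joining a game the
                                                      # customer would *host*: unsolicited
    ]
    f = StatefulFilter()
    return [f.decide(p) for p in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third and sixth packets are the only ones dropped: a probe of port 445 nobody asked for, and an inbound game connection the customer never initiated. Everything else, including the reply from the non-standard web port, passes because the matching outbound packet was seen first.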

  2. The ISP I work for... by Beatbyte · · Score: 5, Informative

    relies on me to find the latest virii/worms that are going to pound the bandwidth, get their port numbers, and set up ACLs accordingly. Not only do the customers like it, it gives us more time to patch our hundreds of machines, and decreases our incoming bandwidth.

    Overall, I help stop another hundred thousand or so Win32 users from pounding the net to death. I don't see how anyone could see this as a bad thing. (welcome input)

    1. Re:The ISP I work for... by TheLittleJetson · · Score: 2, Insightful

      Opt-out is really the key... I use cox.net cable modem service. My port 80 (listen) has been blocked for a year or so now thanks to Code Red, Code Red 2, and other IIS worms. I run Apache on a Mac, which is not vulnerable to these worms. So why should I be punished? (I can't opt-out because technically I shouldn't have *any* listening ports without upgrading to a home-business connection plan... but I'm good! :-P)

    2. Re:The ISP I work for... by zenyu · · Score: 2, Insightful

      Overall, I help stop another hundred thousand or so Win32 users from pounding the net to death. I don't see how anyone could see this as a bad thing. (welcome input)

      I would like my ISP to provide firewall services, but not in such an automated manner. Or, rather, there should be a web interface like my ISP has for reverse-dns. There should be a checkbox for unfiltered, for autofiltering by ISP with or without notification of filter rule changes, and some way to block/unblock common things yourself by name with autofiltering on or off. This way if I have a locked down machine I can select unfiltered and not worry about strange IP failures, I can select autofilter for my windows machines with holes poked for what I use, and I can select autofilter with additional things like Kazaa blocked for my Wifi...
      And, of course, this should be on a per IP basis.

      By default the ISP could check 'autofilter without notification' for Mom & Pop, and tell anyone that asks about the "customer satisfaction" interface on your web page. I can certainly set up filtering myself, but I would prefer it was done for me so I don't have to have a machine on all the time and so that I don't personally have to block the latest Windows worm. Right now I have some filter rules in the DSL router, but the interface is a PITA, and it doesn't have the ability to block Kazaa but not something useful like passive FTP, like a more sophisticated stateful filter at the ISP could.

  3. absolutely not... by z-kungfu · · Score: 4, Insightful

    I don't want them filtering anything for me thank you. I can take care of myself. Next thing they'll be stripping attachments off of email and blocking content. Let internet Darwinism take its course; only the strong will survive, and when all these people get tired of the insecure crap that Windows is, maybe, just maybe, they'll vote with their dollars to not support MS anymore.

    1. Re:absolutely not... by ralphus · · Score: 4, Informative
      The problem with your argument is that it doesn't apply in this environment. The general public will use one OS, Windows. The general public won't give a damn about securing their system. The general public will have unsecured systems. The general public is therefore a large scale problem that will make it possible to exploit a large number of systems with common vulnerabilities, and once they start doing damage, they can have a large scale detrimental effect on the net as a whole, even to those who have protected their machines against the vulnerabilities.

      Case in point: I was not affected at all by Sobig.F directly, however I did see my mail gateways come under incredible load, my IDSs fill DBs with Sobig warnings, my users encounter endless confusion at bouncebacks from dumb virus scanners that claim we are infected since Sobig is an SMTP forger. Sobig wasted a lot of my resources and time even though it didn't infect a single one of my 1700+ users. It was rather benign though; I'm afraid of what comes next.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    2. Re:absolutely not... by Arker · · Score: 2, Insightful

      But the general public is not quite so stupid as you make them out to be either. After these folks get hit once, they start to care. They can fix the problem quite simply, with a $50 hardware firewall/NAT router they should probably have anyway, or a free software firewall like Kerio. All the ISPs really need to do is a little education.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    3. Re:absolutely not... by ralphus · · Score: 4, Insightful
      I'm not saying they are stupid. They just aren't informed and probably don't care to be like I do. That isn't a bad thing. Some want a Turing machine, others want an appliance. For example I'm not stupid but I have no idea, and I don't care to have an idea, on how to write a contract that will stand up in court, so I have to get a proxy to do it for me who is an ABA certified expert.

      I do know that I can find the proxy in this case, and how to find them. Still I think, getting a firewall and plugging it in or installing it can be a difficult concept for the general computing public to get today. I hope that changes, and I think it *is* changing for the better.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
  4. Power users should be able to opt-out by Plix · · Score: 5, Interesting

    While I agree with the point, I think that power users should be allowed to call up the ISP (maybe even at initial sign-up) and be allowed to request that the ports remain unblocked. Otherwise, the internet *will* become just the web and AIM for everyone, whether they like it or not.

    1. Re:Power users should be able to opt-out by zwoelfk · · Score: 4, Insightful

      While I agree with the point, I think that power users should be allowed to call up the ISP (maybe even at initial sign-up) and be allowed to request that the ports remain unblocked. Otherwise, the internet *will* become just the web and AIM for everyone, whether they like it or not.

      Well, what's going to happen is: The ISPs will eventually block most ports, "'cause most users don't need 'em." and that'll help some people. "Power users" will be able to pay an extra fee to get the ports unblocked - a "setup" or "administration" fee. Probably even a per-month fee, so they can /really/ get some extra cash. And those people with residential ISPs (e.g. DSL) will be SOL because arguing with the phone company about what ports are blocked will be totally ineffective -- and since they typically have a monopoly on the lines, there's not much you can do. Remember when shell access was standard? Same deal.

      This will suck for a while. Especially when they block port 22 at first, because they forgot about SSH. Then eventually most things will be re-written to tunnel through port 80, making everything more complicated (multiple servers switching on the same port). And of course, the worms will follow.

      The point is, there is a reason these ports exist in the first place -- they allow some flexibility and simplify communications. What they're really saying is "We don't like the way the internet is designed. So we're going to break it. Sucks to be you."

      Z.

  5. Many ISPs are filtering already by rtrowbridge · · Score: 2, Interesting

    I know for certain that MSN does. I had a friend who found he was unable to use a work SMTP relay and had to resort to using the MSN relay.

    As for me, I use Qwest and have found that they will not allow me to keep an open TCP session, meaning my SSH sessions constantly stall.

    Calling tech support resulted in an entertaining conversation during which the support guy insisted that if I could "browse my webs" everything was working.

    Oh well, time to change ISPs...

  6. I'm in the middle. by Thomas+M+Hughes · · Score: 5, Insightful

    If my ISP gave me a slick web interface that allowed me to open or block ports specific to when I connect, I'd be all for it. Set the defaults to block things, to protect against worms and the like, but if I want those ports open to do something, it should be easy for me to open them. I think that's the perfect middle ground. People who don't know (or care) will be protected. Those who care can easily do whatever they want. The ISP just has to make it clear where the options are.

    1. Re:I'm in the middle. by stor · · Score: 2, Insightful

      This sounds impractical unfortunately: can you imagine the size of the Access Control List for all customers?

      You could do some funky auto-aggregating of filters which may alleviate this though, and/or you could limit the relevant ports to problematic ones (SMB).

      You'd end up with some customers screwing up their ACLs and calling support, no matter how simple the interface is. "I clicked on 'Block SMTP' and now my mail doesn't work! Is there a problem on your end?"

      Cheers
      Stor

      --
      "Yeah well there's a lot of stuff that should be, but isn't"
    2. Re:I'm in the middle. by gibodean · · Score: 2, Informative

      My ISP does give me such an interface. About 5 ports are blocked, and have always been. Just recently they provided an interface where I can selectively re-enable those ports again.

      It's iinet in Australia.

  7. Absolutely by nickd · · Score: 5, Interesting

    This is another case where techies do not think about things from the customer's point of view. Of course most Slashdotters will want their ports open; the customers, on the other hand, don't know what a firewall is, what the implications of their ports are, etc. Quite frankly they shouldn't need to.

    Filter by default - if you need your ports or you want to do your own firewalling then get the "advanced user" account that costs less but requires more responsibility from the user.

    If anything this is just an opportunity for ISPs to make another value added service to sell.

    1. Re:Absolutely by groomed · · Score: 2, Insightful

      Filter by default - if you need your ports or you want to do your own firewalling then get the "advanced user" account that costs less but requires more responsibility from the user.

      No, you've got it entirely backwards.

      It's the "family" account that will cost less. The "family" account will include traffic filtering and it will come with a service charge for every webpage viewed and every email sent. Traffic filtering will ensure that your Internet activity will remain limited to the viewing of webpages and the sending of emails.

      It's the "professional" account, without any filtering or traffic restrictions, that will start costing more and more money.

      In other words, we (the techies) will have to pay more, the non-techies will get less service, and the ISP will get all the money.

  8. a great idea imo by Dreadlord · · Score: 2, Interesting

    With the Internet being so popular these days, I think that filtering some ports can save a lot of hassle. Many people use the Internet just to browse the web, read email and chat, so why not?
    On the other hand, ISPs may add an option to get an advanced connection, in which all the ports are open.
    My $0.02

    --
    The IT section color scheme sucks.
  9. A problem? by Absurd+Being · · Score: 5, Insightful

    Blocking all other ports will just mean worms and virii will have a permanent effect. Each wave of them will kill off a port. When we run out of ports (because something will be written for each one) then the internet must shut down. Some redundant system.

    --
    Karma: Excellent^(-t/Tau), Tau=Wittiness/Trollishness
  10. Ports are not the problem by salesgeek · · Score: 3, Insightful

    The problem isn't ports - it's the applications that use the ports.

    --
    -- $G
    1. Re:Ports are not the problem by void+warranty() · · Score: 2, Insightful

      and as those applications use hardcoded ports... well, then the symptoms are the ports.

  11. keep the internet free by edstromp · · Score: 2, Insightful
    It is a nice idea, but we should really not allow it. I see the benefits and all, but look at it this way: What's stopping RoadRunner from classifying all other TV/Broadcast/Cable web sites that are not affiliated with Warner Bros as a virus, and therefore blocking those web sites as well? Filtering of content should *NEVER* happen at the network level. No matter how convenient or tempting it may seem.

    For those that want to read about the issue deeply, I highly recommend Lawrence Lessig's book: The Future of Ideas: The fate of the commons in a connected world.

  12. I want what I am paying for. by FreeLinux · · Score: 3, Interesting

    I am paying for raw internet bandwidth and that is what I expect to get. I will not tolerate any filtering or restrictions on the use of my account.

    Any ISP that mandates filtering should also provide significant discounts to their customers as they are no longer providing a full raw feed. Of course, this will never happen as the filtering will increase the ISPs operating cost so the end result will be less service at a higher price.

    Block my ports and I move to another ISP. If enough ISPs start blocking ports to the point that I can no longer find one that meets my needs, then I will open my own again because the demand for the small ISP will be back.

  13. No... by shri · · Score: 5, Insightful

    It will give lusers a false sense of security. I happen to travel with my notebook and one of the worst places where I get hit by viruses is not my home ISP or work, but hotel broadband connections in Asia.

    If my ISP was protecting me, I would be complacent and I can see myself not updating the scanners / firewall on my notebook and getting hit the next time I went on the road.

    The next issue is liability. If an ISP claims to protect and a luser gets infected, they're going to sue (at least in a North American situation).

  14. What about port 25? by RT+Alec · · Score: 2, Insightful

    Blocking egress port 25 ought to be standard for all residential ISPs. There is no reason for a consumer level access user to need to run their own mailserver, and in fact almost none do (on purpose). Of course, many Windows users recently were unwittingly running an SMTP engine in the form of Sobig.(?).

    ISPs need to ensure that their residential customers have egress SMTP traffic restricted to their mail servers. Users needing corporate e-mail access most likely can get it via SMTPS or a VPN if their IT department knows what they are doing. Users need to be respectful of the fact that they are paying for a consumer level service. If you want business level service, realize this is a higher end cost for the ISP (yes, it is -- more bandwidth, possible peering issues due to ingress vs egress traffic, legal liabilities, etc.)

    ISPs supplying service to businesses need to enforce the clauses in most service agreements that require the business to 'not engage in activity that will be detrimental to the network or the Internet as a whole' (or similar -- IANAL). Spamming, viruses, worms, etc. need to be controlled by the business's IT department, and the ISP should trust their business clients and allow unfettered access. If a business does not know how to secure themselves, they should be contracting someone else to help them (this could include the ISP, of course). Otherwise, they deserve to be treated as a danger to the ISP, since complaints, blacklists, and reduced bandwidth could be the result of unrestricted access.

    1. Re:What about port 25? by mdw162 · · Score: 2, Interesting
      Blocking egress port 25 ought to be standard for all residential ISPs. There is no reason for a consumer level access user to need to run their own mailserver, and in fact almost none do (on purpose).

      I disagree. Though it's technically against the contract, my ISP generally looks the other way while I run my own mail server. As long as I keep it secure I don't see what the problem is. And ya know what -- I NEVER get spam. In fact, if everyone ran his or her own mailserver it'd make it a lot harder for spammers. Instead of being able to send 4 billion messages a day to Hotmail and Yahoo they'd have to target each individual SMTP server.

    2. Re:What about port 25? by yerricde · · Score: 5, Insightful

      Blocking egress port 25 ought to be standard for all residential ISPs.

      Why should an ISP block a customer from sending an e-mail message through his employer's SMTP server? Why should an ISP block a customer from sending an e-mail message through a subscription SMTP server?

      --
      Will I retire or break 10K?
    3. Re:What about port 25? by gblues · · Score: 5, Insightful

      Like hell there isn't.

      I like being in charge of my own e-mail server. I don't send or receive a large amount of e-mail, and I'm on DSL so I'm online all the time. Sure, there are hosting companies that will give me full control of the server. They also cost way more per month than I'm interested in spending.

      The last thing I need is some punk like you telling me "you don't need that port" and blocking port 25.

      Nathan

    4. Re:What about port 25? by Anonymous Coward · · Score: 3, Insightful

      Man, nothing like geeks not reading a post just so they can let everyone know that THEY run a mailserver.

      What the previous post said was 'almost NONE', so yes, we know that there are some people that do but the OVERWHELMING amount of users DON'T.

      You block it by default and you make it easy for the ones who know what they're doing to have access to it.
      How freaking hard is that?

      This is what we talk about with OSes: you run it secure by default and for the 99.99999999% who barely know their mouse from the TV remote it'll be fine. The small percentage who are interested and who actually know what a port is should only have to do an extra step to have access to the ports they need.

      zack

    5. Re:What about port 25? by benzapp · · Score: 3, Insightful

      Chill, man, you are NOT most users. The parent poster was simply making a valid point that the vast majority of internet users do not need port 25. That doesn't seem to include you but that is no excuse to call the poster a punk.

      --
      I don't read or respond to AC posts
    6. Re:What about port 25? by zCyl · · Score: 2, Insightful

      You block it by default and you make it easy for the ones who know what they're doing to have access to it.
      How freaking hard is that?

      You must be new to this planet. Welcome. On behalf of my species I would like to introduce you to a creature we have called "management". This is a subspecies similar to the "spider", yet instead of a silky web, it weaves a web of sticky red tape. This red tape is used to trap and devour people who thought it would be easy to convince an organization to make an exception.

    7. Re:What about port 25? by elemental23 · · Score: 2, Insightful

      I believe your first question was covered by "Users needing corporate e-mail access most likely can via SMTPS or a VPN if their IT department knows what they are doing."

      SMTPS should probably apply to your second question as well.

      --
      I like my women like my coffee... pale and bitter.
  15. Re:Thats just plain silly. by Wild+Wizard · · Score: 2, Insightful

    If you RTFA you would know that Microsoft says that these ports should be blocked from public networks.

    Furthermore, to all the other fools who can't RTFA: the guy is talking about only MS networking ports, all of which should not be open across the Internet.

  16. Two-tiered service by JoeNotCharles · · Score: 2, Insightful

    Seems pretty clear that the average home user needs to be firewalled. People who even care will probably be the same people who want static IPs, guaranteed uptime, and other goodies: business users and geeks. So even if they do lock down the basic service, you can always get a business account.

    The best would be for there to be a mid-range account which doesn't have to pay the full business price (and doesn't have the same service guarantees) but does have no-hassle access. I'd be willing to pay $5 more per month or so for that.

    Here's a neat idea: you get your account, and they ship you a cable modem and personal firewall device. You're free not to use it (well, maybe the TOS say you have to, but nobody listens to them anyway) but they tell you that if you don't you'll leave yourself open to hackers and viruses. 90% of people will plug it in and forget about it, while the geeks will disassemble it to see how it works and then set up their own.

  17. Re:Server-side customizable firewall by thedillybar · · Score: 2, Interesting

    This is a great idea. Along with the firewall on my individual machine, I would enjoy a firewall run by the ISP that would allow me to create the rules. That way I am able to block packets that require a lot of bandwidth (i.e. DoS) at the ISP server, so the connection to my ISP doesn't slow because of it.

  18. Should have designed it that way... by Kjella · · Score: 2, Interesting

    ...but I suppose when TCP/IP was created, no one thought of the Internet as today. There should have been a section of ports dedicated to "LAN software", which by common agreement would be dropped by ISPs.

    It would keep a lot of services that aren't supposed to go outside the home where they belong, and if you didn't want that, you could put the service on a "public" port. What is happening now is basically patchwork by individual ISPs, blocking ports but with little coordination.

    I want to have a free Internet where you can use any port you want. But there are also quite a few services that shouldn't be accessible from the Internet too, customer-side firewall or not. Latest and greatest is the Messenger service SPAM. Why would such a service be open to the world? But there's no "private" port you can put it on where only LAN requests come through. Not unless you do IP filtering, but wouldn't it be just as easy to have some port range that you simply know won't be sent to/received from by your ISP?

    Kjella

    --
    Live today, because you never know what tomorrow brings
  19. Options are good. by Daniel_Staal · · Score: 5, Insightful

    Actually, there is probably a better way yet: An ISP can block its ports if it wants to, but it must tell its users, and there needs to be at least two different ISPs in any market.

    Some ISPs could advertise that they block $a, $b, and $c, as a security measure. If the customer doesn't want to think about security, they go with those ISPs. Others could advertise they allow access to the entire net. I would sign up for that, and do my own security.

    Of course, for this to work there actually needs to be competition in the ISP realm. Not a given at the moment.

    --
    'Sensible' is a curse word.
    1. Re:Options are good. by dnoyeb · · Score: 3, Interesting

      First, most of my ports are being hit by my ISP.

      Second, inevitably ISPs will claim it cost them to open up the rest of the ports, and you WILL get charged for it...

      Third, cold day in hell when broadband is competitive to a majority of people in the USA.

      I have 2 windows boxes and have yet to get infected. The way I see it, those that get infected eventually die off... Leaving only the fittest of boxen.

  20. a bad thing by frovingslosh · · Score: 3, Insightful

    I don't see how anyone could see this as a bad thing. (welcome input)

    Then you (as well as your employers) are very short-sighted. I could well be using those ports. Many software programs that dynamically allocate ports likely will use some ports you block, and users' applications will just fail "randomly". And, of course, your tech support people will deny all knowledge of it. Or, in the case of well known ports such as port 135 mentioned in the original posting, I've actually used port 135 to share entire Windows directory structures across the Internet (between a system in Indiana and one in North Carolina). It was slick and very handy, although too few understand how cleanly (and safely) this can be set up and made to work. How can Slashdot readers really advocate ISPs blocking the utility of the service we buy because some people who also buy it are too lazy to learn to use it properly?

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:a bad thing by Lord+Kholdan · · Score: 5, Insightful

      Then you (as well as your employers) are very short-sighted. I could well be using those ports. Many software programs that dynamically allocate ports likely will use some ports you block, and users' applications will just fail "randomly". And, of course, your tech support people will deny all knowledge of it. Or, in the case of well known ports such as port 135 mentioned in the original posting, I've actually used port 135 to share entire Windows directory structures across the Internet (between a system in Indiana and one in North Carolina). It was slick and very handy, although too few understand how cleanly (and safely) this can be set up and made to work. How can Slashdot readers really advocate ISPs blocking the utility of the service we buy because some people who also buy it are too lazy to learn to use it properly?

      And how can you demand people to learn computer security if you think it's excessive to require you to opt-out from the isp firewall?

    2. Re:a bad thing by bradasch · · Score: 5, Insightful

      I'm sorry, but you're the one being short-sighted. You obviously know what you're talking about when you say you need port 135 open, etc. Now think about users without any knowledge about these things. Think, for instance, of a high-school teacher accessing the internet from his house. Why the hell would this person need access to port X, Y or Z?

      As many have mentioned here, these services should be requested by people who understand what they're doing. For the rest, it just doesn't matter.

    3. Re:a bad thing by oolon · · Score: 4, Informative

      Some people like my dad just want to use the internet, and they don't care how it works, they pay money for an ISP and they expect them to make it work.

      James

    4. Re:a bad thing by Beatbyte · · Score: 3, Insightful

      Ever heard of tunneling? If you're setting up networks like that, you should use VPN or similar.

  21. Question by ciroknight · · Score: 3, Insightful

    If we effectively kill off every port on the internet... what is the point of having the TCP layer protocol? And if we killed it, wouldn't a lot of devices simply stop working? So I ask... WHY!?

    Personally, I love the idea of having ports. It allows a lot of intrasystem communication, even if it isn't the best way of doing it, and it allows many many services to run on one machine. Hell, without TCP, we wouldn't have IMAP or POP3 or SMTP etc. (unless someone did them from a web front, sorta like Yahoo, but then it's the same thing on their end....) Somewhere down the line, people have gotta realize, fixing the problem doesn't mean you have to break something else in the first place. ISPs need to let the users deal with viruses, even if they are 100% computer illiterate. Maybe they should offer a service where they will patch your system for a price, instead of simply blocking a port that someone may have been using constructively. This really outrages me, because Adelphia, my cable provider, has killed so many ports due to virus outbreaks (Code Red killed 80, MSBlaster killed 135, 139, 4444, and a bunch of UDP ports), ports that I would have liked to use (port 80 mainly). I have to redirect to 8080, and not many people will know how to do that. Please people, think before doing something so drastic as cutting off all the ports... There are much better solutions.

    --
    "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
  22. What alternative is there to well-known ports? by yerricde · · Score: 2, Insightful

    Then how is an application supposed to discover on what port a machine is offering a service? What if you didn't know on which port Slashdot was running its HTTP server?

    --
    Will I retire or break 10K?
  23. Slippery Slope by Lord_Dweomer · · Score: 2, Interesting

    While I think something like this may be useful if it defaulted to opt-in with ability to opt-out, I am scared of the possibility of a slippery slope.

    Sure this starts out helping the net in general and preventing everything from going to hell when the next virus comes out.....but what if the RIAA after some successful lawmaking decides that whatever ports Kazaa is running on are bad/illegal and must be blocked? Or what if program X runs on port Y and whatever group doesn't like it decides to block it? Obviously there are other ways around it....but not everybody knows those. Maybe I'm just being paranoid....but with some of the things that have happened lately, who's to say.

    --
    Buy Steampunk Clothing Online!
  24. Re:Should ISPs Be The Little Man's Firewall? by Stuart+Gibson · · Score: 2, Insightful

    I would totally disagree. A GOOD network engineer or security bod will, by default, block all ports and then open ones that users need. If you have the need to be using anything other than the basic ports (25, 80, etc) then you get them opened on request. As 99% of people DON'T need anything else open this is the sensible and security conscious way of doing it.

    I'm sure a "professional level" ISP would cater to your need for flapping security holes by leaving all ports open by default, if that's what floats your boat.

    Goblin

    --
    It's all fun and games until a 200' robot dinosaur shows up and trashes Neo-Tokyo... Again
  25. Some thoughts.... by Sevn · · Score: 4, Insightful

    I spent from 10pm last night till 4am on a conference with the worst bandwidth provider in Arlington, Texas because one of my clients was getting one of his T1 lines bombarded by a DDoS attack. The concept of dropping non-source routed packets was foreign to them. I guess the point I'm getting to is, there are some things the guy on the other end of the T1 line can not do for himself. Even if he had the best bridging packet filter in the world between his T1 and his machines, the pipe would still be screwed at the router above him. So yeah, you bet your ass the provider needs to step in when things are happening at their level. And if they are selling T1 lines to people, they should have the kind of talent in place and IDS systems in place to detect attacks and crap of this nature and do something about it.

    --
    For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
  26. My god this is a dangerous road to be going down by lewp · · Score: 4, Insightful
    1. ISPs start blocking ports
    2. All software uses port 80
    3. ISPs start using more complex and intrusive filtering that blocks everything that doesn't look like MSIE
    4. The internet is officially shit
    I can't fucking wait.
    --
    Game... blouses.
  27. Broken beyond repair? by GammaTau · · Score: 4, Insightful

    Well, I guess the underlying assumption here is that the software using the ports 135, 137, 139, and 445 is broken beyond repair either from the security perspective or the software is very hard to configure properly (because it seems people accidentally misconfigure it to be open to the entire Internet). Either way, the suggested measure would be an unnecessary limit of free communication for no other reason than a common implementation of certain protocols.

    If it is possible for clueless users to accidentally run software that puts their computers at great risk, then I say there is a serious usability problem here. If the software implementation and/or protocols themselves are insecure, providing a better implementation/protocol is a step towards a better future. Trying to shift the responsibility to ISPs isn't the way to go.

  28. Wow. Moderation works! by Bodrius · · Score: 4, Interesting

    I had opened the article specifically to make this same comment.

    Just like self-administered hosting services have successfully provided "servers for the little man" through virtual hosts and web configuration interfaces, ISPs could provide security for the average joe.

    Integrate the UI well with your webmail (spam-filtering, etc) and other services, and your ISP portal can actually be more useful than as a bandwidth test.

    --
    Freedom is the freedom to say 2+2=4, everything else follows...
  29. The source of the problem. by RevSmiley · · Score: 2, Informative

    The source of the problem this is addressing is an operating system that has every port opened by default. That operating system's owner can pay for this. They should have to fully fund it at the user level, not the ISP level. Otherwise STFU. I have a cheap ass packet filter router on my cable modem. Guess what? I don't have any problems. This is an appliance a moron can configure. The manual has pictures even.

    I run Linux. My systems are doubly secured with having all default open ports that are not needed shut off. I pay my ISP for full internet access. SAN needs to get its head out of its ass. I don't need to be made to suffer because Microsoft is too stupid and greedy to build security into any of its products.

    --
    As you can see I don't care about my karma.
  30. I pay for bandwidth - don't block any of my ports! by wtom · · Score: 4, Insightful

    It should be up to users to protect themselves, or it should be an OPT-IN value-added service provided by the ISP, even if it costs extra.

    I pay for bandwidth, plain and simple. I want every port open for whatever use I so desire, with no blockage from the ISP period.

    Some morons at certain ISPs recently decided to block all pings, period, on their broadband networks. I run a small computer consulting business, one of my specialties is IPsec-connected subnet-to-subnet VPNs for small businesses with dynamic IP broadband connections. The scripts that make all this work depend(ed) on being able to ping various places to determine if the internet was up, if the peer host was up, and if the tunnel was up.

    Since someone didn't RTFM on stateful packet filtering, and figure out how to safely allow ping traffic while blocking DDoS attacks, all my scripts broke (well, among those home users using those certain ISPs that connected into the office). Who in the seven hells ever thought an ISP would block ping!!! I can see a popular website doing it, but an ISP?!? Across their entire network?!?!? Baka!

    Anyway, I had to quickly rewrite the scripts to pull entire webpages down to test connectivity, and dump them into the bit bucket, instead of nice, tiny little ping packets. (Let's see 'em block http) Wastes bandwidth, and less elegant too! wheee!

    Cookie-cutter broadband ISPs without the technical knowledge to properly configure their routers are NOT people who I want determining what ports/protocols I can and can't use. I pay for bandwidth. Leave my ports alone!

    --
    Styrofoam IS biodegradable, you're just impatient!
  31. Potential liability for offering filtering by SuperDry · · Score: 2, Insightful

    One reason I can see for ISPs not offering port filtering by default for virus/worm protection is the liability issue. Can you not see the situation of someone relying on this functionality, being hit by something that comes down the pipe, then wanting to hold the ISP responsible because of their negligence in not making the filtering "good enough?"

    1. Re:Potential liability for offering filtering by X_Bones · · Score: 2, Interesting

      I don't think port filtering is the answer for exactly the reasons you mentioned. Better that ISPs completely disable ports by default and provide a mechanism for knowledgeable users to selectively enable ports, with an accompanying waiver clearly stating that security is now solely the user's responsibility. This would protect people who can't or won't update their systems while at the same time allow people who know what they're doing to go about their business. By the same token though, I think the ISP should be able to revoke this right in case things go wrong. Say a supposedly knowledgeable user is infected X times in 12 months; this shows that he does not in fact know what he is doing, and should have the port in question blocked permanently.

    2. Re:Potential liability for offering filtering by ColaMan · · Score: 2, Funny

      Have you seen the TOS on your typical ISP lately?
      Fat fucking chance of suing them for *anything*.

      Support Guy: "Oh, I'm sorry, our routers forwarded the ping-of-death to your PC and erased its drive with all your data? That's a shame, because you *know* that our TOS states that we are *not* responsible for anything that we do. In fact, paragraph 134 explicitly states that we're *allowed* to screw over your computer as many times as we feel necessary, without notice. Thanks, and have a nice day! *click*"

      --
      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  32. Block All Incoming Connections by FsG · · Score: 4, Interesting

    Why not take this a step further by blocking anything that the user did not request in a NAT-like fashion? Broadband router users have been enjoying the security that this provides for ages, and I see no reason why everyone else shouldn't, too.

    Security-wise, this would block many worms (both present and future) because they would simply be unable to connect to any system. Besides that, it would also block backdoor trojans like NetBus and Back Orifice because, although they'd still be listening, no one would be able to connect to them and control the user's system.

    To address the NAT-type problems that this would create, ISPs could automatically make certain exceptions for port blocks that interfere with popular games and whatnot. For advanced users, there would be a control panel (much like those built into NAT firewalls) where they could unblock any or all of the ports.

    --
    I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
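    The two mechanisms argued over above, egress SMTP restricted to the ISP's relay (post 14, "What about port 25?") and NAT-style dropping of unsolicited inbound connections with per-customer opt-outs (post 32), can be modelled as a small stateful filter. The following is an added example and not code from this thread, DShield or any ISP; every address, port and policy field in it is constructed for illustration.

```python
"""Toy model of a per-customer filter at the ISP edge (added example).

Combines two proposals from the thread: egress SMTP allowed only to the
ISP's own relay, and default-deny of unsolicited inbound connections with
per-customer exceptions. All addresses and policy knobs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ports the thread treats as "LAN software" that should never cross the
# Internet (MS RPC, NetBIOS, SMB). Blocked both ways unless the customer
# has the "all ports open" advanced connection.
LAN_ONLY_PORTS = frozenset({135, 137, 138, 139, 445})


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple as the edge router sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class CustomerPolicy:
    isp_relay: str                # ISP mail relay customers may use (constructed)
    opt_out_all: bool = False     # "advanced connection": nothing filtered
    open_inbound_ports: set[int] = field(default_factory=set)  # opt-in exceptions
    own_mta: bool = False         # customer signed up to run a mail server


class EdgeFilter:
    """Default-deny inbound, stateful on flows the customer initiated."""

    def __init__(self, policy: CustomerPolicy) -> None:
        self.policy = policy
        # Reply tuples we expect back: (remote, rport, customer, cport, proto)
        self.established: set[tuple[str, int, str, int, str]] = set()

    def outbound(self, f: Flow) -> str:
        p = self.policy
        if p.opt_out_all:
            self._remember(f)
            return "ACCEPT"
        if f.dport in LAN_ONLY_PORTS:
            return "DROP"
        # Egress SMTP goes only to the ISP relay. Submission (587) and SMTPS
        # (465) are untouched, so employer or subscription servers still work.
        if f.dport == 25 and f.dst != p.isp_relay and not p.own_mta:
            return "DROP"
        self._remember(f)
        return "ACCEPT"

    def inbound(self, f: Flow) -> str:
        p = self.policy
        if p.opt_out_all:
            return "ACCEPT"
        if f.dport in LAN_ONLY_PORTS:
            return "DROP"
        # A reply to something the customer started is always let through.
        if (f.src, f.sport, f.dst, f.dport, f.proto) in self.established:
            return "ACCEPT"
        # Unsolicited: only ports the customer explicitly asked to open.
        return "ACCEPT" if f.dport in p.open_inbound_ports else "DROP"

    def _remember(self, f: Flow) -> None:
        self.established.add((f.dst, f.dport, f.src, f.sport, f.proto))


def demo() -> dict[str, str]:
    """Push constructed flows through two customer policies; name -> verdict."""
    cust = "198.51.100.23"   # constructed customer address
    relay = "203.0.113.25"   # constructed ISP relay
    web = "203.0.113.80"     # constructed remote web server
    mta = "203.0.113.99"     # constructed third-party mail server
    scanner = "192.0.2.77"   # constructed unsolicited remote host

    # Typical customer who asked for inbound 80 to run a personal web server.
    fw = EdgeFilter(CustomerPolicy(isp_relay=relay, open_inbound_ports={80}))
    r = {
        "smtp_to_relay": fw.outbound(Flow(cust, 40001, relay, 25)),
        "smtp_direct": fw.outbound(Flow(cust, 40002, mta, 25)),
        "submission_587": fw.outbound(Flow(cust, 40003, mta, 587)),
        "http_out": fw.outbound(Flow(cust, 40004, web, 80)),
        "http_reply": fw.inbound(Flow(web, 80, cust, 40004)),
        "forged_reply": fw.inbound(Flow(web, 80, cust, 40005)),
        "probe_135": fw.inbound(Flow(scanner, 3456, cust, 135)),
        "own_webserver": fw.inbound(Flow(scanner, 3457, cust, 80)),
        "unsolicited_22": fw.inbound(Flow(scanner, 3458, cust, 22)),
    }
    # "Advanced connection" customer: everything open, including 135.
    adv = EdgeFilter(CustomerPolicy(isp_relay=relay, opt_out_all=True))
    r["advanced_135"] = adv.inbound(Flow(scanner, 3459, cust, 135))
    r["advanced_smtp_direct"] = adv.outbound(Flow(cust, 40006, mta, 25))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

    Note that the reply to the customer's own HTTP request is accepted only because its reverse 5-tuple was recorded on the way out; a packet from the same web server to a port the customer never used is dropped.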
  33. A compromise position by Frater+219 · · Score: 4, Insightful

    It is not the ISP's job to protect you from the insecurity of the software that you choose to run on your connection. Therefore, the ISP should not block ports (or take other steps) for the purpose of protecting you from worms, viruses, or crackers -- unless you contract with them for that purpose.

    However, it is the ISP's job to maintain service quality for the other thousand people served by the same point of presence that you use. It is its job to protect its service from DoS attacks, to ensure that those who don't have a worm are able to use the service.

    Therefore, when a worm outbreak borders upon DDoS, it is very likely in the ISPs' best interest to interfere with it. They should do so minimally, because their purpose in so doing is to minimize its effect on their business and responsible network operators -- not to quixotically defend irresponsible network operators.

    At different stages of an outbreak, and depending on the specific behavior of the worm, an ISP's best response may differ. For instance, if a tiny number of customer hosts are infected and are blasting huge amounts of traffic, the best response may simply be to remove them from the network, or block the relevant ports on the proximal router.

    If they call and complain, the first-line technical support can read off a prepared statement, which (when boiled down) says basically this: "Your computer was being used for a Federal crime, breaking in to other people's computers. We shut down the network to protect our other customers from this criminal activity. It's possible your computer was infected by a virus that was being used to perpetrate this crime. Because of this possibility, we didn't call the FBI and report you as the source of the criminal activity. It's your responsibility to keep your computer from being used to hurt other people." They can then go on to offer, for a small fee, a CD of licensed antivirus and worm removal software -- or, for a larger fee, a visit from a technician who will run the same. Connectivity is not restored until the system is clean, whether by this means or any other.

    In the case of a widespread outbreak, where more than 5-10% of the client systems are infected, it's probably more expedient to just block the ports on the core routers first. Then find a way of enumerating the infected systems and dealing with them, if it's deemed worthwhile.

    Of course, any such measure should be announced. Exactly how to announce it I'm not sure, since many ISP users don't use an ISP mail account (and the ISP must not send spam), nor do they read the ISP's local newsgroup or visit the Web page.

    In the case of a local ISP, the newspaper is always an option.

    1. Re:A compromise position by mcrbids · · Score: 2, Insightful

      For instance, if a tiny number of customer hosts are infected and are blasting huge amounts of traffic, the best response may simply be to remove them from the network, or block the relevant ports on the proximal router.

      The other day, I was using my computer at work. While using my Mozilla browser on Linux, SBC redirected my browser to a web page declaring that my computer had been infected with the Blaster Worm.

      It should be obvious to you already why this was simply ridiculous.

      I don't object to your idea of disconnecting people that are using computers that have been infected by whatever virus, but should my service have been disconnected, I would expect financial remuneration since I was clearly not the problem.

      The real issue here is that even with the best detection methods, you can never be truly sure.

      So, I called SBC, and asked them why this was happening. It turns out that since port 135 was blocked by our firewall, and DENY was used instead of REJECT, there were at any given moment anywhere from 5 to 15 worms attempting to infect our firewall repeatedly.

      This was construed by SBC's detector as "high traffic".

      So if you are going to block any traffic at all, as an ISP, you had better be sure that the benefits outweigh the potential for economic losses as a result of loss of service of your clientele.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  34. Managed Services by The+Man · · Score: 2, Insightful

    This should be offered as an optional add-on service. It's often done in the business world, and it's called managed services. You might pay your provider to firewall for you, to manage traffic, to balance loads, to provide switching or routing, and other services. Firewalling is a type of service I might well want my ISP to provide, so long as it's under my control. This could reduce the investment I might need to make in hardware (routers, firewalls) or software (so-called "personal" firewalls, cleanup tools) and thus be a good value.

    The problem, of course, is that most who really want a consumer-style connection won't go for it because they can't see any benefit to the added cost; becoming a worm or virus transmission vector annoys others but does not usually degrade the infected user's consumption experience and therefore managed firewall services don't make sense. The solution to this is an addendum to terms of service that stipulate that systems which are reasonably believed to be infected with a worm or virus and are adversely affecting networks as a result will be dropped from the network and no refunds will be given. Service will be restored only after a professional (partnership or more managed service opportunities here...) has inspected the system and found it clean of any such threats. Since this will be both annoying - unexpected service termination - and expensive - hourly fees for system checks won't be low - users will find this type of low-cost insurance valuable and useful. Probably enough so to pay an extra 3 or 4 bucks a month, surely enough for the ISP to make a nice profit as well.

  35. Re:Should ISPs Be The Little Man's Firewall? by gclef · · Score: 4, Insightful

    How do you know ahead of time what ports people need? Do you buy every online game, to make sure their new implementation of game protocols over UDP works in your system, or do you wait until your users are complaining (and leaving) because you don't have time to keep up, and you're blocking their game? If your ISP suddenly blocked all P2P (which is what your proposal would do), would you move ISPs? If your answer was "yes," why do you think anyone else would stay, and why would anyone in their right mind run an ISP that way?

    You may *think* you know what users need. You're probably wrong, though.

  36. My predictions by big-magic · · Score: 2, Interesting

    I worked at a large web hosting company for many years, so I've dealt with these issues before. Here are my predictions.

    First, ISPs and web hosting companies are going to increasingly block ports. You can complain all you want about this, but it will definitely happen. 99.9% of the customers only care about SMTP, HTTP, FTP, SSH, TELNET, POP3, and IMAP. I may be missing a couple, but you get the idea. On a percentage basis, there is so little demand for the other ports that I suspect most of the larger ISPs already block a good deal of ports. They are just playing the odds. The only way you will be able to avoid this blocking is by co-locating a machine (which is what I will probably do). Even then, you may have to shop around.

    Second, an increasing number of applications will just tunnel through another port. We already see this trend by companies (like www.no-ip.com) that sell the ability to reflect email back into port 25 from another port. This is useful if your ISP blocks outbound port 25 (both AOL and Earthlink do this). This leads to my third prediction.

    In the future, all traffic will be port 80. I'm being partly facetious with this prediction. But it may not be as far-fetched as it seems at first glance.

  37. Comcast and Code Red by Smuj · · Score: 2

    When Code Red was at its worst, Comcast took it upon itself to filter inbound http requests to some (all?) of its subscribers. While this did prevent new IIS infections, it also disrupted service for a large number of people running more secure web servers, myself included. The way I saw it, I was being forced to suffer for my neighbors' stupidity. I lost the freedom to run a personal web server because there were too many morons sharing the network with me.

    I like the idea of an ISP offering "secure" service as a [free] option. I even like the idea of enabling it by default, and forcing the customer to explicitly remove the feature if they don't want it. What I don't like is having my service crippled because someone else is too careless or clueless to secure their PC.

    On the other hand, this would likely have the undesirable side effect of teaching users that they need not worry about security. "Why bother keeping my OS up to date? Isn't it my ISP's job to take care of me?"

  38. screw the web. by the_greywolf · · Score: 2, Funny

    i want more gopher sites.

    --
    grey wolf
    LET FORTRAN DIE!
  39. Consumer vs Business by Bodrius · · Score: 4, Insightful

    And where exactly is the rule written that consumers cannot or should not use port 25?

    I guess you don't think we should serve http ports?

    And no telnet/ssh either. Remote administration is the kind of thing a consumer doesn't need.

    When I pay for my "consumer-level" DSL, I have some expectations that I'm willing to compromise on.

    I know the tech-support people will not consider me a priority. I know if they have network problems, they will not work the extra mile to minimize my downtime. I know I cannot talk about "downtime" with them with a straight face, because they don't have those kinds of obligations.

    I do expect, however, to be able to send and receive little packets of data every once in a while, at a certain speed, over whatever ports I want. I expect my paltry email packets to be dealt with equally with my fancy packets of video and audio (which certainly cost more bandwidth to my ISP, spam or no spam).

    I do expect that my use is not restricted by "whatever is likely" other people need or do.

    I agree with you that most users should have port 25 blocked. Actually, I think most BUSINESS users should have port 25 blocked too... a lot of small offices do not need, and do not have, their own email server but were happily sending emails through their business DSL lines due to SoBig.

    Let BOTH kinds of users specifically remove that block. Force them to restrict it to a specific email server (or a list) if you want.

    If they need it, whether it's a geek or a full IT department, it wouldn't be a problem because they know what they're doing.

    But don't assume that a consumer never knows what he's doing, or that a business necessarily has a clue.

    --
    Freedom is the freedom to say 2+2=4, everything else follows...
  40. Re:Additional revenue! by vegetablespork · · Score: 2, Insightful

    So true! Mod parent up. The only thing he forgot was the bullshit "Universal Service Fee" that some ISPs are actually charging, although it's doubtful they're required to contribute to the USF fund.

    --

    Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.

  41. Best Possible Solution by ipoverscsi · · Score: 2, Interesting
    As has been stated previously, /.ers don't know jack about average customers.

    The best solution is to provide tiered services for residential customers. The default (and bottom) tier is to firewall the bad ports. Those people who want to run basic services (such as web and mail) should be able to sign up for the second tier. This would provide basic firewalling and leave open the ports for web and mail. The third tier would be an open pipe and the end-user claims all responsibility for the use of that pipe. Third tier users would be on their own network separate from tiers 1 and 2 in case their IP ranges get placed onto RTBLs or some such thing.

    The common consumer just wants cheap internet access and will pay for the bottom tier and get the benefits of protection. Cocky /.ers would pay for the top tier (probably at a premium) to get what they want. Then they can shoot themselves in the foot.

  42. Rather than have ISP block ports.. by Idimmu+Xul · · Score: 3, Insightful

    Why not make Operating Systems block all ports as default? This isn't a network issue, it's an application issue.

    --
    The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
    1. Re:Rather than have ISP block ports.. by FCKGW · · Score: 2, Interesting

      Yes! Unlike vendors of secure operating systems, Microsoft assumes that every user will need to use every MS networking and file sharing service, and opens up all the insecure ports for it. They need to turn every port OFF by default. There needs to be a nice Windows GUI to turn each service on, with options like this:

      Option says: Don't share files (Recommended)
      Does this: turns off all SMB-related ports

      Option says: Only share files to your own network
      Does this: allows SMB ports only to 10/8, 192.168/16, and 172.16/12

      Option says: Only share files to certain computers or networks (Advanced users only)
      Does this: allows SMB ports only to IP ranges the user specifies

      Note that there's no option for "open everything up," since that would tempt lazy or clueless people to use it, and it can already be done in the third option by allowing 0.0.0.0/0. There should be something similar for management things like Remote Registry.

      Until Microsoft gets its head out of its ass, we might as well have ISPs use cable/DSL modems with built-in firewalls with a really easy web interface. That way, they can block all ports in and 25 (spam viruses and email worms) and 135 out (MSBlaster) by default, but allow the user to open any of it back up.

      In the real world, though, with an insecure dominant OS and ISPs that don't care, we're screwed.

      --
      It's an operating system, not a religion.
    2. Re:Rather than have ISP block ports.. by elemental23 · · Score: 2, Informative

      Unlike say, Linux, right? Oh wait, my Debian machine had such gems as the much-exploited SunRPC (port 111) running after even a minimal base installation.

      --
      I like my women like my coffee... pale and bitter.
  43. What everyone ignores... by whoever57 · · Score: 5, Informative

    is that it costs real money to block ports. ISPs have big routers and the cpu cycles of those routers are expensive. Blocking ports takes additional cpu cycles, so ISPs need to have a strong business reason to start blocking.

    --
    The real "Libtards" are the Libertarians!
    1. Re:What everyone ignores... by djrogers · · Score: 2, Informative
      is that it costs real money to block ports. ISPs have big routers and the cpu cycles of those routers are expensive. Blocking ports takes additional cpu cycles, so ISPs need to have a strong business reason to start blocking.

      I doubt there's a router built in the last 3-5 years that can't block traffic at the port level without so much as a blip on its cpu cycles. Fancier blocking (multiple conditional rulesets etc) _might_ hurt a particularly poorly designed router, but simply dropping a packet based on src/dst port is a task that has long ago been spun into ASICs and net processors as a basic no-impact capability. That being said, this would only stop traffic that actually crosses the router - every box on each of the ISP's subnets would still be open to one another... D
      --
      Think outside the... Hey, where'd the friggin' box go?
  44. Make it a default--overridable by swordgeek · · Score: 2, Informative

    My ISP has spam filters. If you log into their webmail client, you can turn on or off the various rulesets, or tune them at will.

    Now if they didn't have this adjustment ability, I'd be moving elsewhere in a big hurry--but they give me the filters, default them to all on, and let me turn off what I want. I don't see why they can't do that with internet ports. Default to everything turned off, and then have a website that I could authenticate against, which would allow me to open ports. ACLs in FW1 should be able to accomplish this.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  45. It's their service by anthony_dipierro · · Score: 2, Interesting

    so they can do whatever they want.

    C'mon, mod this down as a troll, just so you can prove my point.

  46. translation: Must ISP's clean up after Microsoft? by phr1 · · Score: 2, Troll

    Those port blockages (except for maybe 25) are workarounds for ridiculous MSFT security bugs. The proposal is that ISP's install blocks to work around the bugs. Shouldn't MSFT clean up its own mess?

  47. Most certainly not by davmoo · · Score: 2, Interesting

    If my ISP wants to filter things such that I cannot run a server from my house, that is okay. I can live with that, since I'm buying residential service and not business access. Uploading is throttled down to 64kbs anyway (I'm on a cable modem), so it would make a shitty server point anyway.

    But the first time my ISP limits what I can receive without giving me the option of turning it off will be the last time I use my ISP. It's not their place to determine what is "good" and what is "bad" for me, nor is it their duty to protect me from my own stupidity. Babies who need their hands held and cannot think for themselves can use AOL.

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
  48. You want to have your cake and eat it, too! by Jetson · · Score: 4, Insightful
    I am paying for raw internet bandwidth and that is what I expect to get. I will not tolerate any filtering or restrictions on the use of my account.

    And yet the most common complaint I hear from people is how they paid for lots of bandwidth but they're always the victim of lag and dropped packets. Blocking ports 135-139 would eliminate a substantial amount of the background "noise" that's taking a bite out of your bandwidth.

    If someone *needs* to share 135-139 over a public network then they should be using a VPN anyway.

  49. The problem by Sycraft-fu · · Score: 2, Insightful

    Is that the "advanced user account" would probably end up costing MORE, not less. I think that you'd mostly find 3 situations:

    1) ISP blocks ports/services/etc and won't unblock them. Claim it is for security, etc and just won't do it any other way. We had this problem with Cox. They disallowed any VPNs on their normal cable accounts. Our university uses VPNs extensively. It came down to us explaining to them that we would recommend people go with a different provider if they didn't change the rules. Of course as a large university we have leverage individuals do not.

    2) ISPs would allow you to unblock ports, but would charge a fee for it. This is much like how you have to pay to NOT have long distance service. You would end up probably paying a monthly charge just to get to use everything.

    3) ISPs would use this to attempt to force business class service. You could get an unrestricted connection, but only if you were willing to drop the bigger fees for a business class connection.

    I would have no problem with an ISP firewall, if they'd be nice about it. If I could log on to their website and enable/disable its features at will I'd think it was great. It could be on by default for all I care, so long as they told me. However it does need to be something I can disable easily, and I shouldn't have to pay extra or anything like that for it.

  50. No, ISPs shouldn't filter ports by Todd+Knarr · · Score: 2, Interesting

    The ISP is to the user what the backbone provider is to the ISP. The ISP should no more be filtering ports than the backbone provider should be filtering ports. If users not knowing what they're doing is becoming too much of a problem, or is putting other users at too much risk, then the ISP should be doing what we require for cars: users must prove a certain level of knowledge and ability to safely operate a computer/car before they're allowed on the Internet/road.

    Unfortunately, this isn't an ideal world. Until people stop whining that, effectively, "Why do I have to know how to drive? I just want to go places in my car!", we may have to live with this.

    1. Re:No, ISPs shouldn't filter ports by moncyb · · Score: 2, Interesting

      Why not just make users pay for their bandwidth? This is the real reason ISPs block ports and ban "servers." If Joe Dumbass gets a bill for $200 because his computer is infected with the latest worm, then you'll see him start patching his computer and demanding his software vendors do something about security.

  51. This is sooo simple by dfn5 · · Score: 2, Informative
    The only job the ISP has is shuttling packets back and forth, period. They should not be concerned with the content of those packets. That should be up to the end user/organization to determine what is or is not appropriate for their network.

    I really don't care about making the Internet safe for everyone. Next thing you know we'll be suing gun companies over homicides, I mean ISPs over cyber attacks.

    Isn't the real issue here the fact that Windows has so many security flaws? Maybe Windows just isn't ready for the Internet. I run Solaris, Linux, and MacOS X, with the protection of a Solaris/IPFilter firewall at home and do you think I care about worms and viruses? Nope.

    The only thing I could possibly suggest that the ISPs do is communicate a standard warning: "The surgeon general has determined that Windows can be hazardous to your computer while connected to the Internet." and leave it at that.

    --
    -- Thou hast strayed far from the path of the Avatar.
    1. Re:This is sooo simple by Karth · · Score: 2, Insightful

      While I agree with you, the ISP has nothing to do with the packets, either. They provide a mail server, and maybe a news server. They lease the ports for people to dialup with from a large data services provider, and do the accounting. That's it.

      I used to work for a large ISP, and that's all they did. Accounting.

  52. nevermind all this... by pebs · · Score: 3, Interesting

    the cable/dsl modems themselves should have built in firewalls. setup secure by default. if the user wants to reconfigure or disable it, they should be allowed to do so.

    --
    #!/
  53. My Good Old ISP by pythonisman · · Score: 2, Informative

    My ISP (Australia Wide, NOT owned by a Telco), has recently implemented port blocking into all their accounts.

    Along with this 'feature' they also enable us to enable or disable port blocking, at our convenience, in about 4 clicks and a login. If you ask me, any ISP worth buying service from, who is considering making port blocking mainstream, because it IS important, and it is something that is going to stop the vast majority of users from getting viruses/hacks that commonly exploit vulnerabilities in the more widely used OS's, will implement a similar service.

    I am charged nothing, for leaving my ports open, and I run firewall software on my PCs with custom rules relating to ports because of web/ftp/ssh servers etc. It was quick and easy to toggle between blocked and unblocked, and anyone on this service can do it.

    I honestly don't see why this is such a hard thing to adopt, and I would like to thank my ISP for being as reliable and friendly as they are, I know I am lucky in this situation.

    I think ISPs SHOULD be the Little Man's firewall. The inexperienced user needs protection and 90% of the time will not have a clue how much work the ISP has done for them, but perhaps might comment to their friends that "No, I didn't get the Blaster Virus" when everyone else did.

  54. Levels of usability by qaffle · · Score: 2, Insightful

    Something like this would be wonderful for the average person. For the 10% of the population (read us) that this would hinder, the benefits would greatly outweigh anything else.

    This does bring up a totally different idea I had while thinking of how things like this and similar average user features (for instance forcing people to use dialers, browsers, etc..) slow down the power users. It would be nice if major ISPs would start offering levels of service for users. This technically wouldn't require more charges for either group (although surely the ISPs would jack up the prices for specialization). The costs of blocking and filtering would balance with the cost of having to set up special settings for a different group. Both would cost more, but together they wouldn't have to have different prices.

    Of course this will never happen, but it's one of those ideas that somebody should think about. And all of this would probably be most useful for broadband connections.

    BTW, are there major ISPs that do this type of thing?

  55. my old isp was like that... by xshader · · Score: 2, Informative

    and it purely sucked. i couldn't use normal service ports (21, 22, 80, 126...). i had to use shitty ports for everything and it really sucked. this was the korean ISP thrunet by the way. i hated them the most out of all the ISPs i ever used. their service was always cutting me off too. DO NOT THINK PORT BLOCKING IS A GOOD THING. it chops your feet off if you actually know what you are doing.

  56. I HAVE A DREAM by Murf+In+Wyoming · · Score: 2, Insightful

    ... of broadband firewall routers being sold that will not work with the default password. That such routers will not have ANY incoming ports open by default, and ALL unnecessary outgoing ports (not needed for http, https, ftp, telnet, pop/imap, sendmail, ssh, IM, irc, kazaa, etc), are all CLOSED by default. The user will always have the option to open any normally closed port. BUT, since most users leave their routers as-is, and don't care, as long as they can surf the web, send and get mail, etc, such routers will shut out the hackers and limit their exploits on an unimaginable scale. And, a lot of trojans could be cut off just by limiting the lesser-known port numbers outgoing. ISPs won't have to load down their routers with endless lists of changing exceptions to no-route rules... Boy, I dream big.

    --
    Dogs look up to men; cats look down on men; But Pigs! Pigs can look men square in the eye. -Churchill
  57. There's a better way by Fr33z0r · · Score: 2, Interesting

    I really can't believe how overcomplicated people are trying to make this; there's a simple solution that looks something like this:

    1) Customer dials in to ISP and is port-scanned
    --vulnerability found? Go to solution 4.
    2) Customer sends mail through ISP's smtp server - a simple scan for virus infection is performed.
    --infected? Go to 4.
    3) Customer has been connected for multiple of 24 hours and is portscanned
    --vulnerability found? Go to 4.

    4) All web and mail traffic from/to the customer's machine from the ISP is suspended except http/ftp access to designated update and web-virus scanner sites, whenever they try to hit a website they are shown "Your system is infected with blahblahblah, the patch is here and this is the only piece of the internet you're going to see until you install it - once you have you'll be scanned again and the block will be automatically lifted"

    Badda-bing, no need to block any ports unless the user is infected, user *knows* when he's infected and user also is led by the hand to the patch. ISP's update their vulnerability-list (a la Norton liveupdate) every day/week, and they slap their own logo/theme on the pages it generates. No more CodeRed/Sircam/SoBig/Nimda/Blaster/*whatever* problems, ever again.

    Speaking as a programmer, this is fucking *trivial*, so why all the discussion of blocking people's ports across the board? Seriously, have I overlooked something really dumb in the above, because that to me seems like the ideal/only solution.

    The only people who can fix these problems *for good* are the ISPs, and it's painfully easy (see above) for them to do it *without* blocking all the ports I use for dumb games :D
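    The four-step flow above, written out as a small policy state machine so the order of checks and the walled-garden exit are explicit. This is an added example, not Fr33z0r's code or any ISP's; the event names, the "24 h since last scan" rescan rule and the two allow-listed hostnames are my own assumptions, only the scan-on-connect / scan-on-mail / periodic-rescan / suspend-until-patched sequence comes from the post.

```python
"""Walled-garden quarantine policy for the four steps in the post above.

Added example (not from the post or any ISP). Event names, the rescan
interval handling and UPDATE_SITES are assumptions made for this demo.
"""
from dataclasses import dataclass, field
from typing import List, Optional

RESCAN_INTERVAL = 24 * 3600  # step 3: rescan once every 24 h of connection
# Step 4: the only hosts a quarantined customer may still reach (constructed names).
UPDATE_SITES = {"updates.example.net", "scanner.example.net"}


@dataclass
class Customer:
    connected_at: Optional[float] = None
    last_scan_at: Optional[float] = None
    quarantined: bool = False
    reason: Optional[str] = None
    log: List[str] = field(default_factory=list)


def _quarantine(c: Customer, why: str) -> str:
    c.quarantined, c.reason = True, why
    c.log.append(why)
    return "quarantine"


def _scan_result(c: Customer, vulnerable: bool, why: str) -> str:
    return _quarantine(c, why) if vulnerable else "allow"


def handle_event(c: Customer, event: str, now: float, **details) -> str:
    """Apply one event at time `now` (seconds) and return the ISP's action.

    Assumed event names:
      connect       step 1: scan on dial-in        (details: vulnerable=bool)
      mail          step 2: scan outgoing mail      (details: infected=bool)
      tick          step 3: rescan every 24 h       (details: vulnerable=bool)
      clean_rescan  step 4 exit: patched and rescanned clean
    """
    if event == "connect":
        c.connected_at = c.last_scan_at = now
        return _scan_result(c, details.get("vulnerable", False), "vulnerable on connect")
    if event == "mail":
        if details.get("infected", False):
            return _quarantine(c, "infected mail")
        return "deliver"
    if event == "tick":
        if c.connected_at is None or now - c.last_scan_at < RESCAN_INTERVAL:
            return "ignore"  # not connected, or 24 h not yet elapsed since last scan
        c.last_scan_at = now
        return _scan_result(c, details.get("vulnerable", False), "vulnerable on rescan")
    if event == "clean_rescan":
        c.quarantined, c.reason = False, None
        c.log.append("block lifted")
        return "restore"
    raise ValueError(f"unknown event {event!r}")


def filter_request(c: Customer, host: str, scheme: str) -> str:
    """Step 4: while quarantined, only http/ftp to UPDATE_SITES passes;
    every other web request is answered with the 'you are infected' page."""
    if not c.quarantined:
        return "pass"
    if scheme in ("http", "ftp") and host in UPDATE_SITES:
        return "pass"
    return f"notice: your system is infected ({c.reason}); patch at updates.example.net"


if __name__ == "__main__":
    cust = Customer()
    print(handle_event(cust, "connect", 0.0, vulnerable=False))        # allow
    print(handle_event(cust, "tick", 86400.0, vulnerable=True))        # quarantine
    print(filter_request(cust, "www.example.org", "http"))             # notice: ...
    print(handle_event(cust, "clean_rescan", 90000.0))                 # restore
```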

  58. Re:Agreed by elemental23 · · Score: 2, Insightful

    You should be happy about being made to use SFTP instead of regular send-passwords-in-plain-text FTP.

    --
    I like my women like my coffee... pale and bitter.
  59. Re:Why don't the modems (cable/dsl) firewall? by molarmass192 · · Score: 2, Insightful

    Simple, it costs more, and it doesn't really matter by how much. You'd be surprised at how single minded companies are when it comes to per unit costs. Fixed costs they could almost care less about but try to increase a budget by $1 more *per unit* and people go absolutely fricken nuts. You're right though, if a competing cable modem maker offered a unit for the *same price* they might be able to steal the business away from the existing supplier or, at the very least, convince the existing supplier to add the firewall functionality gratis.

    --

    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
  60. In a word... by The+Master+Control+P · · Score: 2, Insightful

    No

    I don't trust anyone but myself to filter what I want. Suppose a certain corporation that shall not be named were to lean on ISPs to block common p2p ports?

    Suppose I were working at home as a security consultant and needed access to all ports, including those used by virii?

    The internet was originally designed with all the intelligence at the ends, and not at the center. This was done to prevent anything like this kind of behavior, where the people with the routers can control what you can access. If it were not for this forethought on behalf of the Internet founders, your ISP would control what you can access.

    And that's what this could easily evolve into. You know the routine. You start with a little. Then they push it a little farther. And a little farther. And a little farther. Then the "internet" is nothing but a glorified TV station, feeding you the same junk in an interactive manner.

    Obligatory BTTF quote: "Admittedly, that is a worst case scenario..."

  61. Isn't this happening anyway? by querencia · · Score: 2, Interesting

    When you write internet software now, you have to supply port 80 tunnelling so that people behind firewalls can use them. If you close all ports except 80, it does nothing except add a trivial layer of complexity to writing networking code, whether the code is malicious or not.

    This is like arguing that instead of locking all doors and windows, we should brick them all up except for the front door, but leave that one open because we're too lazy/foolish to operate the lock (or, we can't figure out how to make a lock that's easy enough to use).

    Bits don't care what port they travel over, and software/viruses can be configured to send/receive them over any open port. What we need are simple locks.

  62. The obvious problem by alizard · · Score: 4, Insightful
    If all the ports people don't ordinarily use get blocked at the router, what's going to happen to anybody who creates new Internet services/applications?

    If the approach is "opt-in", any new Internet service in the future is going to be DOA because Joe Clueless is going to download the new apps, find out "they don't work", and isn't going to contact his ISP where the problem is.

    The other problem is that any ISP big enough to have a clueless "first line" help desk isn't going to be able to handle "please turn this port on" inquiries from Joe Clueless and will be even less able to handle them from anyone with a clue.

    Do we have all the Internet services we're ever going to want?

    Sacrificing future technological possibilities just to keep the current Net running properly isn't exactly the sort of thing we want if we want to do interesting and maybe profitable high-tech things.

    For port 135 and the other most commonly abused ports, there's a case for blocking by default.

  63. No. by ikekrull · · Score: 2, Insightful

    Multiple ports are not the problem - if nothing is using those ports, there would be no traffic on them.

    Blocking ports will only cripple legitimate users of those services while the malicious attackers will find other vectors for attack.

    You can keep blocking ports until everything is tunnelled over port 80 and content only flows 'one way', but we already have that - it's called TV/Radio broadcasting.

    If anything, ISPs should filter the users logging onto their systems - e.g. if the system logging on fails security tests, or exhibits virus-carrying behaviour, then outbound access is curtailed or disabled entirely.

    Crippling the internet because Microsoft can't get their shit together is the dumbest thing I've heard this week.

    --
    I gots ta ding a ding dang my dang a long ling long
  64. Word of the Wise by Bruha · · Score: 2, Insightful

    I'm currently at a Holiday Inn. Well, they have high speed net access. Faster than a T1 is nice but they block port 25. It's an inconvenience since I can't send email through my yahoo smtp account nor my email account on another server. Though I'll have to call our hosting service to map port 2525 to 25 to get around this issue it's still an annoyance.

    If the ISP blocks 25 then the spammer will have a buddy setup a box outside the network to accept on some random high port like 37337 and just go to town just like usual. All it serves to do is get in the way of legitimate users in a punish the many for the crimes of a few method.

    1. Re:Word of the Wise by Indy1 · · Score: 2, Interesting

      I agree that port 25 blocks ARE a pain to end users, but it DOES cut down on the SoBig attacks, and the dumb ass make money at home by spamming on your dsl/dialup connection. About a month or two ago Cox cable blocked port 25 on their cable users, and since then, I've seen ZERO spam attempts from their network. Compare that to rr.com or attbi.com, which I've had to ban their entire network sans the real smtp servers at my firewall because of the massive worm and spam attempts.

      --
      Lawyers, MBA's, RIAA? A jedi fears not these things!
  65. shell accounts? by alizard · · Score: 5, Insightful
    Even though I grab my mail off the net via SLIP/PPP mail client like just about everyone else, I've made a point of keeping my shell account.

    If one is on a dialup, it's really handy to be able to go upstream of one's mail client in order to block the multimeg file attachment some spammer or clueless friend thinks I need.

    A shell account saved my ass when Sobig.F hit.

    Some moron from dsl.net with an infected box hit mine with viral spams by the thousands on top of the rest of the Sobig viral spam I got. Being able to configure my .procmailrc file at my provider made it possible for me to shitcan everything with a .scr or .pif before I downloaded it via mail client. Without the shell, my account would have been useless to me for weeks and having my ISP clean it out would probably have cost them hours, i.e. hundreds of bucks worth of sysadmin time. With it, I pretty much took care of myself.

    One should not have to run one's own mail server in order to do this. A shell is a good thing even for an ISP in the hands of those who can use it properly.

    This doesn't mean that users necessarily need to get one by default, though. Personally, I don't ever intend to get an internet account that doesn't have one.

    1. Re:shell accounts? by cyb97 · · Score: 5, Informative

      You know that POP3 can preview messages (using "top msgnum no_lines") and delete with the command "dele msgnum".

      So you don't have to download all the files to delete them, POP3 has features in place. You just need a decent mailreader or telnet to use the functionality (some MUAs do implement a kind of preview before download).
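      Putting comment 65 and this reply together: alizard's ".scr or .pif attachment" rule applied from the client side with TOP and DELE, so the worm mail is discarded on the server before any download. This is an added example, not cyb97's or alizard's code; the fake server class and the three sample messages are constructed so it runs offline, and `purge_worm_mail` only assumes the `stat`/`top`/`dele`/`quit` methods that `poplib.POP3` provides.

```python
"""Preview with TOP, delete with DELE, before downloading.

Added example, not from the thread. FakePOP3 and SAMPLE_MAILBOX are
constructed stand-ins; against a real server pass a poplib.POP3_SSL
object (after user()/pass_()) to purge_worm_mail instead.
"""
import email
import re
from email import policy

BAD_EXTENSIONS = (".scr", ".pif")  # the attachments alizard's .procmailrc rule dropped
PREVIEW_LINES = 40                 # body lines TOP returns: enough to see the first MIME part's headers
NAME_RE = re.compile(rb'(?i)(?:filename|name)="?[^"\r\n]+\.(?:scr|pif)"?')


def looks_like_worm(raw_preview: bytes) -> bool:
    """True if the headers plus first body lines declare a .scr/.pif attachment."""
    msg = email.message_from_bytes(raw_preview, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BAD_EXTENSIONS):
            return True
    # A TOP preview may cut a MIME part off mid-way, so also scan the raw text.
    return NAME_RE.search(raw_preview) is not None


def purge_worm_mail(pop):
    """Walk the mailbox with TOP and mark matching messages with DELE.

    Returns the deleted message numbers. poplib's top() returns
    (response, [line bytes, ...], octets); the fake below mimics that.
    """
    deleted = []
    count, _size = pop.stat()
    for num in range(1, count + 1):
        _resp, lines, _octets = pop.top(num, PREVIEW_LINES)
        if looks_like_worm(b"\r\n".join(lines)):
            pop.dele(num)
            deleted.append(num)
    pop.quit()  # QUIT is what commits the DELE marks on a real server
    return deleted


class FakePOP3:
    """Minimal offline stand-in for poplib.POP3 (constructed for this demo)."""

    def __init__(self, messages):
        self.messages = messages
        self.marked = set()
        self.committed = False

    def stat(self):
        return len(self.messages), sum(len(m) for m in self.messages)

    def top(self, num, lines):
        body = self.messages[num - 1].split(b"\r\n")
        head_end = body.index(b"") if b"" in body else len(body)
        return b"+OK", body[: head_end + 1 + lines], 0

    def dele(self, num):
        self.marked.add(num)
        return b"+OK"

    def quit(self):
        self.committed = True
        return b"+OK"


SAMPLE_MAILBOX = [  # constructed messages: plain mail, a .pif carrier, a harmless image
    b"From: friend@example.org\r\nSubject: lunch?\r\n\r\nStill on for noon?",
    (b"From: spoofed@example.net\r\nSubject: Re: Details\r\n"
     b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n--XX\r\n'
     b"Content-Type: text/plain\r\n\r\nSee the attached file for details.\r\n--XX\r\n"
     b'Content-Type: application/octet-stream; name="your_details.pif"\r\n'
     b'Content-Disposition: attachment; filename="your_details.pif"\r\n\r\nTVqQAAMAAA\r\n--XX--'),
    b'From: friend@example.org\r\nSubject: photo\r\nContent-Type: image/jpeg; name="cat.jpg"\r\n\r\n/9j/4AAQ',
]

if __name__ == "__main__":
    print(purge_worm_mail(FakePOP3(SAMPLE_MAILBOX)))  # [2]
```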

  66. A NZ telco provides self managed virtual firewalls by Anonymous Coward · · Score: 5, Interesting

    Telecom New Zealand currently offers its business customers a service that allows the customer to configure their own VFW (Virtual FireWall). Changes made to the config of the customer's VFW via a https web server are immediately sent to the firewall (inside the Telecom network). While the customer does not have the ability to change the outgoing NAT address of the VFW most other options one would expect from a firewall sitting in the office are available such as: selecting Src/Dst IP, Protocol, Src/Dst ports etc. Incoming services such as customer managed web servers etc. can be set up by the customer though this does require you to pay for an "extra" Public IP address. The firewall follows state and is designed to support large numbers of unique customer networks with overlapping private address space. All in all it's a very sexy thing. Sadly there isn't much technical detail on how the system works but the sales blurb makes for interesting reading. http://www.telecom.co.nz/securebusinessinternet/

  67. NO!! by DunbarTheInept · · Score: 3, Insightful

    You know how this would work. Those port numbers often used on Windows would be allowed. Anything not on that whitelist would be cut off. So suddenly everyone using Linux under the ISP who wants their services to work correctly gets labelled as an uncouth 'hacker' (in the media meaning of the word, not the original meaning) for wanting to punch through the firewall.

    And then the morons who make the majority of public opinion see the extra hoops Linux users would have to jump through to get their systems to work and think, Oh, my Windows box just works, so I guess it's better. (For example, if Windows sharing port numbers are allowed but NFS port numbers are not, then the general effect is that Windows filesharing works and Unix's does not. No amount of explaining will sway the public opinion on this. It's not based on reasoned thinking.)

    And although I couched this in terms of Windows Vs Linux, the more general case is the real problem - it makes the decision of which technologies will live and which will die be entirely in the hands of the ISPs. It's the equivalent of your phone company saying "You can discuss your pets, your wife, and your kids over our phone lines, but you aren't allowed to talk about radios, televisions, or cable modems over our phone lines. And we'll be listening in and if you try to raise one of those subjects we'll cut your call off."

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  68. Blocking at ISP end or User end by billstewart · · Score: 4, Insightful

    I agree that blocking should normally be an optional thing, and unfortunately the default should probably be to block lots of things, because there are too many insecure applications and operating systems out there. The question is *where* to do the blocking. For a dialup system, it's obvious that you should probably implement the blocking at the ISP end, but for a dedicated connection (cable, DSL, private line, business T1, etc.), you've got a choice of whether to block it at the ISP's end or at the router on the user's end (whether it's provided by the user or the ISP). From a scalability standpoint, it's much easier to do the blocking on the user end - that also can work well if you want to let the user turn the blocking on and off - almost all of those devices have enough horsepower to do the job, and routers from certain large router vendors *don't* have the horsepower to do it for lots of users (and if they did, ISPs would make the tradeoff of putting more users on each box.)

    There are some exceptions, though - if you're getting a high-volume flood of some sort (DDOS attacks, Slammer worms, ping floods, etc.), it's nice to be able to turn it off at the ISP's end of the wire, because that prevents your bandwidth from getting stepped on by the attackers, while otherwise you might be unable to get any effective work done because 99% of your bandwidth is the attack.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks

  69. At LEAST it should be default by ArchAngelQ · · Score: 2, Interesting

    I know this is directly counter to what has been previously posted, but I'm sticking by it. I work for a small ISP. All our dialups are already filtered. It's outlined in our TOS.

    None of our dialup customers were hit with Blaster. We filter these ports on our dialup for the same reason we filter all incoming email for virii. It's a sensible service, and a good default. Some of our customers request that certain ports be unfiltered, and with few exceptions, we are more than happy to (one exception being outgoing 25, it's our SMTP or nothing. We don't abide spammers).

    Remember, tech savvy customers will know to request changes, and the unsavvy ones will be best served by being protected. People are sick and tired of people in the know doing nothing to protect them, sick of the virii and the worms, and the spam, the popups and the hassle and the crap. The more of that you can keep from affecting them, the happier customers you have.

  70. What does the little man need open ports for? by NerdENerd · · Score: 2, Insightful

    I have always run a NAT router on my network and share whatever Internet connection I have had with my flatmates. None of them have ever even known that they have no incoming ports open; they surf the net and read their email perfectly happy and in complete ignorance. I would think that 99.99% of retail ISP customers would be completely clueless to it if they had no open ports available to them. I am a web developer and heavy net user and very rarely have a need to forward ports over to my machine; the average user just doesn't need it. If ISPs were to disable all incoming ports and provide a web interface for users to open up the ports they need, I think they would find that less than 1% of their customers would ever use it.

  71. Another Cash Cow for ISPs :( by JackJudge · · Score: 2, Informative

    Here in the UK an increasing number of broadband ISPs are doing this already. They started a couple of years ago blocking inbound SMTP.
    I run my own mailserver and virtually had to promise the life of my unborn child to get it unblocked.

    But here's the kicker. Looking for a new ISP I found several that block inbound SMTP to all their DHCP customers, if you want it unblocked you have to get a static IP account for which they charge an extra 5 per month (+tax).

    The funny thing is we'll probably get some ISPs charging extra for their "Premium Protected" rate service while others will charge more for "Unrestricted Access" accounts.

  72. I read a lot of yes and nos by yalla · · Score: 2, Interesting

    Why not make that question the next /. poll?

    [ ] Yes ma'am, filter everything!
    [ ] Go away, no!
    [ ] Filter Windows-ports
    [ ] Filter all non Windows-ports
    [ ] Help! Cowboy Neal triggers all my Snort-alerts!

    Alex.

    --
    You look like a million dollars. All green and wrinkled.

  73. Security by NfoCipher · · Score: 2, Insightful

    Besides all the useful ports being blocked and trying to get by all the ISP "tech support" ("why don't you want our firewall?") questions, you're looking at a big security issue.

    If you don't have end user level security and leave it up to the ISP, script kiddies have less work to do. They will hammer on the ISP till it cracks, then they'll have free access to all their unprotected customers.

    Firewalling needs to be at the OS level and on by default.

    --
    I'm sorry, I can't hear you over the sound of how awesome I am.

  74. Slashdotters are not the "average" user by Ephemeriis · · Score: 2, Interesting

    I'm seeing a lot of people on here complaining that they want their ports open...but you need to remember that we are not indicative of the "average" user.

    Like it or not, the Internet no longer consists entirely of technically inclined people. We are outnumbered by folks who just want to read email and surf the web...and don't even know what SSH is.

    The problem is that their ignorance affects the entire Internet community. If a few thousand people get infected with the latest worm and start DDoSing a server, or bogging down the mail relays, everyone is affected - even the technically inclined people who were smart enough not to get infected.

    Your average user just wants an appliance, a tool they can use without too much effort. They don't know about ports, and don't want to. Honestly, they shouldn't have to know everything that we do - it isn't their problem. Just as I don't know everything that my Doctor does...they don't need to know everything that their ISP does.

    For this average user, I think port blocking would be a godsend. Honestly, there really aren't all that many applications that require incoming connections to your home machine....most of the time it is outgoing. Shut down the ports, protect the "average" user, and then let those who know what they're doing open their ports back up.

    yrs,
    Ephemeriis

    --
    "Work is the curse of the drinking classes." -Oscar Wilde

  75. personal rulesets :- not feasible by ollyg · · Score: 3, Insightful

    uhmm, apart from the slick web interface to ask the user what they want, has anyone thought about the poor sodding router that has to hold all these personalized rules?

    even the big cisco PIX jobbies barf at the thousand rule mark. you'd have to go for a user-wide policy which would put off all the technically competent / meddlers.

    it's just not going to work on this scale, I believe. the solution is to have operating systems and small domestic 'broadband routers' have default-deny policies, and leave the ISP (no matter what size they are) to shifting packets and answering DNS, like they're good at.

  76. I thought we conceded this a long time ago by Illbay · · Score: 2, Insightful
    Internet=Web

    You ask the average user TODAY, and s/he will give you the same answer TODAY as he would have given in 1998: "The Internet? That's that 'WWW' thingie."

    I host my own email, and I use SA, PROCMAIL, RAZOR/PYZOR, etc. to help scrub what comes through the port(s). But I'm not a typical user. And I still consider that I'm vulnerable, because it's what you don't see that gets you, and my level of ignorance is STILL profound.

    (NB: The funniest thing I ever saw regarding "ignorant users" is the lady a few years ago that kept yelling at everyone on Usenet to "stop sending me emails!" She thought her Newsreader was her mail client.)

    --
    Any technology distinguishable from magic is insufficiently advanced.

  77. Ports are conventions by HiThere · · Score: 3, Insightful

    If you start blocking every port except 80, everything will get rewritten to use port 80. This will result in a significant increase in overhead, and *NO* increase in security.

    Ports are conventions. We use certain ports for certain functions because we have agreed to. No other reason. We already see programs that don't belong on 80 using it because they need to get through firewalls. This would merely globalize the tendency, and eventually the entire usefulness of ports would be destroyed.

    One can say that this is to protect the innocent, and feel good about things. But this will have as much decent result as most "protect the innocent" laws: None. And it, like most of those, will have significant negative downsides.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.

  78. Nope. by Quixadhal · · Score: 2, Insightful

    My ISP already does filter several ports for me... and it is very annoying. I have a cable modem (Charter) and they established a policy about "No running servers on a non-expensive-business line", and so they block common server ports like FTP and HTTP. Fine, not a big deal.

    However, some corporate monkey heard the word "server" in relation to "mail server" and decided to block SMTP as well. This isn't outgoing SMTP (which might block some spammers), but incoming SMTP!

    So, Charter has to waste disk space and resources storing my mail for half an hour, I have to jump through fetchmail hoops to pull it down every half hour, and MY sendmail has to go through ugly masquerading so I can still have working properly addressed mail inside my LAN, but have it get converted to THEIR email address outside since I have no way to point my domain's MX record at my mail server.

    Long story, short point. Do you WANT this kind of corporate idiocy as the default for all ISPs? I think a far more reasonable policy is for ISPs to disconnect any customers who send out spam or virii, if they detect them. If the customer calls and asks why they were shut off, give them the answer... their machines are polluted and compromising the security and operation of the network at large... they should clean them up or pay us $$$ to come do it for them.

  79. Masquerading anyone? by patbob · · Score: 2, Insightful
    My ISP allows the whole world to knock on my IP door anytime it wants to. OK, if I were running a server it makes sense. However, I'm on a dialup service.. I'm prohibited from running a server, and it wouldn't make sense anyway since the IP address wouldn't always be available nor the same.. so I have to ask the question.. Why do ISPs allow the whole world to attempt entry into their dialup users' computers? Furthermore, why does it make sense for an (end user) ISP to have to have N globally-unique IP addresses, one for every dialup line?

    Wouldn't it make sense for the ISP to masquerade all their dialup users? Sure, there are exploits available, but wouldn't that allow most dialup users an extra measure of security and the access they want without port blocking? As a dialup user, any legitimate connections back to my machine have to be initiated by me in the first place, so there is a chance for my machine to either inform the masquerade server at the ISP to allow the connections inward, or to have the remote box use the connection I established to it to communicate back to me.

    --
    Welcome to the net of 1000 lies. Upgrades are scheduled soon that should bring us to the 10,000 lies mark.
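The scheme sketched in comments 75 and 79 (default-deny inbound at the edge, replies to customer-initiated connections let back in, and ports opened only on the customer's request) modelled as a small Python simulation. This is an added example written for this page, not code from any poster or ISP; the addresses, port numbers and packet sequence in `demo()` are constructed sample traffic.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True = arrives from the Internet heading toward the customer

@dataclass
class EdgeFilter:
    """Per-customer state at the ISP edge (hypothetical): default-deny inbound,
    an opt-in list of opened ports, and a table of customer-initiated flows."""
    opened: set = field(default_factory=set)      # ports the customer asked to open
    flows: set = field(default_factory=set)       # (cust_ip, cust_port, remote_ip, remote_port)
    blocked: list = field(default_factory=list)   # record of dropped inbound packets

    def open_port(self, port: int) -> None:
        self.opened.add(port)

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if not pkt.inbound:
            # Outbound traffic always passes and records flow state so the reply
            # can come back: the "connection I initiated" case from comment 79.
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True          # reply to a customer-initiated connection
        if pkt.dst_port in self.opened:
            return True          # the customer explicitly opened this port
        self.blocked.append(pkt)  # unsolicited inbound: default deny
        return False

def demo() -> dict:
    """Constructed sample traffic: a web fetch and its reply, an unsolicited
    probe on 135, and inbound SMTP before and after the customer opens port 25."""
    fw = EdgeFilter()
    cust, web, scanner, peer = "10.0.0.5", "203.0.113.10", "198.51.100.7", "192.0.2.9"
    results = {}
    results["http_out"] = fw.handle(Packet(cust, 40000, web, 80, inbound=False))
    results["http_reply"] = fw.handle(Packet(web, 80, cust, 40000, inbound=True))
    results["probe_135"] = fw.handle(Packet(scanner, 5555, cust, 135, inbound=True))
    results["smtp_before"] = fw.handle(Packet(peer, 33000, cust, 25, inbound=True))
    fw.open_port(25)             # customer requests inbound SMTP via the web interface
    results["smtp_after"] = fw.handle(Packet(peer, 33001, cust, 25, inbound=True))
    results["dropped"] = len(fw.blocked)
    return results
```

Note that the per-customer `flows` and `opened` sets are exactly the state comment 75 says a shared ISP router struggles to hold for thousands of subscribers, which is why the same logic fits more comfortably in a home router or host firewall.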