Re: What do you want your ISP to block today?
At 02:51 PM 9/3/2003, Sean Donelan wrote:
On Wed, 3 Sep 2003, Johannes Ullrich wrote:
I just summarized my thoughts on this topic here: http://www.sans.org/rr/special/isp_blocking.php
Overall: I think there are some ports (135, 137, 139, 445), a consumer ISP should block as close to the customer as they can.
If ISPs had blocked port 119, Sobig could not have been distributed via USENET.
Perhaps unbelievably to people on this mailing list, many people legitimately use 135, 137, 139 and 445 over the open Internet every day. Which protocols do you think are used more on today's Internet? SSH or NETBIOS?
Some businesses have created an entire industry of outsourcing Exchange service, which needs all their customers to be able to use those ports.
http://www.mailstreet.net/MS/urgent.asp
http://dmoz.org/Computers/Software/Groupware/Microsoft_Exchange/
If done properly, those ports are no more or less "dangerous" than any other 16-bit port number used for TCP or UDP protocol headers.
But we need to be careful not to make the mistake that just because we don't use those ports that the protocols aren't useful to other people.
Even on Windows they can be used in a much safer fashion (although I would never attempt it for any of my stuff). It is possible to use IPSec policies on 2000 and higher to encrypt all traffic on specified ports to specified hosts/networks and block all other traffic. I bet some people are using this to join remote locations securely to each other for Windows networking with these ports and IPSec policies.
Vinny Abello
Network Engineer, Server Management
vinny@tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
There are 10 kinds of people in the world. Those who understand binary and those that don't.
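Vinny's approach, as an added example that is not code from the thread: a present-day rendering of "encrypt these ports to specified networks and block all other traffic" using the Windows NetSecurity cmdlets (Windows 8 / Server 2012 or later) in place of the Windows 2000-era IPSec policy snap-in. The remote-site subnet 192.0.2.0/24 and the CA subject name are placeholders.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012 or later with the
# NetSecurity module, run from an elevated PowerShell on a host at one site.
# Placeholders: the remote site's subnet and our internal CA's subject name.
$RemoteSite = '192.0.2.0/24'                 # placeholder: the other office
$CaSubject  = 'CN=Example Corp Root CA'      # placeholder: CA that issues machine certs
$TcpPorts   = @('135', '139', '445')         # RPC endpoint mapper, NetBIOS session, SMB
$UdpPorts   = @('137')                       # NetBIOS name service

# Everything that is NOT the remote site. Windows Firewall has no "except" and its block
# rules beat allow rules, so the outbound block must carve the site out explicitly.
$NotRemoteSite = @('0.0.0.0-192.0.1.255', '192.0.3.0-255.255.255.255')

# 1. Peer authentication: machine certificates issued by our own CA.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaSubject -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Site-to-site machine certificate' -Proposal $proposal

# 2. Traffic protection: ESP with AES-256 and SHA-256 only (no AH-only or null-encryption offers).
$qm    = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256 SHA256' -Proposal $qm

# 3. IPsec rules: these ports to/from the remote site MUST negotiate IPsec, in both directions.
New-NetIPsecRule -DisplayName 'Require IPsec: Windows networking TCP to remote site' `
    -Protocol TCP -LocalPort $TcpPorts -RemoteAddress $RemoteSite `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name
New-NetIPsecRule -DisplayName 'Require IPsec: NetBIOS name service to remote site' `
    -Protocol UDP -LocalPort $UdpPorts -RemoteAddress $RemoteSite `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name

# 4. Inbound: accept these ports only from the remote site and only on a connection that
#    IPsec has authenticated and encrypted; everything else inbound meets the default Block.
New-NetFirewallRule -DisplayName 'Allow Windows networking from remote site (IPsec only)' `
    -Direction Inbound -Protocol TCP -LocalPort $TcpPorts -RemoteAddress $RemoteSite `
    -Action Allow -Authentication Required -Encryption Required
New-NetFirewallRule -DisplayName 'Allow NetBIOS name service from remote site (IPsec only)' `
    -Direction Inbound -Protocol UDP -LocalPort $UdpPorts -RemoteAddress $RemoteSite `
    -Action Allow -Authentication Required -Encryption Required
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 5. Outbound: refuse to speak to these ports anywhere but the remote site, so a worm that
#    lands on this host cannot use them against the open Internet.
New-NetFirewallRule -DisplayName 'Block Windows networking to everywhere else' `
    -Direction Outbound -Protocol TCP -RemotePort $TcpPorts -RemoteAddress $NotRemoteSite -Action Block
New-NetFirewallRule -DisplayName 'Block NetBIOS name service to everywhere else' `
    -Direction Outbound -Protocol UDP -RemotePort $UdpPorts -RemoteAddress $NotRemoteSite -Action Block

# Check: the IPsec rules should read Require/Require, and once a peer connects its
# security associations should be visible with Get-NetIPsecQuickModeSA.
Get-NetIPsecRule -DisplayName 'Require IPsec*' | Format-Table DisplayName, InboundSecurity, OutboundSecurity
Get-NetFirewallRule -DisplayName '*remote site*' | Get-NetFirewallPortFilter | Format-Table Protocol, LocalPort, RemotePort
```

The same script (with the subnets swapped) has to run at the other site, or the Require/Require rules simply drop the traffic. Port 135 only covers the RPC endpoint mapper; services behind it negotiate dynamic ports, which this scoping leaves outside the IPsec requirement unless the rules are widened to all ports toward the remote site.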
Even on Windows they can be used in a much safer fashion (although I would never attempt it for any of my stuff). It is possible to use IPSec policies on 2000 and higher to encrypt all traffic on specified ports to specified hosts/networks and block all other traffic. I bet some people are using this to join remote locations securely to each other for Windows networking with these ports and IPSec policies.
If you explain the difference between "IPSec" and "The Web" to an end user, and can convince them that they have "enough Pentium" for it, you win and don't have to block the ports.
There are 10 kinds of people in the world. Those who understand binary and those that don't.
ISPs should either block the mentioned ports, or send out bills in binary.
--
--------------------------------------------------------------
Johannes Ullrich jullrich@euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
"We regret to inform you that we do not enable any of the security functions within the routers that we install." support@covad.net
--------------------------------------------------------------
There are 10 kinds of people in the world. Those who understand binary and those that don't.
ISPs should either block the mentioned ports, or send out bills in binary.
No. ISPs should not block ports unless they are listed in the AUP as non-permitted traffic or it is a necessary and temporary remedial action for a service-affecting problem.
I understand binary, but that doesn't mean I want my bills in that format.
I still do not understand why a manufacturer is permitted to release a product which causes such harm, and, rather than hold that manufacturer liable, so many people feel that the entire rest of the world should change to accommodate that one manufacturer's deficiencies.
Owen
No. ISPs should not block ports unless they are listed in the AUP as non-permitted traffic or it is a necessary and temporary remedial action for a service-affecting problem.
I fully agree that ISPs should include the list of blocked ports in their AUP. (somewhere in the paper it mentions the confusion caused by uncoordinated filters).
I still do not understand why a manufacturer is permitted to release a product which causes such harm, and, rather than hold that manufacturer liable, so many people feel that the entire rest of the world should change to accommodate that one manufacturer's deficiencies
But should the end user pay for the faults? They already pay for the software and the Internet connection. How many ISPs on this list provide support for non-MSFT operating systems? Does the free CD you hand out run on anything but Windows?
90% + of internet users do use MSFT Windows. So I don't think you have a choice other than to "live with it".
--
--------------------------------------------------------------
Johannes Ullrich jullrich@euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
"We regret to inform you that we do not enable any of the security functions within the routers that we install." support@covad.net
--------------------------------------------------------------
But should the end user pay for the faults?
The end user is angry because lashing out at the manufacturer gets you routed to a null interface :) Why should the ISP pay? (Now that is the question.)
They already pay for the software and the Internet connection.
Do you call Microsoft when your "internet" connection is down? (msn.net customers exempted)
How many ISPs on this list provide support for non-MSFT operating systems? Does the free CD you hand out run on anything but Windows?
I think they only support their application (the one they want you to dial-in with) over this operating system, nothing else (meaning the OS itself and this is mostly for residential users, nothing was given to me when I had my last optical circuit handed over...wait let me check...nope nothing).
90% + of internet users do use MSFT Windows. So I don't think you have a choice other than to "live with it".
Wow, only 10% of "internet" connected systems are "other than"...!!!!!!
I think that it is ridiculous to expect the ISP now to start filtering these ports. The "internet" in itself is nothing more than a communications link, and the ISPs are providers to this link. The purpose of which is the exchange of information over a "public" medium. You want an ISP to begin filtering at the 4th layer (OSI Reference...yikes), why???? Besides alleviating the headaches of some users of a specific manufacturer's product, it makes no sense.
What would you filter? Before you filter you need a policy in place. For this idea to even be effective you would need a policy that is acceptable among all ISPs (HA HA HA). Next you need all ISPs to implement these policies consistently and equally throughout their infrastructure (scary). Now you go back to your firewall logs and poof!!!!! Still a lot of junk (different junk, but nonetheless junk)!!!! You think it will stop there???? Human nature is suitable for adaptation...now what??? More filters......makes no sense....so there will be no more free exchange of information over a public medium?
Since only 90% of internet users use MSFT Windows we should make it a Microsoft friendly network then. Plug and Play your heart out!!!!!!
G.
Johannes Ullrich writes:
No. ISPs should not block ports unless they are listed in the AUP as non-permitted traffic or it is a necessary and temporary remedial action for a service-affecting problem.
I fully agree that ISPs should include the list of blocked ports in their AUP. (somewhere in the paper it mentions the confusion caused by uncoordinated filters).
I still do not understand why a manufacturer is permitted to release a product which causes such harm, and, rather than hold that manufacturer liable, so many people feel that the entire rest of the world should change to accommodate that one manufacturer's deficiencies
But should the end user pay for the faults? They already pay for the software and the Internet connection. How many ISPs on this list provide support for non-MSFT operating systems? Does the free CD you hand out run on anything but Windows?
90% + of internet users do use MSFT Windows. So I don't think you have a choice other than to "live with it".
--
--------------------------------------------------------------
Johannes Ullrich jullrich@euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
"We regret to inform you that we do not enable any of the security functions within the routers that we install." support@covad.net
--------------------------------------------------------------
Gerardo A. Gregory
Manager, Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)
------------------------------------------------
Affinitas - Latin for "Relationship"
Helping Businesses Acquire, Retain, and Cultivate Customers
Visit us at http://www.affinitas.net
Gerardo Gregory wrote:
these ports. The "internet" in itself is nothing more than a communications link, and the ISP's are providers to this link. The purpose of which is the exchange of information over a "public" medium. You want an ISP to begin filtering at the 4th layer (OSI Reference...yikes), why???? Besides alleviating the headaches of some
Hmmm. Perhaps I should shut down my abuse desk and just be a communications link. After all, the user's computer wants to transmit viruses or spam, so why should I stop it? If people run layer 7 filtering to stop abuse, what makes you think they won't run layer 4 to meet the same goals? A lot of networks already run layer 3 filtering for misbehaving networks and bogon filters. Spam filtering takes place at anywhere from 3-7, depending on the network.
One can't have it both ways. You either do no filtering and watch the system completely crash as you can't afford the overhead of the malicious content which is on the rise, or you apply filters to protect your network and *the* network overall. Not filtering consumer networks will cause issues at the backbone networks, forcing upgrades and driving prices back up. If we don't protect *our* network, then some governments will start mandating how they'll protect it. I for one do not wish to give up control of what I've designed, built, and improved to people who usually don't know what telnet is, much less ssh.
-Jack
Even on Windows they can be used in a much safer fashion (although I would never attempt it for any of my stuff). It is possible to use IPSec policies on 2000 and higher to encrypt all traffic on specified ports to specified hosts/networks and block all other traffic. I bet some people are using this to join remote locations securely to each other for Windows networking with these ports and IPSec policies.
If you explain the difference between "IPSec", "The Web" to an end user, and can convince them that they have "enough Pentium" for it, you win and don't have to block the ports.
That is rubbish. Users do not care about "IPSec". Neither do they care about anything else but having everything work.
There are 10 kinds of people in the world. Those who understand binary and those that don't.
ISPs should either block the mentioned ports, or send out bills in binary.
I encourage my competitors to block as many ports as they possibly can, breaking as many applications as they possibly can, since I would gladly have their users pay me money to provide the service.
Alex
participants (7)
- alex@yuriev.com
- Gerardo Gregory
- Jack Bates
- Johannes Ullrich
- Owen DeLong
- Petri Helenius
- Vinny Abello