Re: How to secure the Internet in three easy steps
Not only that, but unless _everyone_ implements 2 and/or 3, all the bad people that exploit the things these are meant to protect will migrate to the networks that lack these measures, mitigating the benefits.
not just the bad people. all the people. a network with 2 or 3 in place is useless. there is no way to make 2 or 3 happen.
This seems to be a catch-22; no one will implement these for the good of the net because it costs money, and ignorant competitors that don't implement them will not share in that expense. Have any such ideas been implemented in the modern internet? How?
neither 2 or 3 would be for the good of the net. 1 would be. the problem with 1 is that the person who feels pain when ISP "A" doesn't do 1 is most likely to be ISP "B". therefore people confuse 1 with "internet altruism" rather than the "rational selfishness" that it is.
On Fri, 25 Oct 2002, Paul Vixie wrote:
Not only that, but unless _everyone_ implements 2 and/or 3, all the bad people that exploit the things these are meant to protect will migrate to the networks that lack these measures, mitigating the benefits.
not just the bad people. all the people. a network with 2 or 3 in place is useless. there is no way to make 2 or 3 happen.
AOL? I believe they proxy almost all their subscribers through several large datacenters, and don't allow users to run their own servers. @Home prohibited customer servers on their network, blocked several ports, and proxied several services. It's common for ISPs outside of the US to force their customers to use the ISP's web proxy server, even hijacking connections which attempt to bypass it. As part of their anti-spam efforts, several providers block SMTP port 25, and force their subscribers to only use that provider's SMTP relay/proxy to send mail. Why not extend those same restrictions to other (all) protocols? Many corporate networks already proxy all their users' traffic, and prohibit direct connections through the corporate firewalls. I think it's a bad idea, but technically I have a hard time saying it's technically impossible.
Actually, I'm not certain, but @Home didn't seem to proxy or block anything. I ran my home Linux box off @Home for a while and never had any problem with any ports, including http and mail. Also, it seems to me that I tried something similar for a goof with an AOL dialup and it worked as well.

On Fri, 25 Oct 2002, Sean Donelan wrote:
On Fri, 25 Oct 2002, Sean Donelan wrote:
:Many corporate networks already proxy all their users' traffic, and
:prohibit direct connections through the corporate firewalls.
:
:I think it's a bad idea, but technically I have a hard time saying it's
:technically impossible.

Well, it is also technically possible to have users register using biometrics to access the Internet, and that still seems sci-fi dystopian enough that I'm not losing sleep over it yet.

There are definitely service class distinctions between a local DSL provider and a cable provider, and provided that American competition laws stave off the converged telcos running the local providers out of business, there is still hope.

It may be all retro to dredge up the dreaded road metaphor, but these cable services are really similar to suburbs. They are homogeneous areas built to serve a set of residential consumers with a limited, though uniform, definition. To get to the "core" they require the use of a proprietary device or proxy to mediate their interactions with the rest of civil society. People pay a premium to be closer to the core and do so because of a vaguely articulated but strongly felt sense of "quality".

The whole metaphor is irritating, but from a market perspective the economics are similar. A vast majority of people will give up the subtle quality of a real connection for a cheaper version that serves their relatively limited needs. Since the largest market will be made up of people with these lower expectations, the only way to make money will be to serve them. It makes services closer to the core more scarce, and thus more expensive to maintain, and it will eventually only be populated by businesses that can afford the premium, and people that don't pay at all and have nowhere else to go.

The Internet is starting to look a lot like Minneapolis-St. Paul.

--
batz
Sean,

At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject to firewall ACLs) and actioned them under a complex and changing rule set. It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxying was used for http - you could opt out if you knew how.

While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large cable company that did the right thing and implemented SMTP authentication for their mail service. The world would be a different place if client to server mail submission was done in an authenticated manner consistently across the Internet. It's amazing how many ISPs don't implement this best practice.

Regards,
Eric Carroll

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Sean Donelan
Sent: October 25, 2002 5:36 PM
To: Paul Vixie
Cc: nanog@merit.edu
Subject: Re: How to secure the Internet in three easy steps

On Fri, 25 Oct 2002, Paul Vixie wrote:
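The authenticated mail submission Eric describes above (and the port-25 relay restriction Sean mentions earlier in the thread) is easiest to see as a protocol exchange. The following is an added example, not code from the thread, from any ISP, or from any mail server: a toy SMTP submission server state machine that refuses MAIL FROM until the client has authenticated with AUTH PLAIN (RFC 4954 style), and that can be flipped into the unauthenticated-relay behaviour the thread complains about. The hostname, the user, the password and the session transcript are constructed.

```python
"""Added example, not code from the thread: a minimal SMTP submission-server
state machine that gates MAIL FROM behind AUTH PLAIN (RFC 4954 style).
require_auth=False models the unauthenticated relay the thread complains
about.  Hostname, credentials and sessions are constructed."""
import base64
from typing import Dict, List, Optional, Tuple

# Constructed credential store.  A real MSA keeps salted hashes and only
# offers AUTH PLAIN inside TLS; plaintext here keeps the example short.
USERS: Dict[str, str] = {"alice@example.net": "correct-horse"}


def plain_blob(user: str, password: str, authzid: str = "") -> str:
    """Encode the AUTH PLAIN initial response: base64(authzid NUL authcid NUL passwd)."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


class SubmissionServer:
    """Handles EHLO, AUTH PLAIN (initial-response form only), MAIL, RCPT, QUIT."""

    def __init__(self, require_auth: bool = True) -> None:
        self.require_auth = require_auth
        self.greeted = False
        self.authed_as: Optional[str] = None
        self.mail_from: Optional[str] = None

    def _verify_plain(self, blob: str) -> bool:
        """Decode the PLAIN response and check it against the store."""
        try:
            fields = base64.b64decode(blob, validate=True).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return False
        if len(fields) != 3:
            return False
        _authzid, user, password = fields
        if USERS.get(user) == password:
            self.authed_as = user
            return True
        return False

    def handle(self, line: str) -> str:
        """Process one client command line and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.greeted = True
            return "250-mail.example.net\r\n250 AUTH PLAIN"
        if not self.greeted:
            return "503 5.5.1 Send EHLO first"
        if verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN" or not blob:
                return "504 5.5.4 Unrecognized authentication type"
            if self._verify_plain(blob):
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb == "MAIL":
            # The gate that an unauthenticated relay lacks.
            if self.require_auth and self.authed_as is None:
                return "530 5.7.0 Authentication required"
            self.mail_from = arg
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            return "250 2.1.5 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command not recognized"


def run_session(server: SubmissionServer, client_lines: List[str]) -> List[Tuple[str, str]]:
    """Feed a constructed client transcript through the server; return (client, server) pairs."""
    return [(c, server.handle(c)) for c in client_lines]


if __name__ == "__main__":
    # Constructed session: an unauthenticated MAIL attempt, then a proper AUTH.
    script = [
        "EHLO laptop.example.org",
        "MAIL FROM:<alice@example.net>",
        "AUTH PLAIN " + plain_blob("alice@example.net", "correct-horse"),
        "MAIL FROM:<alice@example.net>",
        "RCPT TO:<bob@example.com>",
        "QUIT",
    ]
    for c, s in run_session(SubmissionServer(), script):
        print("C:", c)
        print("S:", s)
```

With require_auth left at its default the second command in the script draws a 530 and nothing is accepted until the 235; constructing the server with require_auth=False makes the same MAIL FROM succeed at once, which is exactly the relay behaviour that port-25 blocking was introduced to contain.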
On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large
Untrue, AT&T filters the following *on* the CPE:

Ports            Direction  Protocol
137-139 -> any   Both       UDP
any -> 137-139   Both       UDP
137-139 -> any   Both       TCP
any -> 137-139   Both       TCP
any -> 1080      Inbound    TCP
any -> 1080      Inbound    UDP
68 -> 67         Inbound    UDP
67 -> 68         Inbound    UDP
any -> 5000      Inbound    TCP
any -> 1243      Inbound    UDP

And they block port 80 inbound TCP further out in their network. Overall, cable providers more heavily than cable providers.

I'd say that AT&T represents a fair amount of the people served via cable internet.
--
Matthew S. Hallacy  FUBAR, LART, BOFH Certified
http://www.poptix.net  GPG public key 0x01938203
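As an added example, not code from the thread or from AT&T, the filter table Matthew posted can be transcribed into a small policy model so an operator can check what a given flow would do at the CPE. Direction is read from the customer's side (inbound means toward the customer); that reading, and the sample flows, are assumptions. One thing the model makes visible is the DHCP asymmetry the table encodes: the customer's own request (UDP 68 to 67, outbound) passes, while a DHCP reply arriving from the Internet side is dropped.

```python
"""Added example, not code from the thread or from AT&T: a model of the
CPE port-filter table posted above.  Rows are deny rules: a matching flow
is dropped, anything else passes the CPE (the post says inbound port 80 is
blocked further out, so it is NOT in this table).  Direction is assumed to
be from the customer's side; sample flows are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]      # inclusive (low, high)
ANY: PortRange = (0, 65535)


@dataclass(frozen=True)
class Rule:
    src: PortRange     # source port range
    dst: PortRange     # destination port range
    direction: str     # "inbound", "outbound" or "both"
    proto: str         # "tcp" or "udp"


def parse_ports(spec: str) -> PortRange:
    """'any' -> all ports, '1080' -> (1080, 1080), '137-139' -> (137, 139)."""
    if spec.lower() == "any":
        return ANY
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))


def parse_rule(row: str) -> Rule:
    """Parse one row in the posted form, e.g. '137-139 -> any Both UDP'."""
    src, arrow, dst, direction, proto = row.split()
    if arrow != "->":
        raise ValueError(f"bad rule row: {row!r}")
    return Rule(parse_ports(src), parse_ports(dst), direction.lower(), proto.lower())


# The filter table as posted, one rule per row.
ATT_CPE_FILTERS: List[Rule] = [parse_rule(r) for r in """
137-139 -> any Both UDP
any -> 137-139 Both UDP
137-139 -> any Both TCP
any -> 137-139 Both TCP
any -> 1080 Inbound TCP
any -> 1080 Inbound UDP
68 -> 67 Inbound UDP
67 -> 68 Inbound UDP
any -> 5000 Inbound TCP
any -> 1243 Inbound UDP
""".strip().splitlines()]


def matching_rule(proto: str, direction: str, sport: int, dport: int,
                  rules: List[Rule] = ATT_CPE_FILTERS) -> Optional[Rule]:
    """Return the first deny rule the flow hits, or None if the CPE passes it."""
    for r in rules:
        if r.proto != proto.lower():
            continue
        if r.direction not in ("both", direction.lower()):
            continue
        if r.src[0] <= sport <= r.src[1] and r.dst[0] <= dport <= r.dst[1]:
            return r
    return None


def is_blocked(proto: str, direction: str, sport: int, dport: int) -> bool:
    """True if the CPE filter table drops this flow."""
    return matching_rule(proto, direction, sport, dport) is not None


if __name__ == "__main__":
    # Constructed sample flows: (description, proto, direction, sport, dport)
    samples = [
        ("NetBIOS session from the Internet", "tcp", "inbound", 40000, 139),
        ("SOCKS proxy reachable from the Internet", "tcp", "inbound", 40000, 1080),
        ("Outbound SOCKS client connection", "tcp", "outbound", 40000, 1080),
        ("Customer's own DHCP request", "udp", "outbound", 68, 67),
        ("DHCP reply arriving from the Internet", "udp", "inbound", 67, 68),
        ("Inbound hit on a customer web server", "tcp", "inbound", 40000, 80),
    ]
    for desc, proto, direction, sport, dport in samples:
        verdict = "DROP" if is_blocked(proto, direction, sport, dport) else "pass"
        print(f"{verdict:5} {desc}")
```

The last sample passes the model because the port-80 block sits further out in the network, not on the CPE; anyone reusing this to audit a provider's policy has to remember that a CPE rule table is only one of the places filtering can happen.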
Not really

On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:
I'd say that AT&T represents a fair amount of the people served via cable internet.
-------------------------
Joseph Barnhart
Florida Digital Turnpike
Network Administrator
http://www.fdt.net
http://www.agilitybb.net
-------------------------
Actually, with the merger of AT&T and Comcast, most cable inet customers will be through them.

Joseph Barnhart wrote:
Not really
-- May God Bless you and everything you touch. My "foundation" verse: Isiah 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
At 09:03 PM 10/27/2002 -0500, William Warren wrote:
actually with the merger of At&t and comcast most cable inet customers will be through them.
Until that happens, however: in a public press release dated August, they claim to have 1.8 million Internet customers. How that compares to the global pool of cable users, I cannot say.

It'll be interesting to see if AT&T exports their filtering policies to the newly acquired customers. They'll want to support a uniform configuration across the whole network, I'm sure.

--schulte
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Christopher Schulte
Sent: October 27, 2002 9:22 PM
To: William Warren; nanog@merit.edu
Subject: Re: How to secure the Internet in three easy steps
In a public press release dated August, they claim to have 1.8 million Internet customers. How that compares to the global pool of cable users, I cannot say.
One cable company I've done business here (Ontario, Canada) has over 500K subscribers, and I don't believe it has the largest number of cable modems in the country. So you're probably talking around 1.5-2 million cable modems north of the border. Then you have Europe (I think .nl has decent cable modem penetration), Asia-Pacific, etc.
It'll be interesting to see if att exports their filtering policies to the newly acquired customers. They'll want to support a uniform configuration across the whole network, I'm sure.
They apparently don't have a uniform configuration now; we have lots of people using AT&T BI complaining about blocked port 80s and whatnot, and yet we have some other AT&T BI users in different locations (but I think both were formerly-@Home AT&T BI areas) who don't have any ports blocked. Bizarre, I have to say.

Vivien

--
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
Very cute. It is clear that the posters forgot how the cable industry "counts" subscribers. The details came out during the Adelphia bankruptcy. Since that time every cable co basically said "yep, that's how we do it too".

Here's counting subscribers the cable industry way:

They take a total revenue that somehow gets associated with selling cable and divide it by the price of the basic cable. The resulting number is the number of subscribers that they claim to have.

Alex
Wow! They just don't count subscribers :). I realize one way makes more sense from a "we've got more subscribers than you do" sense, but it wouldn't be that hard to count real subscribers, one wouldn't think.

On Mon, 28 Oct 2002 alex@yuriev.com wrote:
They take a total revenue that somehow gets associated with selling cable and divide it by the price of the basic cable. The resulting number is the number of subscribers that they claim to have.
On Mon, 28 Oct 2002 11:05:44 EST, alex@yuriev.com said:
They take a total revenue that somehow gets associated with selling cable and divide it by the price of the basic cable. The resulting number is the number of subscribers that they claim to have.
This of course is perfectly fine, as long as all subscribers are only paying the basic rate. Adjusting for the number of people who pay for premium services such as movie packages or cable-internet services without knowing the number of people that have that package is left as an exercise for the auditors and/or prosecutors... ;)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
I second that.

AT&T blocks ports (depending where you are) but won't come right out and say it. On a call to them over a year ago while testing DSL versus cable in San Jose, it took almost an hour to get them to admit that they were blocking ports 137-139, and even then there was no formal acknowledgement of this blocking. If I was a betting man, which I'm not, I'd bet on them blocking UDP 53 as well.

No standard as I see it; depends on the child company managing the cable service.

Just my 2¢s tho
-Joe

----- Original Message -----
From: "Joseph Barnhart" <flaboy@fdt.net>
To: "Matthew S. Hallacy" <poptix@techmonkeys.org>
Cc: <nanog@merit.edu>
Sent: Sunday, October 27, 2002 8:46 PM
Subject: Re: How to secure the Internet in three easy steps
Not really
Blocking ports 137-139 is of great benefit to the vast majority of their customers. It is also of benefit to AT&T, as it cuts down on support calls. Of course, documenting this would be good.

- Daniel Golding

On Sun, 27 Oct 2002, Joe wrote:
I Second that.
AT&T blocks ports (depending where you are) but won't come right out and say it. On a call to them over a year ago while testing DSL versus Cable in San Jose, it took almost an hour to get them to admit that they were blocking ports 137-139, and even then there was no formal acknowledgement of this blocking. If I was a betting man, which I'm not, I'd bet on them blocking udp 53 as well.
No standard as I see it, depends on the child company managing the cable service.
On Sun, Oct 27, 2002 at 07:42:10PM -0600, Matthew S. Hallacy wrote:
And they block port 80 inbound TCP further out in their network. Overall, cable providers more heavily than cable providers.
^-- s/cable/DSL/;

--
Matthew S. Hallacy  FUBAR, LART, BOFH Certified
http://www.poptix.net  GPG public key 0x01938203
participants (14): alex@yuriev.com, batz, Christopher Schulte, dgold, Eric M. Carroll, Joe, Joseph Barnhart, Matthew S. Hallacy, Paul Vixie, Scott Granados, Sean Donelan, Valdis.Kletnieks@vt.edu, Vivien M., William Warren