Should ISPs Be The Little Man's Firewall?
Anonymous Coward writes "In a paper published today, the point is made that ISPs should filter some ports (e.g. 135) for good. I guess given what everyone sees hitting their various firewalls these days, this may make sense. But wasn't the Internet supposed to be 'open' at one point? Or are we to the point where Internet=Web (and maybe AIM). The author of the paper is operating DShield and I guess has some insight into this issue. He made the same points before on various mailing lists."
At MOST it should be optional... (Score:5, Insightful)
Re:At MOST it should be optional... (Score:5, Insightful)
I'm not sure if I agree with myself, but shouldn't it be opt-in by default, and presumably the people with a clue will know how to opt out? After all, the clueless in the world won't even figure out that they SHOULD opt in. Since the infected machines of the clueless mess up the internet experience for pretty much everyone, this makes sense to me. Of course, there should be some prominent notification so that those of us who know what we are doing can opt-out if we so choose.
Re:At MOST it should be optional... (Score:4, Insightful)
You're absolutely correct. Just look at the way email filtering works. Spam filters are (by default) turned on, so this could follow suit. You can always opt-out of this service, and get the full email-experience. But you don't see mass complaints about how our email rights are being restricted by the ISP.
And of course, you can opt-out of email filtering. So is port blocking really such a big deal? Just opt-out and make sure it doesn't cost any extra. Hell, filtering from my previous ISP actually costs more. Make port blocking a "feature" of the ISP, charge a buck or more, and save the commoner from having to learn about updating computer systems. Win-win.
Re:At MOST it should be optional... (Score:4, Informative)
135,136,137,445,31337 in any direction,25 and 119 incoming, and other l33t ports. It has been a common practice in many countries to block them off for 7+ years. Off the top of my head I can think of at least 3 big Bulgarian ISPs, 1 Russian, 3 Dutch, 1 UK, 2 German so on so forth that have been doing this for years. These are the ones I know and there are much more out there.
Also note that the port list deals only with ports related to l33t script kdd10tz behaviour and SPAM. SSH, FTP and HTTP, which are commonly prohibited by US ISPs, are not there.
Also, I have not heard about any of their customers complaining despite the fact that it is not even opt-out. It is so old that it was implemented in the days when you could not choose an ACL via RADIUS, so it is a fixed access list on all interfaces. And I think it should be.
Re:At MOST it should be optional... (Score:5, Informative)
Oh, and by the way: Even before I opted out of their firewall, I could play pretty much all online games (but not host). So I suppose very few people will even notice they have the firewall.
Re:At MOST it should be optional... (Score:3, Interesting)
For example most of the countries mentioned have had QoS aware backbones with major ISPs for 7+ years. US still does not have one (I do not count Level3 abuse of diffserv as such. It is too crude). VOIP as a major means of international connectivity has existed for 6+ years. So on so forth.
Re:At MOST it should be optional... (Score:3, Interesting)
Re:At MOST it should be optional... (Score:5, Informative)
If everyone is subscribed by default, it's opt-out.
Opt-in means you don't have it until you ask.
The word you mean is opt, not opt-in, not opt-out. You opt to get the service in opt-in. And you opt out of the service in opt-out.
Spam right now is "opt-out" you get it until you sue the spammer. Software development mailing lists are opt-in, you have to confirm you want it, before they give it to you.
And another thing, knowing the profit margins of local ISPs, don't expect firewalling to be free. That's kinda good; if they make it an "option", say $1-2/month/IP protected, that would make some larger providers happy too, they want you to pay more the more machines you have. (NAT of course covers that, but that is a firewall function, isn't it?)
Re:At MOST it should be optional... (Score:5, Insightful)
The only ones that weren't regularly blocked like that were web ftp and mail to their servers.
As soon as one of the larger ISPs started operating here I switched over, and the dodgy blocking one had a huge sob story in the local paper about small businesses being forced out by large corporations. More like small businesses who have no clue what users want.
Re:At MOST it should be optional... (Score:4, Interesting)
Really though, why should an ISP provide a shell account when they have webmail? Opera was getting abused by people to get around traffic limitations, just like the new shell.iinet will be. Almost no other ISPs in Australia and pretty much none in the US offer shell accounts. It's not an ISP's core business. If you want a machine you can access remotely, get a permanent connection and set one up yourself.
shell accounts? (Score:5, Insightful)
If one is on a dialup, it's really handy to be able to go upstream of one's mail client in order to block the multimeg file attachment some spammer or clueless friend thinks I need.
A shell account saved my ass when Sobig.F hit.
Some moron from dsl.net with an infected box hit mine with viral spams by the thousands on top of the rest of the Sobig viral spam I got. Being able to configure my .procmailrc file at my provider made it possible for me to shitcan everything with a .scr or .pif before I downloaded it via mail client. Without the shell, my account would have been useless to me for weeks and having my ISP clean it out would probably have cost them hours, i.e. hundreds of bucks worth of sysadmin time. With it, I pretty much took care of myself.
One should not have to run one's own mail server in order to do this. A shell is a good thing even for an ISP in the hands of those who can use it properly.
This doesn't mean that users necessarily need to get one by default, though. Personally, I don't ever intend to get an internet account that doesn't have one.
Re:shell accounts? (Score:5, Informative)
So you don't have to download all the files to delete them; POP3 has features in place. You just need a decent mailreader or telnet to use the functionality (some MUAs do implement a kind of preview before download).
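The two posts above describe the same defence from two angles: the procmail recipe that throws away anything carrying a .scr/.pif attachment before the mail client ever sees it, and the POP3 way of doing it with TOP and DELE so the multi-megabyte body is never downloaded. The following is an added example (not code from either poster) that does the second in Python. The message bodies and the FakePOP3 class are constructed so it runs offline; purge_mailbox() only uses the list()/top()/dele() method shapes of the standard library's poplib.POP3, so a real connection can be passed in instead of the fake.

```python
"""Added example: purge worm mail by attachment type via POP3 TOP/DELE."""
import re

# Constructed policy: extensions treated as executable attachments.
BAD_EXTENSIONS = ("scr", "pif", "exe", "bat", "com", "vbs")

# Matches 'name=foo.scr' or 'filename="foo.pif"' in Content-Type /
# Content-Disposition headers of any MIME part, case-insensitively.
_ATTACH_RE = re.compile(
    r'(?:file)?name\s*=\s*"?[^";\r\n]*\.(' + "|".join(BAD_EXTENSIONS) + r')"?',
    re.IGNORECASE,
)


def has_bad_attachment(lines):
    """lines: the byte lines poplib's top() returns (headers + N body lines).
    True if any MIME part header names an attachment with a blocked extension."""
    text = b"\r\n".join(lines).decode("latin-1", errors="replace")
    return _ATTACH_RE.search(text) is not None


def purge_mailbox(pop, peek_lines=200):
    """Walk the mailbox with LIST, peek at each message with TOP, mark matches
    with DELE. Returns the message numbers marked. peek_lines must be large
    enough to reach the first part headers of a multipart message; 0 would
    only show the top-level headers, where the attachment name never appears.
    The caller still has to QUIT for the server to commit the deletions."""
    _, listing, _ = pop.list()
    doomed = []
    for entry in listing:
        num = int(entry.split()[0])          # listing rows look like b"2 4711"
        _, lines, _ = pop.top(num, peek_lines)
        if has_bad_attachment(lines):
            pop.dele(num)
            doomed.append(num)
    return doomed


class FakePOP3:
    """Offline stand-in for poplib.POP3 with matching list/top/dele shapes."""

    def __init__(self, messages):
        self.messages = list(messages)       # raw bytes, one per message
        self.deleted = set()

    def list(self):
        rows = [f"{i} {len(m)}".encode() for i, m in enumerate(self.messages, 1)]
        return b"+OK", rows, sum(len(r) for r in rows)

    def top(self, which, howmuch):
        head, _, body = self.messages[which - 1].partition(b"\r\n\r\n")
        lines = head.split(b"\r\n") + [b""] + body.split(b"\r\n")[:howmuch]
        return b"+OK", lines, sum(len(l) for l in lines)

    def dele(self, which):
        self.deleted.add(which)
        return b"+OK"


# Constructed sample mailbox: one Sobig-style mail, two legitimate ones.
WORM_MAIL = (
    b"From: spoofed@example.com\r\nSubject: Re: Details\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nSee the attached file for details.\r\n"
    b'--XYZ\r\nContent-Type: application/octet-stream; name="details.pif"\r\n'
    b'Content-Disposition: attachment; filename="details.pif"\r\n\r\n'
    b"TVqQAAMAAAAEAAAA\r\n--XYZ--\r\n"
)
PLAIN_MAIL = b"From: friend@example.com\r\nSubject: lunch?\r\n\r\nNoon at the usual place?\r\n"
PDF_MAIL = (
    b"From: boss@example.com\r\nSubject: report\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="ABC"\r\n\r\n'
    b'--ABC\r\nContent-Type: application/pdf; name="q3.pdf"\r\n\r\nJVBERi0x\r\n--ABC--\r\n'
)


def demo():
    """Run the purge over the constructed mailbox; only the worm mail goes."""
    pop = FakePOP3([PLAIN_MAIL, WORM_MAIL, PDF_MAIL])
    return purge_mailbox(pop), pop.deleted


if __name__ == "__main__":
    print(demo())
```

The peek_lines caveat matters in practice: TOP n 0 returns only the top-level headers, and a worm's attachment name lives in the part headers inside the body, so a lazy "headers only" check sees nothing and deletes nothing.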
Re:At MOST it should be optional... (Score:3, Insightful)
My university not only blocks certain ports from the internet, such as the dcom ports, but also blocks them across subnets so it even keeps worms from spreading across our network. Is this useful? Absolutely. On the other hand, last year they tried to block IRC traffic by simply blocking port 6667. They wound up lifting the ban af
Re:At MOST it should be optional... (Score:5, Informative)
If you know anything about opening a port, then you are ahead of 99% of those connected, and know what you are doing. Thus, you can opt out.
This wouldn't prevent you from using blocked ports.
It would be, by far, less of an inconvenience that the shit that goes on now with everything wide open.
Re:At MOST it should be optional... (Score:4, Insightful)
If you set it up so that everyone is behind a big firewall in the sky (which is what this would be) then what you end up with is ISPs saying "why do you want to opt-out?" Or that you can't opt-out at all and you get stuck with their shitty firewall rules. You might also run into a problem where they will put you on this shitty little subnet with slower speeds/connection issues if you do opt out.
By saying it should be opt-out (in by default) then you put more power into the ISPs' hands. And I'm sorry, I already have enough issues with my ISP; the last thing I want to see is Time Warner blocking port 53 incoming, or some other such cruft. (*cough* blocking MSN *cough*)
Re:At MOST it should be optional... (Score:3, Insightful)
Every time a new user signs up, they should be offered a free port-blocking service, with a list of ports and what they're used for that is worded so anyone can figure it out.
Would it be feasible to set this up so the user can check off those ports they want blocked? or at least offer a "common ports to block" and have them use a different access point depending on their desired setup? I'd think the paranoid would be willing to pay a buck
Re:At MOST it should be optional... (Score:3, Insightful)
The internet is mostly privately owned, and as such can police itself on a company by company basis; the American (hypocrisy) gov't has no place or right to attempt to control or police the internet.
Secondly, there are actually very few safeguards in place to protect me from assholes who drive, there are ho
Re:At MOST it should be optional... (Score:5, Insightful)
Just like an operating system, a connection service should be "secure by default".
99% of the users in this world have no need for open ports. When they do, they can mostly accept that opening those ports poses risks, and they can be educated on the risks.
(Now, if an ISP was to charge you more for opening those ports, that would be different; a one-off administration fee, maybe, but that's it)
Re:At MOST it should be optional... (Score:4, Insightful)
Filtering ports is just another step to the path of 'ISP' meaning direct connection to the email they want you to see, the webpages their proxy allows, and the IM they want you to have. I'd much rather they just provide the service and let whats done with it be up to the users.
As for fixing the 'current state' -- let users control firewall rules concerning their line. If someone's being packeted with SYNs from random sources with a static dest port of 113, they should be able to make their ISP drop all of them.
People don't realise that when an ISP filters a port, it's NOT optional. You can call and complain all you like, good luck even finding someone that understands what you're complaining about let alone having it enabled for you.
Re:At MOST it should be optional... (Score:4, Funny)
As they say on the mailing lists: I encourage my competitors to run their networks this way.
Re:At MOST it should be optional... (Score:3, Funny)
99% of the users in this world have no need for open ports.
Damned straight! 99% of the users in this world should have ALL ports closed, inbound *and* outbound. Get them lusers offa my Internet. I'm willing to let them have a NATed IP address, but them open ports gotta go. Especially port 25. And 80. I might let 'em keep 21, but NO 20, and no PASV crap, either [cackles maniacally].
Options are good. (Score:5, Insightful)
Some ISPs could advertise that they block $a, $b, and $c, as a security measure. If the customer doesn't want to think about security, they go with those ISPs. Others could advertise they allow access to the entire net. I would sign up for that, and do my own security.
Of course, for this to work there actually needs to be competition in the ISP realm. Not a given at the moment.
Re:Options are good. (Score:4, Interesting)
Second, inevitably ISPs will claim it cost them to open up the rest of the ports, and you WILL get charged for it...
Third, cold day in hell when broadband is competitive to a majority of people in the USA.
I have 2 windows boxes and have yet to get infected. The way I see it, those that get infected eventually die off... Leaving only the fittest of boxen.
Rather than have ISP block ports.. (Score:3, Insightful)
Re:Rather than have ISP block ports.. (Score:3, Informative)
Re:At MOST it should be optional... (Score:5, Insightful)
This isn't even touching the fact that the ISPs would then view anyone not running Windows or Mac as a security risk and would refuse to open the ports until we run a "standard OS".
Thanks, I'd rather avoid that problem. An ISP's job is to run the damn line to my house and make sure their routing tables, mail, DNS etc. are working correctly, nothing more, nothing less.
The ISP I work for... (Score:5, Informative)
Overall, I help stop another hundred thousand or so Win32 users from pounding the net to death. I don't see how anyone could see this as a bad thing. (welcome input)
a bad thing (Score:3, Insightful)
Then you (as well as your employers) are very short sighted. I could well be using those ports. Many software programs that dynamically allocate ports likely will use some ports you block, and users applications will just fail "randomly". And, of course, your tech support people will deny all knowledge of it. Or, in the case of well known ports such as port 135 mentioned in the original posting, I've actually used port 135 to share ent
Re:a bad thing (Score:5, Insightful)
And how can you demand that people learn computer security if you think it's excessive to require you to opt out from the ISP firewall?
Re:a bad thing (Score:5, Insightful)
As many have mentioned here, these services should be requested by people who understand what they're doing. For the rest, it just doesn't matter.
Re:a bad thing (Score:5, Informative)
James
Re:a bad thing (Score:4, Insightful)
Re:Agreed (Score:3, Insightful)
Re:The ISP I work for... (Score:3, Insightful)
I would like my ISP to provide firewall services, but not in such an automated manner. Or, rather there should be a web interface like my ISP has for reverse-dns. There should be a checkbox for unfiltered, for autofiltering by ISP with or without notification of filter rule changes, and some way to block/unblock common things yourself by name
absolutely not... (Score:4, Insightful)
Re:absolutely not... (Score:5, Informative)
Case in point: I was not affected at all by Sobig.F directly, however I did see my mail gateways come under incredible load, my IDSes fill DBs with Sobig warnings, my users encounter endless confusion at bouncebacks from dumb virus scanners that claim we are infected since Sobig is an SMTP forger. Sobig wasted a lot of my resources and time even though it didn't infect a single one of my 1700+ users. It was rather benign though, I'm afraid of what comes next [blanu.net].
Re:absolutely not... (Score:3, Insightful)
But the general public is not quite so stupid as you make them out to be either. After these folks get hit once, they start to care. They can fix the problem quite simply, with a $50 hardware firewall/NAT router they should probably have anyway, or a free software firewall like Kerio. All the ISPs really need to do is a little education.
Re:absolutely not... (Score:5, Insightful)
I do know that I can find the proxy in this case, and how to find them. Still I think, getting a firewall and plugging it in or installing it can be a difficult concept for the general computing public to get today. I hope that changes, and I think it *is* changing for the better.
Power users should be able to opt-out (Score:5, Interesting)
Re:Power users should be able to opt-out (Score:5, Insightful)
Well, what's going to happen is: The ISPs will eventually block most ports, "'cause most users don't need 'em." and that'll help some people. "Power users" will be able to pay an extra fee to get the ports unblocked - a "setup" or "administration" fee. Probably even a per-month fee, so they can
This will suck for a while. Especially when they block port 22 at first, because they forgot about SSH. Then eventually most things will be re-written to tunnel through port 80, making everything more complicated (multiple servers switching on the same port). And of course, the worms will follow.
The point is, there is a reason these ports exist in the first place -- they allow some flexibility and simplify communications. What they're really saying is "We don't like the way the internet is designed. So we're going to break it. Sucks to be you."
Z.
Blocking at ISP end or User end (Score:5, Insightful)
There are some exceptions, though - if you're getting a high-volume flood of some sort (DDOS attacks, Slammer worms, ping floods, etc.), it's nice to be able to turn it off at the ISP's end of the wire, because that prevents your bandwidth from getting stepped on by the attackers, while otherwise you might be unable to get any effective work done because 99% of your bandwidth is the attack.
Many ISPs are filtering already (Score:2, Interesting)
As for me, I use Qwest and have found that they will not allow me to keep an open TCP session, meaning my SSH sessions constantly stall.
Calling tech support resulted in an entertaining conversation during which the support guy insisted that if I could "browse my webs" everything was working.
Oh well, time to change ISPs...
Optimum Online already blocks 135 (Score:2)
Though I really want to blame all the morons with unpatched IIS servers, there's this little voice in my head that's telling me that Optimum Online was more than happy to prevent those of us that don't want to pay $100+ for "business accounts" from running web servers.
By the way, a friend of mine in Houston told me his cable provider keeps all its users behind a NAT - no incoming connecti
I'm in the middle. (Score:5, Insightful)
Wow. Moderation works! (Score:5, Interesting)
Just like self-administered hosting services have successfully provided "servers for the little man" through virtual hosts and web configuration interfaces, ISPs could provide security for the average joe.
Integrate the UI well with your webmail (spam-filtering, etc) and other services, and your ISP portal can actually be more useful than as a bandwidth test.
Absolutely (Score:5, Interesting)
Filter by default - if you need your ports or you want to do your own firewalling then get the "advanced user" account that costs less but requires more responsibility from the user.
If anything this is just an opportunity for ISPs to make another value added service to sell.
Re:Absolutely (Score:3, Insightful)
No, you've got it entirely backwards.
It's the "family" account that will cost less. The "family" account will include traffic filtering and it will come with a service charge for every webpage viewed and every email sent. Traffic filtering will ensure that that your Internet activity will remain limited to the viewing of webp
The problem (Score:3, Insightful)
1) ISP blocks ports/services/etc and won't unblock them. Claim it is for security, etc and just won't do it any other way. We had this problem with Cox. They disallowed any VPNs on their normal cable accounts. Our university uses VPNs extensively. It came down to us explaining to them that we would recommend people go with a different provider if they didn't change the rules. Of cour
a great idea imo (Score:2, Interesting)
On the other hand, ISPs may add an option to get an advanced connection, in which all the ports are open.
my 0.02$
A problem? (Score:5, Insightful)
Ports are not the problem (Score:4, Insightful)
I want what I am paying for. (Score:3, Interesting)
Any ISP that mandates filtering should also provide significant discounts to their customers as they are no longer providing a full raw feed. Of course, this will never happen as the filtering will increase the ISPs operating cost so the end result will be less service at a higher price.
Block my ports and I move to another ISP. If enough ISPs start blocking ports to the point that I can no longer find one that meets my needs, then I will open my own again because the demand for the small ISP will be back.
You want to have your cake and eat it, too! (Score:5, Insightful)
And yet the most common complaint I hear from people is how they paid for lots of bandwidth but they're always the victim of lag and dropped packets. Blocking ports 135-139 would eliminate a substantial amount of the background "noise" that's taking a bite out of your bandwidth.
If someone *needs* to share 135-139 over a public network then they should be using a VPN anyway.
No... (Score:5, Insightful)
If my ISP was protecting me, I would be complacent and I can see myself not updating the scanners / firewall on my notebook and getting hit the next time I went on the road.
The next issue is liability. If an ISP claims to protect and a luser gets infected, they're going to sue (at least in a North American situation).
Should have designed it that way... (Score:3, Interesting)
It would keep a lot of services that aren't supposed to go outside the home where they belong, and if you didn't want that, you could put the service on a "public" port. What is happening now is basically patchwork by individual ISPs, blocking ports but with little coordination.
I want to have a free Internet where you can use any port you want. But there are also quite a few services that shouldn't be accessible from the Internet too, customer-side firewall or not. Latest and greatest is the Messenger service SPAM. Why would such a service be open to the world? But there's no "private" port you can put it on where only LAN requests come through. Not unless you do IP filtering, but wouldn't it be just as easy to have some port range that you simply know won't be sent to/received from by your ISP?
Kjella
Question (Score:4, Insightful)
Personally, I love the idea of having ports. It allows a lot of intrasystem communication, even if it isn't the best way of doing it, and it allows many many services to run on one machine. Hell, without TCP, we wouldn't have IMAP or POP3 or SMTP etc.. (unless someone did them from a web front, sorta like Yahoo, but then it's the same thing on their end....) Somewhere down the line, people have gotta realize, fixing the problem doesn't mean you have to break something else in the first place. ISPs need to let the users deal with viruses, even if they are 100% computer illiterate. Maybe they should offer a service where they will patch your system for a price, instead of simply blocking a port that someone may have been using constructively. This really outrages me, because Adelphia, my cable provider, has killed so many ports due to virus outbreaks (Code Red killed 80, MSBlaster killed 135, 139, 4444, and a bunch of UDP ports), ports that I would have liked to use (port 80 mainly). I have to redirect to 8080, and not many people will know how to do that. Please people, think before doing something so drastic as cutting off all the ports... There are much better solutions.
Slippery Slope (Score:3, Interesting)
Sure this starts out helping the net in general and preventing everything from going to hell when the next virus comes out.....but what if the RIAA after some successful lawmaking decides that whatever ports Kazaa is running on are bad/illegal and must be blocked? Or what if program X runs on port Y and whatever group doesn't like it decides to block it? Obviously there are other ways around it....but not everybody knows those. Maybe I'm just being paranoid....but with some of the things that have happened lately, who's to say.
Some thoughts.... (Score:5, Insightful)
My god this is a dangerous road to be going down (Score:5, Insightful)
Broken beyond repair? (Score:5, Insightful)
Well, I guess the underlying assumption here is that the software using the ports 135, 137, 139, and 445 is broken beyond repair either from the security perspective, or the software is very hard to configure properly (because it seems people accidentally misconfigure it to be open to the entire Internet). Either way, the suggested measure would be an unnecessary limit of free communication for no other reason than a common implementation of certain protocols.
If it is possible for clueless users to accidentally run software that puts their computers at great risk, then I say there is a serious usability problem here. If the software implementation and/or the protocols themselves are insecure, providing a better implementation/protocol is a step towards a better future. Trying to shift the responsibility to ISPs isn't the way to go.
I pay for bandwidth - don't block any of my ports! (Score:4, Insightful)
I pay for bandwidth, plain and simple. I want every port open for whatever use I so desire, with no blockage from the ISP period.
Some morons at certain ISPs recently decided to block all pings, period, on their broadband networks. I run a small computer consulting business, one of my specialties is IPsec-connected subnet-to-subnet VPNs for small businesses with dynamic IP broadband connections. The scripts that make all this work depend(ed) on being able to ping various places to determine if the internet was up, if the peer host was up, and if the tunnel was up.
Since someone didn't RTFM on stateful packet filtering, and figure out how to safely allow ping traffic while blocking DDOS attacks, all my scripts broke (well, among those home users using those certain ISPs that connected into the office). Who in the seven hells ever thought an ISP would block ping!!! I can see a popular website doing it, but an ISP?!? Across their entire network?!?!? Baka!
Anyway, I had to quickly rewrite the scripts to pull entire webpages down to test connectivity, and dump them into the bit bucket, instead of nice, tiny little ping packets. (Let's see 'em block http) Wastes bandwidth, and less elegant too! wheee!
Cookie-cutter broadband ISPs without the technical knowledge to properly configure their routers are NOT people who I want determining what ports/protocols I can and can't use. I pay for bandwidth. Leave my ports alone!
Block All Incoming Connections (Score:5, Interesting)
Security-wise, this would block many worms (both present and future) because they would simply be unable to connect to any system. Besides that, it would also block backdoor trojans like NetBus and Back Orifice because, although they'd still be listening, no one would be able to connect to them and control the user's system.
To address the NAT-type problems that this would create, ISPs could automatically make certain exceptions for port blocks that interfere with popular games and whatnot. For advanced users, there would be a control panel (much like those built into NAT firewalls) where they could unblock any or all of the ports.
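What "block all incoming connections" buys, and what it does not, is easier to see in a stateful model than in prose. The following is an added example, not the poster's design: flows the customer starts are accepted in both directions (so playing a game works, as an earlier poster noticed), unsolicited inbound connection attempts are dropped (so hosting, worms and backdoor clients all fail), and the user can punch holes as the control panel in the post would. A both-ways list is included to show the gap: inbound-only blocking does nothing about an already infected customer scanning outward, which is why the 135/139/445 filtering described earlier in the thread drops those ports in either direction. Addresses, ports and the packet sequence are constructed.

```python
"""Added example: a minimal stateful "block all inbound" filter."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": Internet -> customer, "out": customer -> Internet
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class InboundBlocker:
    def __init__(self, customer_ip, opened=(), both_ways=()):
        self.customer_ip = customer_ip
        self.opened = set(opened)        # (proto, port) the user unblocked
        self.both_ways = set(both_ways)  # (proto, port) dropped in any direction
        self.flows = set()               # (proto, cust_ip, cust_port, remote_ip, remote_port)

    def open_port(self, proto, port):
        """The "control panel" action: let unsolicited inbound reach this port."""
        self.opened.add((proto, port))

    def decide(self, p):
        """Return "accept" or "drop" and update the flow table."""
        if (p.proto, p.dport) in self.both_ways:
            return "drop"                          # worm ports, either way
        if p.direction == "out":
            if p.src != self.customer_ip:
                return "drop"                      # spoofed source, never forward
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept"
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:
            return "accept"                        # reply to something the customer started
        if (p.proto, p.dport) in self.opened:
            return "accept"                        # user explicitly hosts this
        return "drop"                              # unsolicited inbound


def run(fw, packets):
    return [fw.decide(p) for p in packets]


# Constructed addresses from the documentation ranges.
CUST = "198.51.100.7"
GAME = "203.0.113.9"
ATTACKER = "203.0.113.50"


def demo():
    """Scripted sequence: game traffic passes, probes and backdoor clients
    do not, outbound scanning on a both-ways port is dropped, and an
    explicit open_port() is what it takes to host something."""
    fw = InboundBlocker(CUST, both_ways={("tcp", 135), ("tcp", 139), ("tcp", 445)})
    seq = [
        Packet("out", "udp", CUST, 27015, GAME, 27015),     # join a game server
        Packet("in", "udp", GAME, 27015, CUST, 27015),      # server talks back
        Packet("in", "tcp", ATTACKER, 4444, CUST, 135),     # Blaster-style probe
        Packet("in", "tcp", ATTACKER, 1234, CUST, 12345),   # NetBus client looking for a backdoor
        Packet("in", "tcp", ATTACKER, 1235, CUST, 80),      # someone tries to browse to the customer
        Packet("out", "tcp", CUST, 1050, ATTACKER, 445),    # infected customer scanning outward
    ]
    before = run(fw, seq)
    fw.open_port("tcp", 80)                                  # customer decides to host a web server
    after = fw.decide(Packet("in", "tcp", ATTACKER, 1236, CUST, 80))
    return before, after


if __name__ == "__main__":
    print(demo())
```

A real implementation also needs flow timeouts and per-customer state limits, otherwise the flow table itself becomes the next DoS target; the model above leaves that out to keep the decision logic visible.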
A compromise position (Score:5, Insightful)
However, it is the ISP's job to maintain service quality for the other thousand people served by the same point of presence that you use. It is its job to protect its service from DoS attacks, to ensure that those who don't have a worm are able to use the service.
Therefore, when a worm outbreak borders upon DDoS, it is very likely in the ISPs' best interest to interfere with it. They should do so minimally, because their purpose in so doing is to minimize its effect on their business and responsible network operators -- not to quixotically defend irresponsible network operators.
At different stages of an outbreak, and depending on the specific behavior of the worm, an ISP's best response may differ. For instance, if a tiny number of customer hosts are infected and are blasting huge amounts of traffic, the best response may simply be to remove them from the network, or block the relevant ports on the proximal router.
If they call and complain, the first-line technical support can read off a prepared statement, which (when boiled down) says basically this: "Your computer was being used for a Federal crime, breaking in to other people's computers. We shut down the network to protect our other customers from this criminal activity. It's possible your computer was infected by a virus that was being used to perpetrate this crime. Because of this possibility, we didn't call the FBI and report you as the source of the criminal activity. It's your responsibility to keep your computer from being used to hurt other people." They can then go on to offer, for a small fee, a CD of licensed antivirus and worm removal software -- or, for a larger fee, a visit from a technician who will run the same. Connectivity is not restored until the system is clean, whether by this means or any other.
In the case of a widespread outbreak, where more than 5-10% of the client systems are infected, it's probably more expedient to just block the ports on the core routers first. Then find a way of enumerating the infected systems and dealing with them, if it's deemed worthwhile.
Of course, any such measure should be announced. Exactly how to announce it I'm not sure, since many ISP users don't use an ISP mail account (and the ISP must not send spam), nor do they read the ISP's local newsgroup or visit the Web page.
In the case of a local ISP, the newspaper is always an option.
Re:A compromise position (Score:3, Insightful)
The other day, I was using my computer at work. While using my Mozilla browser on Linux, SBC redirected my browser to a web page declaring that my computer had been infected with the Blaster Worm.
It should be obvious to you already why this was simply ridiculous.
I don't object to your i
Managed Services (Score:3, Insightful)
The problem, of course, is that most who really want a consumer-style connection won't go for it because they can't see any benefit to the added cost; becoming a worm or virus transmission vector annoys others but does not usually degrade the infected user's consumption experience and therefore managed firewall services don't make sense. The solution to this is an addendum to terms of service that stipulate that systems which are reasonably believed to be infected with a worm or virus and are adversely affecting networks as a result will be dropped from the network and no refunds will be given. Service will be restored only after a professional (partnership or more managed service opportunities here...) has inspected the system and found it clean of any such threats. Since this will be both annoying - unexpected service termination - and expensive - hourly fees for system checks won't be low - users will find this type of low-cost insurance valuable and useful. Probably enough so to pay an extra 3 or 4 bucks a month, surely enough for the ISP to make a nice profit as well.
What everyone ignores... (Score:5, Informative)
Re:What everyone ignores... (Score:3, Informative)
I doubt there's a router built in the last 3-5 years that can't block traffic at the port level without so much as a blip on its CPU cycles. Fancier blocking (multiple conditional rulesets etc) _might_ hurt a particularly poorly designed router, but simply dropping a packet based on
Make it a default--overridable (Score:3, Informative)
Now if they didn't have this adjustment ability, I'd be moving elsewhere in a big hurry--but they give me the filters, default them to all on, and let me turn off what I want. I don't see why they can't do that with internet ports. Default to everything turned off, and then have a website that I could authenticate against, which would allow me to open ports. ACLs in FW1 should be able to accomplish this.
It's their service (Score:3, Interesting)
so they can do whatever they want.
C'mon, mod this down as a troll, just so you can prove my point.
translation: Must ISPs clean up after Microsoft? (Score:3, Troll)
Most certainly not (Score:3, Interesting)
But the first time my ISP limits what I can receive without giving me the option of turning it off will be the last time I use my ISP. It's not their place to determine what is "good" and what is "bad" for me, nor is it their duty to protect me from my own stupidity. Babies who need their hands held and cannot think for themselves can use AOL.
No, ISPs shouldn't filter ports (Score:3, Interesting)
The ISP is to the user what the backbone provider is to the ISP. The ISP should no more be filtering ports than the backbone provider should be filtering ports. If users not knowing what they're doing is becoming too much of a problem, or is putting other users at too much risk, then the ISP should be doing what we require for cars: users must prove a certain level of knowledge and ability to safely operate a computer/car before they're allowed on the Internet/road.
Unfortunately, this isn't an ideal world. Until people stop whining that, effectively, "Why do I have to know how to drive? I just want to go places in my car!", we may have to live with this.
Re:No, ISPs shouldn't filter ports (Score:3, Interesting)
Why not just make users pay for their bandwidth? This is the real reason ISPs block ports and ban "servers." If Joe Dumbass gets a bill for $200 because his computer is infected with the latest worm, then you'll see him start patching his computer and demanding his software vendors do something about security.
This is sooo simple (Score:3, Informative)
I really don't care about making the Internet safe for everyone. Next thing you know we'll be suing gun companies over homicides, I mean ISPs over cyber attacks.
Isn't the real issue here the fact that Windows has so many security flaws? Maybe Windows just isn't ready for the Internet. I run Solaris, Linux, and MacOS X, with the protection of a Solaris/IPFilter firewall at home and do you think I care about worms and viruses? Nope.
The only thing I could possibly suggest that the ISPs do is communicate a standard warning: "The surgeon general has determined that Windows can be hazardous to your computer while connected to the Internet." and leave it at that.
nevermind all this... (Score:4, Interesting)
In a word... (Score:3, Insightful)
I don't trust anyone but myself to filter what I want. Suppose a certain corporation that shall not be named were to lean on ISPs to block common p2p ports?
Suppose I were working at home as a security consultant and needed access to all ports, including those used by virii?
The internet was originally designed with all the intelligence at the ends, and not at the center. This was done to prevent anything like this kind of behavior, where the people with the routers can control what you can access. If it were not for this forethought on behalf of the Internet founders, your ISP would control what you can access.
And that's what this could easily evolve into. You know the routine. You start with a little. Then they push it a little farther. And a little farther. And a little farther. Then the "internet" is nothing but a glorified TV station, feeding you the same junk in an interactive manner.
Obligatory BTTF quote: "Admittedly, that is a worst case scenario..."
The obvious problem (Score:5, Insightful)
If the approach is "opt-in", any new Internet service in the future is going to be DOA because Joe Clueless is going to download the new apps, find out "they don't work", and isn't going to contact his ISP where the problem is.
The other problem is that any ISP big enough to have a clueless "first line" help desk isn't going to be able to handle "please turn this port on" inquiries from Joe Clueless and will be even less able to handle them from anyone with a clue.
Do we have all the Internet services we're ever going to want?
Sacrificing future technological possibilities just to keep the current Net running properly isn't exactly the sort of thing we want if we want to do interesting and maybe profitable high-tech things.
For port 135 and the other most commonly abused ports there's a case for blocking by default.
No. (Score:3, Insightful)
Blocking ports will only cripple legitimate users of those services while the malicious attackers will find other vectors for attack.
You can keep blocking ports until everything is tunnelled over port 80 and content only flows 'one way', but we already have that - it's called TV/Radio broadcasting.
If anything, ISPs should filter the users logging onto their systems - e.g. if the system logging on fails security tests, or exhibits virus-carrying behaviour, then outbound access is curtailed or disabled entirely.
Crippling the internet because Microsoft can't get their shit together is the dumbest thing I've heard this week.
Word of the Wise (Score:3, Insightful)
If the ISP blocks 25 then the spammer will have a buddy setup a box outside the network to accept on some random high port like 37337 and just go to town just like usual. All it serves to do is get in the way of legitimate users in a punish the many for the crimes of a few method.
Re:Word of the Wise (Score:3, Interesting)
A NZ telco provides self managed virtual firewalls (Score:5, Interesting)
NO!! (Score:4, Insightful)
And then the morons who make the majority of public opinion see the extra hoops Linux users would have to jump through to get their systems to work and think, Oh, my Windows box just works, so I guess it's better. (For example, if Windows sharing port numbers are allowed but NFS port numbers are not, then the general effect is that Windows filesharing works and Unix's does not. No amount of explaining will sway the public opinion on this. It's not based on reasoned thinking.)
And although I couched this in terms of Windows Vs Linux, the more general case is the real problem - it makes the decision of which technologies will live and which will die be entirely in the hands of the ISPs. It's the equivalent of your phone company saying "You can discuss your pets, your wife, and your kids over our phone lines, but you aren't allowed to talk about radios, televisions, or cable modems over our phone lines. And we'll be listening in and if you try to raise one of those subjects we'll cut your call off."
Slashdotters are not the "average" user (Score:3, Interesting)
Like it or not, the Internet no longer consists entirely of technically inclined people. We are outnumbered by folks who just want to read email and surf the web...and don't even know what SSH is.
The problem is that their ignorance affects the entire Internet community. If a few thousand people get infected with the latest worm and start DDoSing a server, or bogging down the mail relays, everyone is affected - even the technically inclined people who were smart enough not to get infected.
Your average user just wants an appliance, a tool they can use without too much effort. They don't know about ports, and don't want to. Honestly, they shouldn't have to know everything that we do - it isn't their problem. Just as I don't know everything that my Doctor does...they don't need to know everything that their ISP does.
For this average user, I think port blocking would be a godsend. Honestly, there really aren't all that many applications that require incoming connections to your home machine... most of the time it is outgoing. Shut down the ports, protect the "average" user, and then let those who know what they're doing open their ports back up.
yrs,
Ephemeriis
personal rulesets :- not feasible (Score:3, Insightful)
uhmm, apart from the slick web interface to ask the user what they want, has anyone thought about the poor sodding router that has to hold all these personalized rules?
even the big cisco PIX jobbies barf at the thousand rule mark. you'd have to go for a user-wide policy which would put off all the technically competent / meddlers.
it's just not going to work on this scale, I believe. the solution is to have operating systems and small domestic 'broadband routers' have default-deny policies, and leave the ISP (no matter what size they are) to shifting packets and answering DNS, like they're good at.
Ports are conventions (Score:4, Insightful)
Ports are conventions. We use certain ports for certain functions because we have agreed to. No other reason. We already see programs that don't belong on 80 using it because they need to get through firewalls. This would merely globalize the tendency, and eventually the entire usefulness of ports would be destroyed.
One can say that this is to protect the innocent, and feel good about things. But this will have as much decent result as most "protect the innocent" laws: None. And it, like most of those, will have significant negative downsides.
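The comment above makes the point that a port only tells you what the two ends have agreed it means, and that once port 80 is the only hole left, everything will be dressed up to pass through it. The added example below (not code from the thread or from any product) shows the check a filter has to fall back on at that point: looking at the first bytes of the payload instead of trusting the port number. The payload samples are constructed, and the OpenSSH banner string is illustrative rather than a recorded one.

```python
"""Identify the application protocol from the first bytes of a TCP payload,
ignoring the port it arrived on.

Added example, not code from the thread; payload samples are constructed.
"""
import re

HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE) \S+ HTTP/\d\.\d\r?\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/\d\.\d \d{3} ")


def identify(payload: bytes) -> str:
    """Best-effort protocol name from the leading bytes of a stream."""
    if HTTP_REQUEST.match(payload) or HTTP_RESPONSE.match(payload):
        return "http"
    if payload.startswith(b"SSH-"):                      # SSH identification string
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03:
        return "tls"
    if payload.startswith(b"220 ") or payload[:5] in (b"EHLO ", b"HELO "):
        return "smtp"                                    # server banner or client greeting
    if payload.startswith(b"\x13BitTorrent protocol"):   # BitTorrent peer handshake
        return "bittorrent"
    return "unknown"


# The port conventions this filter knows about; anything else has no expectation.
EXPECTED_ON_PORT = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}


def off_port(port: int, payload: bytes):
    """Return the identified protocol when it is not what the port convention
    promises, else None. Ports without a convention on file always return None."""
    proto = identify(payload)
    expected = EXPECTED_ON_PORT.get(port)
    if expected is None or proto == expected:
        return None
    return proto


# Constructed flows: (destination port, first bytes the client sent)
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_3.6\r\n"),                        # sshd moved onto 80 to pass a filter
    (80, b"\x13BitTorrent protocol" + bytes(8) + bytes(40)),  # p2p handshake on the "web" port
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x01"),   # TLS ClientHello record header
    (25, b"EHLO mail.example.com\r\n"),
    (8080, b"GET /index.html HTTP/1.0\r\n\r\n"),             # no convention on file for 8080
]


def audit(flows):
    """(port, protocol) for every flow carrying something other than the port's protocol."""
    hits = []
    for port, payload in flows:
        proto = off_port(port, payload)
        if proto is not None:
            hits.append((port, proto))
    return hits


if __name__ == "__main__":
    for port, proto in audit(SAMPLE_FLOWS):
        print(f"port {port} is carrying {proto}")
```

Run against the constructed flows it reports the SSH and BitTorrent sessions on port 80 and nothing else; the request on 8080 passes because no convention is registered for that port. A real deployment needs the same check on both directions of the stream and a far longer signature list, but the principle the comment describes is unchanged: once the port number stops meaning anything, this is the only kind of filtering left.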
Nope. (Score:3, Insightful)
However, some corporate monkey heard the word "server" in relation to "mail server" and decided to block SMTP as well. This isn't outgoing SMTP (which might block some spammers), but incoming SMTP!
So, Charter has to waste disk space and resources storing my mail for half an hour, I have to jump through fetchmail hoops to pull it down every half hour, and MY sendmail has to go through ugly masquerading so I can still have working properly addressed mail inside my LAN, but have it get converted to THEIR email address outside since I have no way to point my domain's MX record at my mail server.
Long story, short point. Do you WANT this kind of corporate idiocy as the default for all ISP's? I think a far more reasonable policy is for ISP's to disconnect any customers who send out spam or virii, if they detect them. If the customer calls and asks why they were shut off, give them the answer... their machines are polluted and compromising the security and operation of the network at large... they should clean them up or pay us $$$ to come do it for them.
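Two comments in this thread propose the same alternative to blanket port blocks: the "No." comment (curtail outbound access when a host "exhibits virus-carrying behaviour") and the comment just above (disconnect customers who send out spam or virii, if they detect them). The added example below, which is not code from the thread or from any ISP, shows the minimum such a detector has to do on the ISP's own flow records: count distinct destinations per source on the worm ports and on 25/tcp within a time window, and flag the sources that fan out. The flow records are constructed, not real ISP data, and the thresholds are illustrative.

```python
"""Spot customer hosts whose outbound traffic looks like a worm scan or a spam run.

Added example, not code from the thread or from any ISP. The flow records
below are constructed, not real data, and the thresholds are illustrative.
"""
from collections import defaultdict

SCAN_PORTS = {135, 139, 445}   # RPC / NetBIOS / SMB, the ports the thread wants blocked
SMTP_PORT = 25


def _flow(t, src, dst, dport):
    return f"{t} {src} {dst} {dport} tcp"


BASE = 1062633600  # arbitrary epoch start for the constructed records
SAMPLE_FLOWS = (
    # 203.0.113.7: ordinary web use plus mail through a single relay
    [_flow(BASE + i, "203.0.113.7", f"198.51.100.{10 + i % 5}", 80) for i in range(30)]
    + [_flow(BASE + i, "203.0.113.7", "198.51.100.25", 25) for i in (0, 10, 20)]
    # 203.0.113.9: a new target every second on 135/tcp, the footprint of a worm scan
    + [_flow(BASE + i, "203.0.113.9", f"192.0.2.{1 + i}", 135) for i in range(120)]
    # 203.0.113.12: direct-to-MX delivery to 40 distinct mail servers in 40 seconds
    + [_flow(BASE + i, "203.0.113.12", f"198.51.100.{100 + i}", 25) for i in range(40)]
)


def parse_flow(line):
    """'epoch src dst dport proto' -> (int, str, str, int, str)."""
    t, src, dst, dport, proto = line.split()
    return int(t), src, dst, int(dport), proto


def find_infected(lines, window=60, scan_threshold=50, smtp_threshold=20):
    """Return {src: [reasons]} for sources that reach too many distinct
    destinations on a scan port or on 25/tcp inside any single window."""
    seen = defaultdict(set)  # (src, dport, window index) -> distinct destinations
    for line in lines:
        t, src, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and (dport in SCAN_PORTS or dport == SMTP_PORT):
            seen[(src, dport, t // window)].add(dst)

    peak = {}  # (src, dport) -> largest distinct-destination count in any one window
    for (src, dport, _), dsts in seen.items():
        peak[(src, dport)] = max(peak.get((src, dport), 0), len(dsts))

    verdicts = defaultdict(list)
    for (src, dport), count in sorted(peak.items()):
        if dport in SCAN_PORTS and count >= scan_threshold:
            verdicts[src].append(f"scan: {count} hosts on {dport}/tcp within {window}s")
        elif dport == SMTP_PORT and count >= smtp_threshold:
            verdicts[src].append(f"spam fan-out: {count} mail servers within {window}s")
    return dict(verdicts)


def quarantine(verdicts):
    """Customer addresses whose outbound access should be curtailed."""
    return set(verdicts)


if __name__ == "__main__":
    found = find_infected(SAMPLE_FLOWS)
    for src, reasons in found.items():
        print(src, "->", "; ".join(reasons))
    print("quarantine:", sorted(quarantine(found)))
```

On the constructed records the scanner (60 distinct hosts on 135/tcp in one 60-second window) and the spam run (40 distinct mail servers) are flagged, while the customer sending mail through one relay is not. The thresholds are the tunable part: a home user talking to a handful of Windows file servers never approaches 50 distinct targets on 135/tcp in a minute, which is what makes this check cheaper in false positives than a blanket port block.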
Re:Should ISPs Be The Little Man's Firewall? (Score:2)
Re:Should ISPs Be The Little Man's Firewall? (Score:3, Insightful)
I'm sure a "professional level" ISP would cater to your need for flapping security holes by leaving all ports open by default, if that's what floats
Re:Should ISPs Be The Little Man's Firewall? (Score:5, Insightful)
You may *think* you know what users need. You're probably wrong, though.
Re:What about port 25? (Score:5, Insightful)
Blocking egress port 25 ought to be standard for all residential ISPs.
Why should an ISP block a customer from sending an e-mail message through his employer's SMTP server? Why should an ISP block a customer from sending an e-mail message through a subscription SMTP server?
Re:What about port 25? (Score:3, Insightful)
SMTPS should probably apply to your second question as well.
Re:What about port 25? (Score:5, Insightful)
I like being in charge of my own e-mail server. I don't send or receive a large amount of e-mail, and I'm on DSL so I'm online all the time. Sure, there are hosting companies that will give me full control of the server. They also cost way more per month than I'm interested in spending.
The last thing I need is some punk like you telling me "you don't need that port" and blocking port 25.
Nathan
Re:What about port 25? (Score:3, Insightful)
What the previous post said was 'almost NONE', so yes, we know that there are some people that do but the OVERWHELMING majority of users DON'T.
You block it by default and you make it easy for the ones who know what they're doing to have access to it.
How freaking hard is that?
This is what we talk about with OS, you run it secure by default and for the 99.99999999% who barely know their mouse from the tv r
Re:What about port 25? (Score:3, Insightful)
How freaking hard is that?
You must be new to this planet. Welcome. On behalf of my species I would like to introduce you to a creature we have called "management". This is a subspecies similar to the "spider", yet instead of a silky web, it weaves a web of sticky red tape. This red tape is used to trap and devour people who thought it would be easy to convince an organization to make an exception.
Re:What about port 25? (Score:4, Insightful)
Consumer vs Business (Score:5, Insightful)
I guess you don't think we should serve http ports?
And no telnet/ssh either. Remote administration is the kind of thing a consumer doesn't need.
When I pay for my "consumer-level" DSL, I have some expectations that I'm willing to compromise on.
I know the tech-support people will not consider me a priority. I know if they have network problems, they will not work the extra mile to minimize my downtime. I know I cannot talk about "downtime" with them with a straight face, because they don't have those kinds of obligations.
I do expect, however, to be able to send and receive little packets of data every once in a while, at a certain speed, over whatever ports I want. I expect my paltry email packets to be dealt with equally with my fancy packets of video and audio (which certainly cost more bandwidth to my ISP, spam or no spam).
I do expect that my use is not restricted by "whatever is likely" other people need or do.
I agree with you that most users should have port 25 blocked. Actually, I think most BUSINESS users should have port 25 blocked too... a lot of small offices do not need, and do not have, their own email server but were happily sending emails through their business DSL lines due to SoBig.
Let BOTH kinds of users specifically remove that block. Force them to restrict it to a specific email server (or a list) if you want.
If they need it, whether it's a geek or a full IT department, it wouldn't be a problem because they know what they're doing.
But don't assume that a consumer never knows what he's doing, or that a business necessarily has a clue.
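Several comments in the thread converge on the same design: "Make it a default--overridable" (default everything off, authenticate to a web page to open ports), "Slashdotters are not the average user" (shut the ports, let those who know what they're doing open them back up) and the comment just above (block 25 for consumers and businesses alike, but let either kind of user remove the block or restrict it to a specific email server or list). The added example below is not any ISP's or firewall vendor's code; it is one way to express that policy so the per-packet cost is a hash lookup on the customer's address rather than a walk through every customer's rules, which is the scaling worry raised in "personal rulesets :- not feasible". Customer addresses, relay hosts and flows are constructed for illustration.

```python
"""Default-on ISP port blocks with per-customer opt-out.

Added example, not code from the thread or from any ISP. Customer
addresses, relay hosts and flows are constructed for illustration.
"""
from dataclasses import dataclass, field

# Inbound ports blocked by default, following the list given earlier in the thread.
DEFAULT_INBOUND_BLOCK = {135, 136, 137, 138, 139, 445}
SMTP = 25


@dataclass
class CustomerPolicy:
    """What one customer has changed from the defaults via the self-service page."""
    inbound_opened: set = field(default_factory=set)  # ports re-opened toward the customer
    smtp_relays: set = field(default_factory=set)     # hosts the customer may reach on 25/tcp
    smtp_unrestricted: bool = False                   # full opt-out of the egress 25/tcp block


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


class IspFilter:
    def __init__(self, customers):
        # customers: {customer_id: assigned address}. Policy is found by address,
        # so each packet costs one dictionary lookup, not a scan of N rule sets.
        self.customer_by_ip = {ip: cid for cid, ip in customers.items()}
        self.policies = {cid: CustomerPolicy() for cid in customers}

    # --- self-service knobs, behind authentication on the ISP's web page ---
    def open_inbound(self, cid, port):
        self.policies[cid].inbound_opened.add(port)

    def allow_relay(self, cid, host):
        self.policies[cid].smtp_relays.add(host)

    def unrestrict_smtp(self, cid):
        self.policies[cid].smtp_unrestricted = True

    # --- the per-packet decision ---
    def decide(self, flow):
        """Return (verdict, reason); verdict is 'allow' or 'drop'."""
        dst_cust = self.customer_by_ip.get(flow.dst)
        if dst_cust is not None:                       # inbound toward a customer
            policy = self.policies[dst_cust]
            if flow.dport in DEFAULT_INBOUND_BLOCK and flow.dport not in policy.inbound_opened:
                return "drop", f"inbound {flow.dport}/tcp blocked by default for {dst_cust}"
            return "allow", "inbound port not on the default block list, or re-opened"

        src_cust = self.customer_by_ip.get(flow.src)
        if src_cust is not None:                       # outbound from a customer
            policy = self.policies[src_cust]
            if (flow.dport == SMTP and not policy.smtp_unrestricted
                    and flow.dst not in policy.smtp_relays):
                return "drop", f"egress 25/tcp to {flow.dst} not on {src_cust}'s relay list"
            return "allow", "outbound traffic passes except unlisted 25/tcp"

        return "allow", "transit traffic, not a customer flow"


if __name__ == "__main__":
    f = IspFilter({"home": "203.0.113.7", "office": "203.0.113.9"})
    print(f.decide(Flow("198.51.100.5", "203.0.113.7", 445)))   # dropped by default
    f.open_inbound("home", 445)                                   # customer opts out for 445
    print(f.decide(Flow("198.51.100.5", "203.0.113.7", 445)))   # now allowed
    print(f.decide(Flow("203.0.113.9", "198.51.100.25", 25)))   # dropped, no relay listed
    f.allow_relay("office", "198.51.100.25")                      # the employer's mail server
    print(f.decide(Flow("203.0.113.9", "198.51.100.25", 25)))   # allowed to that host only
    print(f.decide(Flow("203.0.113.9", "198.51.100.25", 587)))  # submission port never blocked
```

The same structure covers both objections raised in the thread: the user who runs his own mail server on DSL opens 25 inbound through the self-service page, and the employee sending through the company's SMTP server adds that one host to the relay list, while a worm on the same connection still cannot reach arbitrary mail servers on 25/tcp. Ports with no default block (80, 22, 587) are untouched, so a new application is only "DOA" if it happens to use one of the handful of ports on the block list.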
Re:Addiitional revenue! (Score:3, Insightful)
Re:Potential liability for offering filtering (Score:3, Interesting)
Re:Potential liability for offering filtering (Score:3, Funny)
Fat fucking chance of suing them for *anything*.
Support Guy : "Oh, I'm sorry, our routers forwarded the ping-of-death to your PC and erased its drive with all your data? That's a shame, because you *know* that our TOS states that we are *not* responsible for anything that we do. In fact, paragraph 134 explicitly states that we're *allowed* to screw over your computer as many times as we feel necessary, without notice. Thanks, and have a nice day! *click*"
Re:Why don't the modems (cable/dsl) firewall? (Score:3, Insightful)