Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security The Internet

Should ISPs Be The Little Man's Firewall? 790

Anonymous Coward writes "In a paper published today, the point is made that ISPs should filter some ports (e.g. 135) for good. I guess given what everyone sees hitting their various firewalls these days, this may make sense. But wasn't the Internet supposed to be 'open' at one point? Or are we to the point where Internet=Web (and maybe AIM). The author of the paper is operating DShield and I guess has some insight into this issue. He made the same points before on various mailing lists."
This discussion has been archived. No new comments can be posted.

Should ISPs Be The Little Man's Firewall?

Comments Filter:
  • by still_sick ( 585332 ) on Sunday September 07, 2003 @07:26PM (#6896121)
    And not something you get by default and then have to opt-out of - something you get offered and must opt-into. I don't care if port X of all the clueless people's machines get abused, if I want to use port X, I'm going to.
    • by GreyPoopon ( 411036 ) <gpoopon@gm[ ].com ['ail' in gap]> on Sunday September 07, 2003 @07:33PM (#6896165)
      And not something you get by default and then have to opt-out of - something you get offered and must opt-into. I don't care if port X of all the clueless people's machines get abused, if I want to use port X, I'm going to.

      I'm not sure if I agree with myself, but shouldn't it be opt-in by default, and presumably the people with a clue will know how to opt out? After all, the clueless in the world won't even figure out that they SHOULD opt in. Since the infected machines of the clueless mess up the internet experience for pretty much everyone, this makes sense to me. Of course, there should be some prominent notification so that those of us who know what we are doing can opt-out if we so choose.

      • by lafiel ( 667810 ) on Sunday September 07, 2003 @08:00PM (#6896363) Homepage
        but shouldn't it be opt-in by default

        You're absolutely correct. Just look at the way email filtering works. Spam filters are (by default) turned on, so this could follow suit. You can always opt-out of this service, and get the full email-experience. But you don't see mass complaints about how our email rights are being restricted by the ISP.

        And of course, you can opt-out of email filtering. So is port blocking really such a big deal? Just opt-out and make sure it doesn't cost any extra. Hell, filtering from my previous ISP actually costs more. Make port blocking a "feature" of the ISP, charge a buck or more, and save the commoner from having to learn about updating computer systems. Win-win.

      • by perlchild ( 582235 ) on Sunday September 07, 2003 @08:05PM (#6896395)
        Err can we get clarify this
        If everyone is subscribed by default, it's out-out.
        Opt-in means you don't have it until you ask.
        The word you mean is opt, not opt-in, not opt-out. You opt to get the service in opt-int. And you opt out of the service, in opt-out.
        Spam right now is "opt-out" you get it until you sue the spammer. Software development mailing lists are opt-in, you have to confirm you want it, before they give it to you.

        And another thing, knowing the profit margins of local isps, don't expect firewalling to be free, that's kinda good, if they make it an "option" say 1-2$/month/ip protected. That would make some larger providers happy too, they want you to pay more the more machines you have. (Nat of course, covers that, but that is a firewall function, isn't it?
    • by Anonymous Coward on Sunday September 07, 2003 @07:36PM (#6896177)
      Agreed. I left my old ISP (a small regional one in country queensland, australia) because they kept blocking ports bit by bit, based on traffic. If I started using ssh heavily, they'd block it "in case it was abuse" to try protecting me, and I'd need to call them to get the block removed. Wouldn't matter what the protocol, one by one more and more were closed.

      The only ones that weren't regularly blocked like that were web ftp and mail to their servers.

      As soon as one of the larger ISPs started operating here I switched over, and the dodgy blocking one had a huge sob story in the local paper about small businesses being forced out by large corporations. More like small businesses who have no clue what users want.
    • For us, that may be the best idea. But the majority of computer users are not savvy enough to keep up with keeping their firewalls up to date. At most, they'll install ZoneAlarm.

      My university not only blocks certain ports from the internet, such as the dcom ports, but also blocks them across subnets so it even keeps worms from spreading across our network. Is this useful? Absolutely. On the other hand, last year they tried to block IRC traffic by simply blocking port 6667. They wound up lifting the ban af
    • by chill ( 34294 ) on Sunday September 07, 2003 @07:39PM (#6896203) Journal
      I disagree. It should be OPT-OUT. The idea is to protect the clueless, and the rest of the net FROM the clueless.

      If you know anything about opening a port, then you are ahead of 99% of those connected, and know what you are doing. Thus, you can opt out.

      This wouldn't prevent you from using blocked ports.

      It would be, by far, less of an inconvenience that the shit that goes on now with everything wide open.
      • by 1lus10n ( 586635 ) on Sunday September 07, 2003 @08:08PM (#6896417) Journal
        i disagree.

        if you set it up so that everyone is behind a big firewall in the sky (which is what this would be) then what you end up with is ISP's saying "why do you want to opt-out" Or that you can't opt-out at all and you get stuck with their shitty firewall rules. you might also run into a problem where they will put you on this shitty little subnet with slower speeds/connection issues if you do opt out.

        by saying it should be opt-out (in by default) then you put more power into the ISP's hands. and im sorry i already have enough issues with my ISP, the last thing i want to see is Time warner blocking port 53 incoming, or some other such cruft. (*cough* blocking msn *cough*)
        • I agree that ISP-level port blocking should be purely opt-in, thus:

          Every time a new user signs up, they should be offered a free port-blocking service, with a list of ports and what they're used for that is worded so anyone can figure it out.

          Would it be feasible to set this up so the user can check off those ports they want blocked? or at least offer a "common ports to block" and have them use a different access point depending on their desired setup? I'd think the paranoid would be willing to pay a buck
    • by RodgerDodger ( 575834 ) on Sunday September 07, 2003 @07:45PM (#6896251)
      No.

      Just like an operating system, a connection service should be "secure by default".

      99% of the users in this world have no need for open ports. When they do, they can mostly accept that opening those ports poses risks, and they can be educated on the risks.

      (Now, if an ISP was to charge you more for opening those ports, that would be different; a one-off administration fee, maybe, but that's it)
      • by irc.goatse.cx troll ( 593289 ) on Sunday September 07, 2003 @08:05PM (#6896391) Journal
        Thats not security, thats removing a feature. If you want 'secure by default' try filtering out all connections from windows machines -- Thats also secure by removing features, just a greater extent.
        Filtering ports is just another step to the path of 'ISP' meaning direct connection to the email they want you to see, the webpages their proxy allows, and the IM they want you to have. I'd much rather they just provide the service and let whats done with it be up to the users.

        As for fixing the 'current state' -- Let users control firewall rules concerning their line. If someones being packeted with syns from random source with a static dest port of 113, they should be able to make their isp drop all of them.

        People dont realise that when an isp filters a port, its NOT optional. You can call and complain all you like, good luck even finding someone that understands what you're complaining about let alone having it enabled for you.
      • by gclef ( 96311 ) on Sunday September 07, 2003 @08:22PM (#6896490)
        Okay, so you're telling me that 99% of the users in the world have no need for p2p, some online chat features, online games, and a few other things I'm too lazy to look up? (all of these require incoming ports to be opened on the client, in case it wasn't obvious.)

        As they say on the mailing lists: I encourage my competitors to run their networks this way.
      • 99% of the users in this world have no need for open ports.

        Damned straight! 99% or the users in this world should have ALL ports closed, inbound *and* outbound. Get them lusers offa my Internet. I'm willing to let them have a NATed IP address, but them open ports gotta go. Especially port 25. And 80. I might let 'em keep 21, but NO 20, and no PASV crap, either [cackles maniacally].

    • Options are good. (Score:5, Insightful)

      by Daniel_Staal ( 609844 ) <DStaal@usa.net> on Sunday September 07, 2003 @07:48PM (#6896277)
      Actually, there is probably a better way yet: An ISP can block it's ports if it wants to, but it must tell it's users, and there needs to be at least two different ISPs in any market.

      Some ISPs could advertise that they block $a, $b, and $c, as a security measure. If the customer doesn't want to think about security, they go with those ISPs. Others could advertise they allow access to the entire net. I would sign up for that, and do my own security.

      Of course, for this to work there actually needs to be competition in the ISP realm. Not a given at the moment.
      • Re:Options are good. (Score:4, Interesting)

        by dnoyeb ( 547705 ) on Sunday September 07, 2003 @08:30PM (#6896519) Homepage Journal
        First, most of my ports are being hit by my ISP.

        Second, inevitably ISPs will claim it cost them to open up the rest of the ports, and you WILL get charged for it...

        Third, cold day in hell when broadband is competitive to a majority of people in the USA.

        I have 2 windows boxes and have yet to get infected. The way I see it, those that get infected eventually die off... Leaving only the fittest of boxen.
    • Why not make Operating Systems block all ports as default? This isnt a network issue its an application issue.
  • by Beatbyte ( 163694 ) on Sunday September 07, 2003 @07:26PM (#6896124) Homepage
    relies on me to find the latest virii/worms that are going to pound the bandwidth, get their port numbers, and setup ACL's accordingly. Not only do the customers like it, it gives us more time to patch our hundreds of machines, and decreases our incoming bandwidth.

    Overall, I help stop another hundred thousand or so Win32 users from pounding the net to death. I don't see how anyone could see this as a bad thing. (welcome input)
    • a bad thing (Score:3, Insightful)

      I don't see how anyone could see this as a bad thing. (welcome input)

      Then you (as well as your employers) are very short sighted. I could well be using those ports. Many software programs that dynamically allocate ports likely will use some ports you block, and users applications will just fail "randomly". And, of course, your tech support people will deny all knowledge of it. Or, in the case of well known ports such as port 135 mentioned in the original posting, I've actually used port 135 to share ent

      • Re:a bad thing (Score:5, Insightful)

        by Lord Kholdan ( 670731 ) on Sunday September 07, 2003 @08:12PM (#6896442)
        Then you (as well as your employers) are very short sighted. I could well be using those ports. Many software programs that dynamically allocate ports likely will use some ports you block, and users applications will just fail "randomly". And, of course, your tech support people will deny all knowledge of it. Or, in the case of well known ports such as port 135 mentioned in the original posting, I've actually used port 135 to share entire windows directory structures across the Internet (between a system in Indiana and one in North Carolina). It was slick and very handy, although too few understand how cleanly (and safely) this can be set up and made to work. How can slashdot readers really advocate ISPs blocking the utility of the service we buy because some people who also buy it are too lazy to learn to use it properly?

        And how can you demand people to learn computer security if you think it's excessive to require you to opt-out from the isp firewall?
      • Re:a bad thing (Score:5, Insightful)

        by bradasch ( 516015 ) <guimas@@@gmail...com> on Sunday September 07, 2003 @08:14PM (#6896453)
        I'm sorry, but you're the one being short-sighted. You obviuosly know what you're talking about when you say you need port 135 open, etc. Now think about users without any knowledge about these things. Think, for instance, a high-school teacher acessing the internet from his house. Why the hell would this person need access to port X Y or Z?

        As many have mentioned here, these services should be requested by people who understand what they're doing. For the rest, it just doesn't matter.
      • Re:a bad thing (Score:5, Informative)

        by oolon ( 43347 ) on Sunday September 07, 2003 @08:31PM (#6896527)
        Some people like my dad just want to use the internet, and they don't care how it works, they pay money for an ISP and they expect them to make it work.

        James
      • Re:a bad thing (Score:4, Insightful)

        by Beatbyte ( 163694 ) on Sunday September 07, 2003 @09:17PM (#6896760) Homepage
        Ever heard of tunneling? if you're setting up networks like that, you should use VPN or similar.
    • Overall, I help stop another hundred thousand or so Win32 users from pounding the net to death. I don't see how anyone could see this as a bad thing. (welcome input)

      I would like my ISP to provide firewall services, but not in such an automated manner. Or, rather there should be a web interface like my ISP has for reverse-dns. There should be a checkbox for unfiltered, for autofiltering by ISP with or without notification of filter rule changes, and some way to block/unblock common things yourself by name
  • absolutley not... (Score:4, Insightful)

    by z-kungfu ( 255628 ) on Sunday September 07, 2003 @07:27PM (#6896126)
    I don't want them filtering anything for me thank you. I can take care of myself. Next thing they'll be stripping attachments off of email and blocking content. Let internet Darwinism take it's course, only the strong will survive,a nd when all these people get tired of the insecure crap that windows is, maybe, just maybe they'll vote with their dollars to not support MS anymore.
    • Re:absolutley not... (Score:5, Informative)

      by ralphus ( 577885 ) on Sunday September 07, 2003 @08:18PM (#6896473)
      The problem with your argument is that it doesn't apply in this environment. The general public will use one OS, windows. The general public won't give a damn about securing their system. The general public will have unsecured systems. The general public is therefore a large scale problem that will make possible to exploit a large number of systems with common vulnerabilities and once they start doing damage, they can have a large scale detremential effect on the net as a whole, even to those who have protected their machines against the vulnerabilities.

      Case in point: I was not affected at all by Sobig.F directly, however I did see my mail gateways come under incredible load, my IDS's fill DB's with Sobig warnings, my users encounter endless confusion at bouncebacks from dumb virus scanners that claim we are infected since Sobig is a SMTP forger. Sobig wasted a lot of my resources and time even though it didn't infect a single one of my 1700+ users. It was rather benign though, I'm afraid of what comes next [blanu.net].

      • by Arker ( 91948 )

        But the general public is not quite so stupid as you make them out to be either. After these folks get hit once, the start to care. They can fix the problem quite simply, with a $50 hardware firewall/nat router they should probably have anyway, or a free software firewall like Kerio. All the ISPs really need to do is a little education.

        • by ralphus ( 577885 ) on Sunday September 07, 2003 @09:01PM (#6896684)
          I'm not saying they are stupid. They just aren't informed and probably don't care to be like I do. That isn't a bad thing. Some want a Turing machine, others want an appliance. For example I'm not stupid but I have no idea, and I don't care to have an idea, on how to write a contract that will stand up in court so I have to get a proxy to do it for me who is a ABA certified expert.

          I do know that I can find the proxy in this case, and how to find them. Still I think, getting a firewall and plugging it in or installing it can be a difficult concept for the general computing public to get today. I hope that changes, and I think it *is* changing for the better.

  • by Plix ( 204304 ) on Sunday September 07, 2003 @07:27PM (#6896129) Homepage
    While I agree with the point I think that power users should be allowed to call up the ISP (maybe even at initial sign-up) and be allowed to request that the ports remain unblocked. Otherwise, the internet *will* become just the web and AIM for everyone if they like it or not.
    • by zwoelfk ( 586211 ) on Sunday September 07, 2003 @07:44PM (#6896244) Journal
      While I agree with the point I think that power users should be allowed to call up the ISP (maybe even at initial sign-up) and be allowed to request that the ports remain unblocked. Otherwise, the internet *will* become just the web and AIM for everyone if they like it or not.

      Well, what's going to happen is: The ISPs will eventually block most ports, "'cause most users don't need 'em." and that'll help some people. "Power users" will be able to pay an extra fee to get the ports unblocked - a "setup" or "administration" fee. Probably even a per-month fee, so they can /really/ get some extra cash. And those people with residential ISPs (e.g. DSL) will be SOL because arguing with the phone company about what ports are blocked will be totally ineffective -- and since they typically have a monopoly on the lines, there's not much you can do. Remember when shell access was standard? Same deal.

      This will suck for a while. Especially when they block port 22 at first, because they forgot about SSH. Then eventually most things will be re-written to tunnel through port 80, making everything more complicated (multiple servers switching on the same port). And of course, the worms will follow.

      The point is, there is a reason these ports exist in the first place -- they allow some flexibility and simplify communications. What they're really saying is "We don't like the way the internet is designed. So we're going to break it. Sucks to be you."

      Z.
    • by billstewart ( 78916 ) on Monday September 08, 2003 @01:51AM (#6897804) Journal
      I agree that blocking should normally be an optional thing, and unfortunately the default should probably be to block lots of things, because there are too many insecure applications and operating systems out there. The question is *where* to do the blocking. For a dialup system, it's obvious that you should probably implement the blocking at the ISP end, but for a dedicated connection (cable, DSL, private line, business T1, etc.), you've got a choice of whether to block it at the ISP's end or at the router on the user's end (whether it's provided by the user or the ISP). From a scalability standpoint, it's much easier to do the blocking on the user end - that also can work well if you want to let the user turn the blocking on and off - almost all of those devices have enough horsepower to do the job, and routers from certain large router vendors *don't* have the horsepower to do it for lots of users (and if they did, ISPs would make the tradeoff of putting more users on each box.)

      There are some exceptions, though - if you're getting a high-volume flood of some sort (DDOS attacks, Slammer worms, ping floods, etc.), it's nice to be able to turn it off at the ISP's end of the wire, because that prevents your bandwidth from getting stepped on by the attackers, while otherwise you might be unable to get any effective work done because 99% of your bandwidth is the attack.

  • I know for certain that MSN does. I had a friend who found he was unable to use a work SMTP relay and had to resort to using the MSN relay.

    As for me, I use Qwest and have found that they will not allow me to keep an open TCP session, meaning my SSH sessions constantly stall.

    Calling tech support resulted in an entertaining conversation during which the support guy insisted that if I could "browse my webs" everything was working.

    Oh well, time to change ISPs...
  • Optimum Online already blocks 135, which is OK. But after Code Red, they also started blocking port 80, which sucks.

    Though I really want to blame all the morons with unpatched IIS servers, there's this little voice in my head that's telling me that Optimum Online was more than happy to prevent those of us that don't want to pay $100+ for "business accounts" from running web servers.

    By the way, a friend of mine in Houston told me his cable provider keeps all its users behind a NAT - no incoming connecti

  • I'm in the middle. (Score:5, Insightful)

    by Thomas M Hughes ( 463951 ) on Sunday September 07, 2003 @07:30PM (#6896143)
    If my ISP gave me a slick web interface that allowed me to open or block ports specific to when I connect, I'd be all for it. Set the defaults to block things, to protect against worms and the like, but if I want those ports open to do something, it should be easy for me to open them. I think that's the perfect middle ground. People who don't know (or care) will be protected. Those who care can easily do whatever they want. The ISP just has to make it clear where the options are.
    • by Bodrius ( 191265 ) on Sunday September 07, 2003 @08:11PM (#6896436) Homepage
      I had opened the article specifically to make this same comment.

      Just like self-administered hosting services have successfully provided "servers for the little man" through virtual hosts and web configuration interfaces, ISPs could provide security for the average joe.

      Integrate the UI well with your webmail (spam-filtering, etc) and other services, and your ISP portal can actually be more useful than as a bandwidth test.

  • Absolutely (Score:5, Interesting)

    by nickd ( 58841 ) on Sunday September 07, 2003 @07:31PM (#6896152)
    This is another case of where techies do not think about things from the customers point of view. Of course most slashdotters will want their ports open - the customers on the other hand dont know what a firewall is, what the implications of their ports are etc - quite frankly they shouldnt need to.

    Filter by default - if you need your ports or you want to do your own firewalling then get the "advanced user" account that costs less but requires more responsibility from the user.

    If anything this is just an opportunity for ISP's to make another value added service to sell.
    • Re:Absolutely (Score:3, Insightful)

      by groomed ( 202061 )
      Filter by default - if you need your ports or you want to do your own firewalling then get the "advanced user" account that costs less but requires more responsibility from the user.

      No, you've got it entirely backwards.

      It's the "family" account that will cost less. The "family" account will include traffic filtering and it will come with a service charge for every webpage viewed and every email sent. Traffic filtering will ensure that that your Internet activity will remain limited to the viewing of webp
    • The problem (Score:3, Insightful)

      by Sycraft-fu ( 314770 )
      Is that the "advanced user account" would probably end up costing MORE, not less. I think that you'd mostly find 3 situations:

      1) ISP blocks ports/services/etc and won't unblock them. Claim it is for securtiy, etc and just won't do it any other way. We had this problem with Cox. They disallowed any VPNs on their normal cable accounts. Our university uses VPNs extensively. It came down to us explaning to them that we would recommend people go with a different provider if they didn't change the rules. Of cour
  • a great idea imo (Score:2, Interesting)

    by Dreadlord ( 671979 )
    with the Internet being so much popular these days, I think that filtering some ports can save a lot of hassle, many people use the Internet just to browse the web, read email and chat, so why not?
    On the other hand, ISPs may add an option to get an advanced connection, in which all the ports are open.
    my 0.02$
  • A problem? (Score:5, Insightful)

    by Absurd Being ( 632190 ) on Sunday September 07, 2003 @07:33PM (#6896164) Journal
    Blocking all other ports will just mean worms and virii will have a permanent effect. Each wave of them will kill off a port. When we run out of ports (because something will be written for each one) then the internet must shut down. Some redundant system.
  • by salesgeek ( 263995 ) on Sunday September 07, 2003 @07:36PM (#6896184) Homepage
    The problem isn't ports - it's the applications that use the ports.

  • by FreeLinux ( 555387 ) on Sunday September 07, 2003 @07:39PM (#6896205)
    I am paying for raw internet bandwidth and that is what I expect to get. I will not tollerate any filtering or restrictions on the use of my account.

    Any ISP that mandates filtering should also provide significant discounts to their customers as they are no longer providing a full raw feed. Of course, this will never happen as the filtering will increase the ISPs operating cost so the end result will be less service at a higher price.

    Block my ports and I move to another ISP. If enough ISPs start blocking ports to the point that I can no longer find one that meets my needs, then I will open my own again because the demand for the small ISP will be back.
    • by Jetson ( 176002 ) on Sunday September 07, 2003 @09:44PM (#6896892) Homepage
      I am paying for raw internet bandwidth and that is what I expect to get. I will not tollerate any filtering or restrictions on the use of my account.

      And yet the most common complaint I hear from people is how they paid for lots of bandwidth but they're always the victim of lag and dropped packets. Blocking ports 135-139 would eliminate a substantial amount of the background "noise" that's taking a bite out of your bandwidth.

      If someone *needs* to share 135-139 over a public network then they should be using a VPN anyway.

  • No... (Score:5, Insightful)

    by shri ( 17709 ) <shriramc@@@gmail...com> on Sunday September 07, 2003 @07:41PM (#6896218) Homepage
    It will give lusers a false sense of security. I happen to travel with my notebook and one of the worst places where I get hit by viruses is not my home ISP or work, but hotel broadband connections in Asia.

    If my ISP was protecting me, I would be complacent and I can see myself not updating the scanners / firewall on my notebook and getting hit the next time I went on the road.

    The next issue is liability. If an ISP claims to protect and a luser gets infected, they're going to sue (atleast in a north American situation).
  • by Kjella ( 173770 ) on Sunday September 07, 2003 @07:46PM (#6896262) Homepage
    ...but I suppose when TCP/IP was created, noone thought of the Internet as today. There should have been a section of ports dedicated to "LAN software", which by common agreement would be dropped by ISPs.

    It would keep a lot of services that aren't supposed to go outside the home where they belong, and if you didn't want that, you could put the service on a "public" port. What is happening now is basicly patchwork by individual ISPs, blocking ports but with little coordination.

    I want to have a free Internet where you can use any port you want. But there are also quite a few services that shouldn't be accessible from the Internet too, customer-side firewall or not. Latest and greatest is the Messenger service SPAM. Why would such a service be open to the world? But there's no "private" port you can put it on where only LAN requests come through. Not unless you do IP filtering, but wouldn't it be just as easy to have some port range that you simply know won't be sent to/recieved from by your ISP?

    Kjella
  • Question (Score:4, Insightful)

    by ciroknight ( 601098 ) on Sunday September 07, 2003 @07:51PM (#6896297)
    If we effectively kill off every port on the internet.. what is the point of having the TCP layer protocol? And if we killed it, wouldn't a lot of devices simply stop working? So I ask.. WHY!?

    Personally, I love the idea of having ports. It allows a lot of intrasystem communication, even if it isn't the best way of doing it, and it allows many many services to run on one machine. hell, without TCP, we wouldnt have IMAP or POP3 or SMTP etc.. (unless someone did them from a web front, sorta like yahoo, but then it's the same thing on their end....) Somewhere down the line, people have gotta realize, fixing the problem doesn't mean you have to break something else in the first place. ISP's need to let the users deal with viruses, even if they are 100% computer illiterate. Maybe they should offer a service where they will patch your system for a price, instead of simply blocking a port that someone may have been using constructively. This really outrages me, because Adelphia, my Cable provider, has killed so many ports due to virus outbreakes (Codered killed 80, MSBlaster killed 135, 139, 4444, and a bunch of UDP ports), ports that I would have liked to use (port 80 mainly). I have to redirect to 8080, and not many people will know how to do that. Please people, think before doing something so drastic as cutting off all the ports... There are much better solutions.
  • Slippery Slope (Score:3, Interesting)

    by Lord_Dweomer ( 648696 ) on Sunday September 07, 2003 @07:52PM (#6896309) Homepage
    While I think something like this may be useful if it defaulted to opt-in with ability to opt-out, I am scared of the possibility of a slippery slope.

    Sure this starts out helping the net in general and preventing everything from going to hell when the next virus comes out.....but what if the RIAA after some successful lawmaking decides that whatever ports Kazaa is running on are bad/illegal and must be blocked? Or what if program X runs on port Y and whatever group doesn't like it decides to block it? Obviously there are other ways around it....but not everybody knows those. Maybe I'm just being paranoid....but with some of the things that have happened lately, who's to say.

  • Some thoughts.... (Score:5, Insightful)

    by Sevn ( 12012 ) on Sunday September 07, 2003 @07:54PM (#6896327) Homepage Journal
    I spend from 10pm last night til 4am on a conference with the worst bandwidth provider in arlington texas because one of my clients was getting his one of his T1 lines bombarded by a ddos attack. The concept of dropping non-source routed packets was foreign to them. I guess the point I'm getting to is, there are some things the guy on the other end of the T1 line can not do for himself. Even if he had the best bridging packet filter in the world between his T1 and his machines, the pipe would still be screwed at the router above him. So yeah, you bet your ass the provider needs to step in when things are happening at their level. And if they are selling T1 lines to people, they should have the kind of talent in place and IDS systems in place to detect attacks and crap of this nature and do something about it.
  • by lewp ( 95638 ) on Sunday September 07, 2003 @07:56PM (#6896341) Journal
    1. ISPs start blocking ports
    2. All software uses port 80
    3. ISPs start using more complex and intrusive filtering that blocks everything that doesn't look like MSIE
    4. The internet is officially shit
    I can't fucking wait.
  • by GammaTau ( 636807 ) <jni@iki.fi> on Sunday September 07, 2003 @07:57PM (#6896347) Homepage Journal

    Well, I guess the underlying assumption here is that the software using the ports 135, 137, 139, and 445 is broken beyond repair either from the security perspective or then the software is very hard to configure properly (because it seems people accidentally misconfigure it to be open to the entire Internet). Either way, the suggested measure would be an unnecessary limit of free communication for no other reason than a common implementation of certain protocols.

    If it is possible for clueless users to accidentally run software that puts their computers at great risk, then I say there is a serious usability problem here. If the software implementation and/or protocols itself are insecure, providing a better implementation/protocol is a step towards better future. Trying to shift the responsibility to ISPs isn't the way to go.

  • by wtom ( 619054 ) on Sunday September 07, 2003 @08:22PM (#6896491)
    It should be up to users to protect themselves, or it should be an OPT-IN value-added service provided by the ISP, even if it costs extra.

    I pay for bandwidth, plain and simple. I want every port open for whatever use I so desire, with no blockage from the ISP period.

    Some morons at certain ISPs recently decided to block all pings, period, on their broadband networks. I run a small computer consulting business, one of my specialties is ipsec-connected subnet-to-subnet VPNs for small businesses with dynamic IP broadband connections. The scripts that make all this work depend(ed) on being able to ping various places to determine if the internet was up, if the peer host was up, and if the tunnel was up.

    Since someone didn't RTFM on stateful packet filtering, and figure out how to safely allow ping traffic while blocking DDOS attacks, all my scripts broke (well, among those home users using those certain ISPs that connected into the office). Who in the seven hells ever thought an ISP would block ping!!! I can see a popular website doing it, but an ISP?!? Across their entire network?!?!? Baka!

    Anyway, I had to quickly rewrite the scripts to pull entire webpages down to test connectivity, and dump them into the bit bucket, instead of nice, tiny little ping packets. (Let's see 'em block http) Wastes bandwidth, and less elegant too! wheee!

    Cookie-cutter broadband ISPs without the technical knowledge to properly configure their routers are NOT people who I want determining what ports/protocols I can and can't use. I pay for bandwidth. Leave my ports alone!
  • by FsG ( 648587 ) on Sunday September 07, 2003 @08:23PM (#6896494)
    Why not take this a step further by blocking anything that the user did not request in a NAT-like fashion? Broadband router users have been enjoying the security that this provides for ages, and I see no reason why everyone else shouldn't, too.

    Security-wise, this would block many worms (both present and future) because they would simply be unable to connect to any system. Besides that, it would also block backdoor trojans like NetBus and BackOrfice because, although they'd still be listening, no one would be able to connect to them and control the user's system.

    To address the NAT-type problems that this would create, ISPs could automatically make certain exceptions for port blocks that interfere with popular games and whatnot. For advanced users, there would be a control panel (much like those built into NAT firewalls) where they could unblock any or all of the ports.
  • by Frater 219 ( 1455 ) on Sunday September 07, 2003 @08:25PM (#6896503) Journal
    It is not the ISP's job to protect you from the insecurity of the software that you choose to run on your connection. Therefore, the ISP should not block ports (or take other steps) for the purpose of protecting you from worms, viruses, or crackers -- unless you contract with them for that purpose.

    However, it is the ISP's job to maintain service quality for the other thousand people served by the same point of presence that you use. It is its job to protect its service from DoS attacks, to ensure that those who don't have a worm are able to use the service.

    Therefore, when a worm outbreak borders upon DDoS, it is very likely in the ISPs' best interest to interfere with it. They should do so minimally, because their purpose in so doing is to minimize its effect on their business and responsible network operators -- not to Quixotically defend irresponsible network operators.


    At different stages of an outbreak, and depending on the specific behavior of the worm, an ISP's best response may differ. For instance, if a tiny number of customer hosts are infected and are blasting huge amounts of traffic, the best response may simply be to remove them from the network, or block the relevant ports on the proximal router.

    If they call and complain, the first-line technical support can read off a prepared statement, which (when boiled down) says basically this: "Your computer was being used for a Federal crime, breaking in to other people's computers. We shut down the network to protect our other customers from this criminal activity. It's possible your computer was infected by a virus that was being used to perpetrate this crime. Because of this possibility, we didn't call the FBI and report you as the source of the criminal activity. It's your responsibility to keep your computer from being used to hurt other people." They can then go on to offer, for a small fee, a CD of licensed antivirus and worm removal software -- or, for a larger fee, a visit from a technician who will run the same. Connectivity is not restored until the system is clean, whether by this means or any other.

    In the case of a widespread outbreak, where more than 5-10% of the client systems are infected, it's probably more expedient to just block the ports on the core routers first. Then find a way of enumerating the infected systems and dealing with them, if it's deemed worthwhile.


    Of course, any such measure should be announced. Exactly how to announce it I'm not sure, since many ISP users don't use an ISP mail account (and the ISP must not send spam), nor do they read the ISP's local newsgroup or visit the Web page.

    In the case of a local ISP, the newspaper is always an option.

    • For instance, if a tiny number of customer hosts are infected and are blasting huge amounts of traffic, the best response may simply be to remove them from the network, or block the relevant ports on the proximal router.

      The other day, I was using my computer at work. While using my Mozilla browser on Linux, SBC redirected my browser to a web page declaring that my computer had been infected with the Blaster Worm.

      It should be obvious to you already why this was simply rediculous.

      I don't object to your i
  • Managed Services (Score:3, Insightful)

    by The Man ( 684 ) on Sunday September 07, 2003 @08:29PM (#6896518) Homepage
    This should be offered as an optional add-on service. It's often done in the business world, and it's called managed services. You might pay your provider to firewall for you, to manage traffic, to balance loads, to provide switching or routing, and other services. Firewalling is a type of service I might well want my ISP to provide, so long as it's under my control. This could reduce the investment I might need to make in hardware (routers, firewalls) or software (so-called "personal" firewalls, cleanup tools) and thus be a good value.

    The problem, of course, is that most who really want a consumer-style connection won't go for it because they can't see any benefit to the added cost; becoming a worm or virus transmission vector annoys others but does not usually degrade the infected user's consumption experience and therefore managed firewall services don't make sense. The solution to this is an addendum to terms of service that stipulate that systems which are reasonably believed to be infected with a worm or virus and are adversely affecting networks as a result will be dropped from the network and no refunds will be given. Service will be restored only after a professional (partnership or more managed service opportunities here...) has inspected the system and found it clean of any such threats. Since this will be both annoying - unexpected service termination - and expensive - hourly fees for system checks won't be low - users will find this type of low-cost insurance valuable and useful. Probably enough so to pay an extra 3 or 4 bucks a month, surely enough for the ISP to make a nice profit as well.

  • by whoever57 ( 658626 ) on Sunday September 07, 2003 @09:13PM (#6896739) Journal
    is that it costs real money to block ports. ISPs have big routers and the cpu cycles of those routers are expensive. Blocking ports takes additonal cpu cycles, so ISPs need to have a strong business reason to start blocking.
    • is that it costs real money to block ports. ISPs have big routers and the cpu cycles of those routers are expensive. Blocking ports takes additonal cpu cycles, so ISPs need to have a strong business reason to start blocking.

      I doubt there's a router built in the last 3-5 years that can't block traffic at the port level without so much as a blip on it's cpu cycles. Fancier blocking (multiple conditional rulesets etc) _might_ hurt a particularly poorly designed router, but simply dropping a packet based on

  • by swordgeek ( 112599 ) on Sunday September 07, 2003 @09:15PM (#6896747) Journal
    My ISP has spam filters. If you log into their webmail client, you can turn on or off the various rulesets, or tune them at will.

    Now if they didn't have this adjustment ability, I'd be moving elsewhere in a big hurry--but they give me the filters, default them to all on, and let me turn off what I want. I don't see why they can't do that with internet ports. Default to everything turned off, and then have a website that I could authenticate against, which would allow me to open ports. ACLs in FW1 should be able to accomplish this.
  • It's their service (Score:3, Interesting)

    by anthony_dipierro ( 543308 ) on Sunday September 07, 2003 @09:15PM (#6896750) Journal

    so they can do whatever they want.

    C'mon, mod this down as a troll, just so you can prove my point.

  • by phr1 ( 211689 ) on Sunday September 07, 2003 @09:16PM (#6896755)
    Those port blockages (except for maybe 25) are workarounds for ridiculous MSFT security bugs. The proposal is that ISP's install blocks to work around the bugs. Shouldn't MSFT clean up its own mess?
  • Most certainly not (Score:3, Interesting)

    by davmoo ( 63521 ) on Sunday September 07, 2003 @09:29PM (#6896817)
    If my ISP wants to filter things such that I cannot run a server from my house, that is okay. I can live with that, since I'm buying residential service and not business access. Uploading is throttled down to 64kbs anyway (I'm on a cable modem), so it would make a shitty server point anyway.

    But the first time my ISP limits what I can receive without giving me the option of turning it off will be the last time I use my ISP. Its not their place to determine what is "good" and what is "bad" for me, nor is it their duty to protect me from my own stupidity. Babies who need their hands held and cannot think for themselves can use AOL.
  • by Todd Knarr ( 15451 ) on Sunday September 07, 2003 @10:02PM (#6896993) Homepage

    The ISP is to the user what the backbone provider is to the ISP. The ISP should no more be filtering ports than the backbone provider should be filtering ports. If users not knowing what they're doing is becoming too much of a problem, or is putting other users at too much risk, then the ISP should be doing what we require for cars: users must prove a certain level of knowedge and ability to safely operate a computer/car before they're allowed on the Internet/road.

    Unfortunately, this isn't an ideal world. Until people stop whining that, effectively, "Why do I have to know how to drive? I just want to go places in my car!", we may have to live with this.

    • Why not just make users pay for their bandwidth? This is the real reason ISPs block ports and ban "servers." If Joe Dumbass gets a bill for $200 because his computer is infected with the latest worm, then you'll see him start patching his computer and demanding his software vendors do something about security.

  • This is sooo simple (Score:3, Informative)

    by dfn5 ( 524972 ) on Sunday September 07, 2003 @10:19PM (#6897063) Journal
    The only job the ISP has is shuttling packets back and forth, period. They should not be concerned with the content of those packets. That should be up to the end user/organization to determine what is or is not appropriate for their network.

    I really don't care about making the Internet safe for everyone. Next thing you know we'll be suing gun companies over homicides, I mean ISPs over cyber attacks.

    Isn't the real issue here the fact that Windows has so many security flaws? Maybe Windows just isn't ready for the Internet. I run Solaris, Linux, and MacOS X, with the protection of a Solaris/IPFilter firewall at home and do you think I care about worms and viruses? Nope.

    The only thing I could possibly suggest that the ISPs do is communicate a standard warning: "The surgeon general has determined that Windows can be hazordous to your computer while connected to the Internet." and leave it at that.

  • by pebs ( 654334 ) on Sunday September 07, 2003 @10:37PM (#6897157) Homepage
    the cable/dsl modems themselves should have built in firewalls. setup secure by default. if the user wants to reconfigure or disable it, they should be allowed to do so.
  • In a word... (Score:3, Insightful)

    by The Master Control P ( 655590 ) <ejkeever@nerdNETBSDshack.com minus bsd> on Sunday September 07, 2003 @11:25PM (#6897339)
    No

    I don't trust anyone but myself to filter what I want. Suppose a certain corporation that shall not be named were to lean on ISPs to block common p2p ports?

    Suppose I were working at home as a security consultant and needed acess to all ports, including those used by virii?

    The internet was originally designed with all the intellegence at the ends, and not at the center. This was done to prevent anything like this kind of behavior, where the people with the routers can control what you can access. If it were not for this forethought on behalf of the Internet founders, your ISP would control what you can access.

    And that's what this could easily evolve into. You know the routine. You start with a little. Then they push it a little farther. And a little farther. And a little farther. Then the "internet" is nothing but a glorified TV station, feeding you the same junk in an interactive manner.

    Obligatory BTTF quote: "Admittedly, that is a worst case scenario..."
  • by alizard ( 107678 ) <alizard.ecis@com> on Sunday September 07, 2003 @11:37PM (#6897373) Homepage
    If all the ports people don't ordinarily use get blocked at the router, what's going to happen to anybody who creates new Internet services/applications?

    If the approach is "opt-in", any new Internet service in the future is going to be DOA because Joe Clueless is going to download the new apps, find out "they don't work", and isn't going to contact his ISP where the problem is.

    The other problem is that any ISP big enough to have a clueless "first line" help desk isn't going to be able to handle "please turn this port on" inquiries from Joe Clueless and will be even less able to handle them from anyone with a clue.

    Do we have all the Internet services we're ever going to want?

    Sacrificing future technological possibilities just to keep the current Net running properly isn't exactly the sort of thing we want if we want to do interesting and maybe profitable high-tech things.

    Port 135 and the most commonly abused other ports there's a case for blocking by default.

  • No. (Score:3, Insightful)

    by ikekrull ( 59661 ) on Sunday September 07, 2003 @11:42PM (#6897387) Homepage
    Multiple ports are not the problem - if nothing is using those ports, there would be no traffic on them.

    Blocking ports will only cripple legitimate users of those services while the malicious attackers will find other vectors for attack.

    You can keep blocking ports until everything is tunnelled over port 80 and content only flows 'one way', but we already have that - its called TV/Radio broadcasting.

    If anything, ISPs should filter the users logging onto their systems - e.g. if the system logging on fails security tests, or exhibits virus-carrying behaviour, then outbound access is curtailed or disabled entirely.

    Crippling the internet because Microsoft can't get their shit together is the dumbest thing i've heard this week.

  • Word of the Wise (Score:3, Insightful)

    by Bruha ( 412869 ) on Sunday September 07, 2003 @11:43PM (#6897393) Homepage Journal
    I'm currently at a Holiday INN. Well they're high speed net access. Faster than a T1 is nice but they block port 25. It's a inconvience since I cant send email through my yahoo smtp account nor my email account on another server. Though I'll have to call our hosting service to map port 2525 to 25 to get around this issue it's still an annoyance.

    If the ISP blocks 25 then the spammer will have a buddy setup a box outside the network to accept on some random high port like 37337 and just go to town just like usual. All it serves to do is get in the way of legitimate users in a punish the many for the crimes of a few method.
    • Re:Word of the Wise (Score:3, Interesting)

      by Indy1 ( 99447 )
      i agree that port 25 blocks ARE a pain to end users, it DOES cut down on the sobig attacks, and the dumb ass make money at home by spamming on your dsl /dialup connection. About a month or two ago cox cable blocked port 25 on their cable users, and since then, i've seen ZERO spam attempts from their network. Compare that to rr.com or attbi.com, which i've had to ban their entire network sans the real smtp servers at my firewall because of the massive worm and spam attempts.
  • by Anonymous Coward on Monday September 08, 2003 @01:12AM (#6897694)
    Telecom New Zealand currently offers its business customers a service that allows the customer to configure their own VFW (Virtual FireWall). Changes made to the config of the customers VFW via a https web server are immediately sent to the firewall (inside the Telecom network). While the customer does not have the ability to change the outgoing NAT address of the VFW most other options one would expect from a firewall sitting in the office are available such as; selecting Src/Dst IP, Protocol, Src/Dst ports etc. Incoming services such as customer managed web servers etc. can be set up by the customer though this does require you to pay for an "extra" Public IP address. The firewall follows state and is designed to support large numbers of unique customer networks with overlapping private address space. All in all its a very sexy thing. Sadly there isn't much technical detail on how the system works but the sales blurb makes for interesting reading. http://www.telecom.co.nz/securebusinessinternet/
  • NO!! (Score:4, Insightful)

    by DunbarTheInept ( 764 ) on Monday September 08, 2003 @01:14AM (#6897704) Homepage
    You know how this would work. Those port numbers often used on Windows would be allowed. Anything not on that whitelist would be cut off. So suddenly everyone using Linux under the ISP who wants their services to work correctly gets labelled as an uncouth 'hacker' (in the media meaning of the word, not the original meaning) for wanting to punch through the firewall.

    And then the morons who make the majority of public opinion see the extra hoops Linux users would have to jump through to get their systems to work and think, Oh, my Windows box just works, so I guess it's better. (For example, if Windows sharing port numbers are allowed but NFS port numbers are not, then the general effect is that Windows filesharing works and Unix's does not. No amount of explaining will sway the public opinion on this. It's not based on reasoned thinking.)

    And although I couched this in terms of Windows Vs Linux, the more general case is the real problem - it makes the decision of which technologies will live and which will die be entirely in the hands of the ISPs. It's the equivilent of your phone company saying "You can discuss your pets, your wife, and your kids over our phone lines, but you aren't allowed to talk about radios, televisions, or cable modems over our phone lines. And we'll be listening in and if you try to raise one of those subjects we'll cut your call off."

  • by Ephemeriis ( 315124 ) on Monday September 08, 2003 @06:36AM (#6898440)
    I'm seeing a lot of people on here complaining that they want their ports open...but you need to remember that we are not indicative of the "average" user.

    Like it or not, the Internet no longer consists entirely of technically inclined people. We are outnumbered by folks who just want to read email and surf the web...and don't even know what SSH is.

    The problem is that their ignorance affects the entire Internet community. If a few thousand people get infected with the latest worm and start DDoSing a server, or bogging down the mail relays, everyone is affected - even the technically inclined people who were smart enough not to get infected.

    Your average user just wants an appliance, a tool they can use without too much effort. They don't know about ports, and don't want to. Honestly, they shouldn't have to know everything that we do - it isn't their problem. Just as I don't know everything that my Doctor does...they don't need to know everything that their ISP does.

    For this average user, I think port blocking would be a godsend. Honestly, there really aren't all that many applications that require incoming connections to your home machine....most of the time it is outgoing. Shut down the ports, protect the "average" user, and then let those who know what they're doing open their ports back up.

    yrs,
    Ephemeriis
  • by ollyg ( 675470 ) <oliver.gorwits@c ... ces.oxford.ac.uk> on Monday September 08, 2003 @06:42AM (#6898462)

    uhmm, apart from the slick web interface to ask the user what they want, has anyone thought about the poor sodding router that has to hold all these personalized rules?

    even the big cisco PIX jobbies barf at the thousand rule mark. you'd have to go for a user-wide policy which would put off all the technically competent / meddlers.

    it's just not going to work on this scale, I believe. the solution is to have operating systems and small domestic 'broadband routers' have default-deny policies, and lease the ISP (no matter what size they are) to shifting packets and answering DNS, like they're good at.

  • by HiThere ( 15173 ) * <charleshixsn.earthlink@net> on Monday September 08, 2003 @09:46AM (#6899703)
    If you start blocking every port except 80, everything will get rewritten to use port 80. This will result in a significant increase in overhead, and *NO* increase in security.

    Ports are conventions. We use certain ports for certain functions because we have agreed to . No other reason. We already see programs that don't belong on 80 using it because they need to get through firewalls. This would merely globalize the tendency, and eventually the entire usefullness of ports would be destroyed.

    One can say that this is to protect the innocent, and feel good about things. But this will have as much decent result as most "protect the innocent" laws: None. And it, like most of those, will have significant negative downsides.
  • Nope. (Score:3, Insightful)

    by Quixadhal ( 45024 ) on Monday September 08, 2003 @12:22PM (#6901294) Homepage Journal
    My ISP already does filter several ports for me... and it is very annoying. I have a cable modem (Charter) and they established a policy about "No running servers on a non-expensive-business line", and so they block common server ports like FTP and HTTP. Fine, not a big deal.

    However, some corporate monkey heard the word "server" in relation to "mail server" and decided to block SMTP as well. This isn't outgoing SMTP (which might block some spammers), but incoming SMTP!

    So, Charter has to waste disk space and resources storing my mail for half an hour, I have to jump through fetchmail hoops to pull it down every half hour, and MY sendmail has to go through ugly masquarading so I can still have working properly addressed mail inside my LAN, but have it get converted to THEIR email address outside since I have no way to point my domain's MX record at my mail server.

    Long story, short point. Do you WANT this kind of corporate idiocy as the default for all ISP's? I think a far more reasonable policy is for ISP's to disconnect any customers who send out spam or virii, if they detect them. If the customer calls and asks why they were shut off, give them the answer... their machines are polluted and comprimising the security and operation of the network at large... they should clean them up or pay us $$$ to come do it for them.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...