[Dshield] should ISPs close ports (was: Windows Messenger Popup Spam on UDP Port 1026)

Dale Sampson dalejsampson at ameritech.net
Mon Jun 23 14:22:20 GMT 2003


> My dream: An ISP that by default closes all ports, and has a little web
> based test to check your "security skillz". The higher your score, the more
> ports will open up ;-).

I LOVE idealism :~)  This would be a nice state of affairs. I suspect that
with the current 'minimal' (and in some cases POORLY trained) technical and
abuse staff of many ISPs (I'm especially thinking of 'big' ISPs), this
technique would result in a mess.

My network connects to the internet via Ameritech DSL. Certainly, the bulk
of my firewall 'hits' are the result of other users on my segment with
inappropriately configured computers/networks. I have a floating IP -
sometimes it rolls over to x.x.x.255. On these days, I don't even bother
doing a dshield report as the log is filled with 1000s of stupid hits (137
& such). Your dream would fix that. The flip side is I shudder when I think
about trying to get my ISP's tech staff to open a needed port.



Dale Sampson, RN
http://www.dalesplace.net/dalesplace.htm
 


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Johannes Ullrich
Sent: Monday, June 23, 2003 7:40 AM
To: General DShield Discussion List
Subject: [Dshield] should ISPs close ports (was: Windows Messenger Popup
Spam on UDP Port 1026)



> ok, it's Monday I'll throw in another 0,02?
> knout, petard - what next ??

ok. having gone through one set of asbestos underwear while reading the
comments to my first post, I can't help but come back to ask for more
;-)

I think one has to distinguish between what I call "home users" and
"professional users". A home user essentially is identified by having no
professional sysadmin at their side to maintain systems. A lot of small
businesses fall in this category as well. A professional is a company (or
home user) who knows about system configuration and basic security policies.

It was mentioned that blocking certain ports will interfere with running some
common applications. The most problematic is probably SMTP. One argument
(from memory, not copy/pasted) was that an ISP should rather get a well
working abuse department vs. taking the cheap way out and blocking ports.

In my opinion, this is a good argument, if you are willing to pay for the
abuse department. It is quite expensive to run a decent abuse department
(hire people that can read firewall logs, have them contact end users ...).

So if by blocking a few ports (I only advocate 135-139 and 445 at this
point), an ISP can eliminate 80% of the "abuse" at a reasonably small cost.
The abuse department will now be able to deal with the remainder on a per
user basis. ISPs already offer "business accounts" which are usually not
filtered or even provide some customized filtering to meet your needs. Sure,
they cost more, but somehow an ISP has to find a way to pay for all the
extra service.

I do not advocate blocking ports anywhere at the backbone. The filters
should be applied as close to the end user as possible. 

My dream: An ISP that by default closes all ports, and has a little web
based test to check your "security skillz". The higher your score, the more
ports will open up ;-).

Current situation: One of my ISPs did set up my DSL router with default
passwords (and kind of yelled at me when I called support once and they found
I had changed it). They never offered any advice (not even a simple web page) on
how to use the firewall built into the device.

(BTW: regarding the asbestos comment: I am actually pleased with the tone of
the replies. While some of them didn't like my opinion, everyone stuck to
technical arguments and didn't resort to simple "flaming".
THANKS)

