[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <000a01c2d06c$687049f0$0100000a@yrpxb5>
From: yossarian at planet.nl (yossarian)
Subject: SQL Slammer - lessons learned
PS wrote
>> Can you think of a legitimate reason why ISPs should allow
>> ports 135-139/TCP/UDP to be open to the Internet? How about
>> port 445/UDP? Many ISPs now block port 25/TCP (for obvious
>> reasons.) Why not other service ports?
SD wrote
>Are that InternetServiceProviders or InternetServiceCensors?
>I feel free to implement an own strange private protocol using
>UDP 135 and I pay the ISP for routing this. I don't see any
>responsibility for ISPs to care about the content.
I think the answer is in your exemple: If only we were to standardise on an
MS World, vulnerable MS ports would be blockable, w/o collateral damage for
people not adhering to standard MS.
The legitimate reasons Paul asks for, are that ports are only loosely
standardised. With the growing use of flexible port-adressing and
masquerading in P2P clients, concentrating a discussion on certain ports
appears a bit outdated to me. IMHO the real issue is where do we expect to
be protected, or put in another way, who will we blame if our systems go
down?
Do we see the Internet as a massive threat, or do we expect it to be safe
for lightweight use, i.e. less features and freedom = less threats. Funny is
that some people expect people ISP to deny all and only permit what is
necessary, since no one can expect parties connected, such as corporate
networks and home users, to do so themselves - let the ISP set up a FW since
it is too costly and/or too complex for me. Well, about too costly - ISP are
usually commercial entities, so it will raise the prices, nothing in life is
free. It might be commercially viable for ISP's to setup two networks, one
for people that only need three or four internetfunctions (HTTP, POP, SMTP
and IMAP), Nah, don't think so. People might suddenly want to run MSN, or
something else.
My question - must my ISP know all types of traffic legit to me, in order to
service me? And change the rulesets if I update some software? Or should I
apply this knowledge to set up a firewall that suits my own needs? My ISP
can not setup a FW that suits me 100%, since it has other companies /
customers with different needs on the same local loop. So even if my ISP
were to block most of the dangerous traffic, I still would need a FW, since
it cannot block all. And since an ISP must make profit, having them doing MY
firewall be probably be a lot more expensive than if I do it myself.
Powered by blists - more mailing lists