On Thu, 2003-02-06 at 04:41, Nicob wrote:
> On Wed, 2003-02-05 at 16:38, Paul Schmehl wrote:
>
> > Can you think of a legitimate reason why ISPs should allow ports
> > 135-139/TCP/UDP to be open to the Internet? How about port 445/UDP?
>
> IMO, it's not up to the ISP to choose which ports and services I should use.
> I pay it (sort of) for a pipe running from my home-computer to the wild
> Internet and *that's all*.

I think you're confused about who owns the pipe. The ISPs can do anything they want. Then it's up to you as a consumer to decide if you're willing to pay them for the service they offer - completely open or partially restricted. AOL is an example of this, as are a few others.

However, I think the day is coming when ISPs will be held liable for negligence when they have been informed about problems coming from their network and they do nothing to fix them. One option, obviously, is to work with the customer to fix whatever is wrong - get them to patch, close ports, stop services, whatever. But another, *much* easier option, is to simply close the ports themselves. And I predict that many will do that.

Port 25 is a good example. There was a time when hardly any ISP in the world would have even considered closing port 25. Now many of them have closed it. It's cheaper to close the port and be done with it than it is to be playing whack-a-mole with an expensive abuse staff.

> I don't want some "services" like transparent proxies, AV scanning at
> the mail relay or port filtering. I just want a pipe ...

And that's your right. The ISP's right is to close whatever ports they think need to be closed. And then you get to decide if you want to do business with them or take your business elsewhere.

Look at it this way. Would you rather have the ISPs closing ports voluntarily? Or the governments doing it by mandate?

> > What about the ISPs whose policy it is to not allow
> > customers to run servers?
>
> That's another problem.
>
> If I ask for a pipe, I want a pipe.
> If I ask for a discount ADSL access with a limited amount of traffic and no
> allowed hosting (HTTP, FTP, SMTP, SSH, ...), the ISP can restrict the
> inbound ports.

Again, you're confusing what you want as a consumer with what any single ISP may think is appropriate. As a consumer you have choices. As a business, so does the ISP.

> If the next big vuln/worm is a SSH one, would you agree with an ISP
> blocking inbound TCP/22 and forbidding users to connect to their
> home-LAN to check mails, get some files, start the coffee-maker or manage
> downloads ?

I would if the worm was destructive enough. Even if they only do it until the crisis is over, it's still better than letting the internet drop to its knees while doing nothing to stop it.

--
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
