Forwarded from: Tony | AVIEN / EWS <tonyat_private>

I agree with the proposal. I just recently proposed something similar in an article on my site. I think that the impact would be minimal, as the ports recommended for blocking are not commonly used across the Internet.

I do agree that users should be primarily responsible for securing their computers; however, that isn't always feasible. Some of the recent patches for Windows 2000, for example, require Service Pack 2. Service Pack 2 is 100Mb and takes almost an entire day to download via a 56k dial-up connection, which a majority of home users still have. So, while home users SHOULD be responsible for securing their computers, vendors should not write such flawed software that it takes patches and updates that are almost as big as or bigger than the original application they are fixing.

For cases like these, it is my opinion that the vendors should be required to partner with retail outlets and fund the burning and distribution of free CDs. Microsoft offers the larger updates on CD, but they charge for the disc plus shipping & handling. As a user I take offense that they would want another $20 from me to fix the flawed product I already paid for. Retail outlets like Best Buy, CompUSA or even Target and Walmart should be set up to download and mass produce the updates on CDs and distribute them free of charge to anyone who asks; let the vendor foot the bill to finance the operation.

Given that the majority of the home user market is on dial-up and can't reasonably download and apply the prerequisites for the current patches, it is unreasonable to put the burden on them. The ISPs should be taking proactive measures, including blocking these ports, to protect themselves and their patched paying customers from the unpatched customers. Even though I have all of the patches and updates, I was still affected by the amount of traffic on my ISP's network from the infected customers.
The network was effectively shut down from the volume of traffic. As a paying customer who did what I was supposed to do to protect myself, I expect my ISP to do what they are supposed to do to protect the whole network.

Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
About.com Guide for Internet / Network Security
http://netsecurity.about.com

-=-

Date: Thu, 11 Sep 2003 18:12:39 +1000
From: Russell Coker <russellat_private>
To: InfoSec News <isnat_private>
Subject: Re: [ISN] ISPs Could Block Ports to Reduce Spread of Malware

On Thu, 11 Sep 2003 16:03, InfoSec News wrote:
> Forwarded from: Mark Bernard <mbernardat_private>
>
> I do not agree with this recommendation for two reasons, see below:
>
> First off, what about all the legitimate uses for these ports? This
> strategy would in fact reduce and/or eliminate the functionality of
> thousands of computers around the world. Functionality that has
> already been sold and paid for.

In the rare event that someone really wants to share files over the Internet, they can apply to their ISP to have the default filter turned off. I've configured ISPs in that manner and customers have been happy. For a large ISP you could even have a web-based system for administering firewall rules for such things. However, I haven't worked for a large ISP that was so interested in customer security (does such a large ISP exist?).

> Secondly, this strategy in fact removes accountability from where it
> belongs, the computer user. It is reminiscent of the early dark days
> of the Internet when the law makers didn't know how to assess
> damages caused through Internet connections so they made ISPs
> accountable. That was a desperate maneuver that failed!

If the user can choose between several options of firewalls then the accountability is still on them. They can choose the default option and have those ports blocked, or they can have them un-blocked and take their own measures to ensure that they aren't vulnerable to such attacks.
Having users be directly accountable for their actions is fine in theory; however, in practise it can be difficult to achieve with even the most skilled users. Imagine the scenario where someone has a secure machine, they go on holidays for a month in a remote location and forget about computers. While they are away a security hole is discovered and a worm is written to exploit it. Now how will they find out about security holes when they get home? Probably from the Internet, but to access their email they have to go online, leaving a window of opportunity for the worm...

The best solution is to have some aspects of PC security delegated from the user to people and organizations that are better equipped to handle it. I don't deal with all aspects of car safety; I rely on my mechanic to deal with most of it for me. Computer users should be able to rely on their ISP in a similar manner.

I think that the way ISPs would ideally operate is that whenever a new virus or worm is released they would block ports as appropriate to stop it for all their users. So when an SMB worm is released they would block the SMB ports for everyone. Then users who have fixed their PC (or whose PC was not vulnerable) can configure their firewall entry to stop blocking that port IF they need it. Users who don't need that port (the majority) would never have it re-enabled and not miss it.

Finally, an ideal ISP would optionally scan their customers' machines for vulnerabilities (the default being to scan the machine if not specifically requested not to). Then if they detect a vulnerability they can block whichever ports are necessary to prevent an attack (cutting the machine off from all net access apart from POP/IMAP if necessary) until the user fixes it.

Russell Coker

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
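The per-customer filter Russell describes (block a worm's ports for every subscriber, let a customer who has patched opt a single port back in, and quarantine a customer found vulnerable down to POP/IMAP) can be modelled as a small policy engine that emits firewall rules. The following is an added illustration, not code from the thread or from any ISP. The concrete port numbers (SMB/NetBIOS and MS-RPC on 135, 137-139 and 445; POP3/IMAP on 110, 143, 993 and 995), the customer ids, the example address and the iptables-style rule text are all assumptions made for the example; the thread itself names only "the SMB ports".

```python
"""Model of an ISP's default-deny port filter with per-customer opt-out.

Added example for the ISN thread on ISPs blocking ports; not code from the
thread. Port numbers, customer ids and rule syntax are assumptions.
"""
from dataclasses import dataclass, field

# Assumption: ports blocked for every customer by default (SMB/NetBIOS/RPC).
DEFAULT_BLOCKED_PORTS = {135, 137, 138, 139, 445}

# Assumption: what a quarantined customer may still reach (POP3/IMAP,
# plain and TLS), following the "apart from POP/IMAP" suggestion above.
QUARANTINE_ALLOWED_PORTS = {110, 143, 993, 995}


@dataclass
class CustomerPolicy:
    """Per-customer state a hypothetical self-service portal would edit."""
    customer_id: str
    unblocked: set = field(default_factory=set)  # ports the customer re-enabled
    quarantined: bool = False                     # scanner found a live hole


class IspFilter:
    def __init__(self, blocked=None):
        self.blocked = set(DEFAULT_BLOCKED_PORTS if blocked is None else blocked)
        self.customers = {}

    def enroll(self, customer_id):
        policy = CustomerPolicy(customer_id)
        self.customers[customer_id] = policy
        return policy

    def block_for_everyone(self, port):
        """A new worm is out: add its port to the global default block set.
        Customers who already opted that port back in keep their exception."""
        self.blocked.add(port)

    def unblock_for_customer(self, customer_id, port):
        """The customer asserts they are patched and actually need the port."""
        self.customers[customer_id].unblocked.add(port)

    def set_quarantine(self, customer_id, vulnerable):
        """Scanner result: cut a vulnerable machine down to mail access only."""
        self.customers[customer_id].quarantined = vulnerable

    def verdict(self, customer_id, port):
        """'accept' or 'drop' for TCP traffic to/from this customer on port."""
        policy = self.customers[customer_id]
        if policy.quarantined:
            return "accept" if port in QUARANTINE_ALLOWED_PORTS else "drop"
        if port in self.blocked and port not in policy.unblocked:
            return "drop"
        return "accept"

    def render_rules(self, customer_id, addr):
        """Emit iptables-save style lines for one customer's address.

        Blocked ports are dropped in both directions so an infected customer
        cannot reach other subscribers, which is the complaint in the thread.
        """
        policy = self.customers[customer_id]
        lines = []
        if policy.quarantined:
            for port in sorted(QUARANTINE_ALLOWED_PORTS):
                lines.append(f"-A CUSTOMERS -s {addr} -p tcp --dport {port} -j ACCEPT")
            lines.append(f"-A CUSTOMERS -s {addr} -j DROP")
            return lines
        for port in sorted(self.blocked - policy.unblocked):
            lines.append(f"-A CUSTOMERS -d {addr} -p tcp --dport {port} -j DROP")
            lines.append(f"-A CUSTOMERS -s {addr} -p tcp --dport {port} -j DROP")
        lines.append(f"-A CUSTOMERS -d {addr} -j ACCEPT")
        lines.append(f"-A CUSTOMERS -s {addr} -j ACCEPT")
        return lines


if __name__ == "__main__":
    # Constructed walk-through: default block, opt-out, new worm, quarantine.
    isp = IspFilter()
    isp.enroll("cust-a")                       # hypothetical customer id
    print("445 by default:", isp.verdict("cust-a", 445))
    isp.unblock_for_customer("cust-a", 445)    # customer patched, needs SMB
    print("445 after opt-out:", isp.verdict("cust-a", 445))
    isp.block_for_everyone(4444)               # hypothetical new worm port
    print("\n".join(isp.render_rules("cust-a", "192.0.2.10")))
    isp.set_quarantine("cust-a", True)
    print("\n".join(isp.render_rules("cust-a", "192.0.2.10")))
```

The global block set and the per-customer exception set are kept separate on purpose: blocking a new worm's port for everyone never touches a customer's earlier opt-outs, and a quarantine overrides both, so the "default on, opt out if you need it" model from the post is a single lookup per packet.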
This archive was generated by hypermail 2b30 : Mon Sep 15 2003 - 03:23:52 PDT