Security or Freedom?

Started by iago, September 27, 2004, 04:14 PM


Grok

Quote from: iago on September 28, 2004, 12:19 PM
Based on the fact that we can't match ports to programs, how do you recommend setting up a firewall?  Just block everything because we don't want to let anything back through, or block nothing since we never know what port something is going to use?

If we block specific ports (which they all do, except for ones that try to do protocol analysis and suck), then we're following the convention that is used everywhere else in the world and it'll work out. 

You're faltering and you know it when falling back on arguments like "used everywhere else in the world" and "it'll work out".  People used to believe the world was flat, but that did not make it right.  And, it did not work out.

To say that there are evil ports which require blocking argues that there are good ports which do not require blocking.  I know you would not argue such a thing.  Port 80 is equally evil as all other ports.  Or, do you believe port 80 is somehow good?  Tell me one port which you believe is more evil than any other one port.  Of course you cannot, because ports are not good or evil.  Anyway, present a valid computer scientific argument and I'll continue.  Presently you're just trying to defend to save from admitting you're wrong!

muert0

666 kind of scares me. Or 139.
Too lazy for slackware.

Banana fanna fo fanna

I should be able to go to firewall.comcast.net, and have a web-based control panel that works from my IP address which lets me selectively pick ports to use. By default, they should have SMTP and netbios blocked, but allow them to be opened by this web-based CP.

iago

Quote from: Grok on September 28, 2004, 02:01 PM
Quote from: iago on September 28, 2004, 12:19 PM
Based on the fact that we can't match ports to programs, how do you recommend setting up a firewall?  Just block everything because we don't want to let anything back through, or block nothing since we never know what port something is going to use?

If we block specific ports (which they all do, except for ones that try to do protocol analysis and suck), then we're following the convention that is used everywhere else in the world and it'll work out. 

You're faltering and you know it when falling back on arguments like "used everywhere else in the world" and "it'll work out". People used to believe the world was flat, but that did not make it right. And, it did not work out.

To say that there are evil ports which require blocking argues that there are good ports which do not require blocking. I know you would not argue such a thing. Port 80 is equally evil as all other ports. Or, do you believe port 80 is somehow good? Tell me one port which you believe is more evil than any other one port. Of course you cannot, because ports are not good or evil. Anyway, present a valid computer scientific argument and I'll continue. Presently you're just trying to defend to save from admitting you're wrong!

It involves weighing the potential gains and losses to determine which ports are "evil".  I was trying to argue against an incredibly stupid argument that port numbers don't mean anything because they're just numbers.  You can't argue that, but it doesn't change the fact that some ports are "evil".  NetBIOS ports have no "good" use over the Internet, and HTTP ports DO have a "good" use.  Ports like NetBIOS that are only used for "evil" should be blocked.

Right now, worms are taking up a ton of bandwidth and are hugely widespread, and the worms are _using those ports to spread_!  How do you suggest stopping the worms from going around?  Please, make a suggestion.  Educating users obviously doesn't work, because people don't care.  ISPs can't do it, because like you said, it's bad.  Who else can do it?
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Banana fanna fo fanna

What happens when the worms get smart and begin using random ports?

dxoigmn

Quote from: $t0rm on September 28, 2004, 05:33 PM
What happens when the worms get smart and begin using random ports?

Generally worms scan a range of IPs looking for a specific port (usually a service listening on that port) that can be infected.  They can't really use random ports and they usually don't have an interface with which they listen for a master to issue it commands.

Adron

Quote from: Grok on September 28, 2004, 02:01 PM
To say that there are evil ports which require blocking argues that there are good ports which do not require blocking.  I know you would not argue such a thing.  Port 80 is equally evil as all other ports.  Or, do you believe port 80 is somehow good?  Tell me one port which you believe is more evil than any other one port.  Of course you cannot, because ports are not good or evil.  Anyway, present a valid computer scientific argument and I'll continue.  Presently you're just trying to defend to save from admitting you're wrong!

It sounds like a good idea to block 139, 80, etc by default. Remember that this is the default in current Windows versions. They are the ports used by all clueless Windows users, it's clueless Windows users we're worried about getting infected, and those who have a clue to use a nonstandard port can probably manage their own firewalling. This all adds up to it being a good idea to block ports!

Thing

Quote
This all adds up to it being a good idea to block ports!
Which ports? And which networks?  How far to the backbones do you go?  I use many ports for a variety of legitimate tasks and many of them are non-standard.  Who is going to compensate me for the time it takes me to reconfigure my devices?
That sucking sound you hear is my bandwidth.

iago

Quote from: $t0rm on September 28, 2004, 05:33 PM
What happens when the worms get smart and begin using random ports?
Huh? How do you infect a service on a random port?  That makes no sense, unless the infection is happening before whatever layer takes care of port (For instance, Rose Frag Attack), but that's not the type of attack they're blocking against.

Thing -- You don't use 135, 139, 445 to do legitimate things over the internet, do you? 

This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


muert0

A worm that scans various ports isn't feasible?
Too lazy for slackware.

Adron

Quote from: Thing on September 28, 2004, 06:01 PM
Quote
This all adds up to it being a good idea to block ports!
Which ports? And which networks?  How far to the backbones do you go?  I use many ports for a variety of legitimate tasks and many of them are non-standard.  Who is going to compensate me for the time it takes me to reconfigure my devices?

As a reseller of network capacity to end users, you should do a survey of your customers, finding out what old operating systems are common. Then by default block the ports of those services on those operating systems that aren't blocked in that version, but are blocked in the latest version of that operating system (i.e. like Windows XP blocks 139, 445, 80, etc). Your customers should have the option to unblock ports individually. And since this gives them a free security upgrade to the latest OS version, you should of course charge them appropriately.


iago

Quote from: muert0 on September 28, 2004, 11:17 PM
A worm that scans various ports isn't feasible?

Spreading on ports without a known and exploitable service isn't, no.  If you block the main ports that are being used to spread, then, if nothing else, there won't be as many.

For most home users, the ports they have open are ONLY the default windows ones, 135/139/445/1025, and if those are blocked then worms have no way of spreading.
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Arta

Just blocking ports is a bit pointless, but temporarily blocking ports during outbreaks of things like slammer & blaster is totally a good idea - during an outbreak, it would help prevent the spread of infection. When scans dropped off, it would no longer be a useful measure, and should be removed.

Thing

Quote
Thing -- You don't use 135, 139, 445 to do legitimate things over the internet, do you?
No.

Adron,
While I do feel that the bandwidth providers do have the right to configure their networks however they want, I still don't feel that it is their responsibility to compensate for software manufacturers' insecure and troublesome products.  The root of the problem is the software, not the network.  If the bandwidth providers reduce the symptoms, where is the incentive for the software manufacturers to fix their product?

With so much bandwidth being wasted, I'm sure the providers are pissed and want to reduce it for that reason.  A better way, which will provide more value to their customers, is to do what Verizon is doing on their DSL network.  Every new Verizon customer receives a nifty Firewall / Router for them to connect with.  By default, all ports are closed and remote management is disabled on their 2Way devices.  You even have the option of getting one with a built in wireless router!  I've been on Verizon's DSL network since its inception in Dallas and I've noticed a significant decrease in the amount of unwanted traffic coming into my house from it.  Comcast cable network, however, is a worthless piece of crap because they will allow any device to connect and rape their network.
That sucking sound you hear is my bandwidth.

iago

Quote from: Arta[vL] on September 29, 2004, 07:32 AM
Just blocking ports is a bit pointless, but temporarily blocking ports during outbreaks of things like slammer & blaster is totally a good idea - during an outbreak, it would help prevent the spread of infection. When scans dropped off, it would no longer be a useful measure, and should be removed.

Slammer, Sasser, and Blaster, among others, would still be classified as an "outbreak".  We're still getting thousands of infection attempts every hour by Slammer (80000/day =~ 3300/hour = ~1/second).  Our IDS doesn't pick up sasser or blaster, because they require an active connection to be established before their signature can be picked up, and our external facing computers are firewalled off.  The IDS is in front of the firewall, but if the connection attempt is dropped it isn't picked up.
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
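A defender-side illustration of the two points above, Arta's "block during an outbreak, lift it when the scans drop off" and iago's per-hour counting of dropped attempts, added here and not written by any poster in the thread: it aggregates constructed firewall drop-log lines by destination port and hour, flags ports hit at outbreak rate from many distinct sources, and reports whether the latest hour still justifies the block. The log line format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
LINE_RE = re.compile(r"^(?P<ts>\S+) DROP (?P<src>[\d.]+) -> (?P<port>\d+)/(?P<proto>tcp|udp)$")

# Constructed sample drop-log lines (not from the thread); the format
# "<ISO timestamp> DROP <src-ip> -> <dst-port>/<proto>" is an assumption.
SAMPLE_LOG = """\
2004-09-29T07:00:01 DROP 10.0.0.5 -> 1434/udp
2004-09-29T07:00:02 DROP 10.0.1.9 -> 1434/udp
2004-09-29T07:00:03 DROP 10.0.2.7 -> 135/tcp
2004-09-29T07:00:04 DROP 10.0.3.1 -> 1434/udp
2004-09-29T07:30:00 DROP 10.0.4.2 -> 445/tcp
2004-09-29T07:31:00 DROP 10.0.4.2 -> 445/tcp
2004-09-29T07:32:00 DROP 10.0.4.2 -> 445/tcp
2004-09-29T08:00:00 DROP 10.0.5.3 -> 1434/udp
"""

def parse(log):
    """Yield (hour_bucket, src, service) for each well-formed drop line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a drop record
        ts = datetime.fromisoformat(m["ts"])
        yield ts.replace(minute=0, second=0), m["src"], f'{m["port"]}/{m["proto"]}'

def outbreak_ports(log, per_hour=3, min_sources=2):
    """Services reaching per_hour drops in some hour from >= min_sources hosts;
    the source spread separates a spreading worm from one noisy address."""
    hits = defaultdict(int)      # (hour, service) -> drops in that hour
    sources = defaultdict(set)   # service -> distinct source addresses
    for hour, src, svc in parse(log):
        hits[(hour, svc)] += 1
        sources[svc].add(src)
    peak = defaultdict(int)
    for (hour, svc), n in hits.items():
        peak[svc] = max(peak[svc], n)
    return sorted(svc for svc, n in peak.items()
                  if n >= per_hour and len(sources[svc]) >= min_sources)

def still_active(log, service, per_hour=3):
    """Lifting rule: keep a temporary block only while the latest logged hour
    still reaches the threshold; False once the scans have dropped off."""
    by_hour = defaultdict(int)
    for hour, _, svc in parse(log):
        if svc == service:
            by_hour[hour] += 1
    return bool(by_hour) and by_hour[max(by_hour)] >= per_hour
```

With the sample, 1434/udp is flagged (three sources in one hour) while 445/tcp is not, because all its hits come from a single address; by the last logged hour the 1434/udp scans have dropped off, so the block would be lifted.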

