Security or Freedom?

[Grok]

Based on the fact that we can't match ports to programs, how do you recommend setting up a firewall?  Just block everything because we don't want to let anything back through, or block nothing since we never know what port something is going to use?

If we block specific ports (which they all do, except for ones that try to do protocol analysis and suck), then we're following the convention that is used everywhere else in the world and it'll work out. 

You're faultering and you know it when falling back on arguments like "used everywhere else in the world" and "it'll work out".  People used to believe the world was flat, but that did not make it right.  And, it did not work out.

To say that there are evil ports which require blocking argues that there are good ports which do not require blocking.  I know you would not argue such a thing.  Port 80 is equally evil as all other ports.  Or, do you believe port 80 is somehow good?  Tell me one port which you believe is more evil than any other one port.  Of course you cannot, because ports are not good or evil.  Anyway, present a valid computer scientistific argument and I'll continue.  Presently you're just trying to defend to save from admitting you're wrong!

[muert0]

666 kind of scares me. Or 139.

[Banana fanna fo fanna]

I should be able to go to firewall.comcast.net, and have a web-based control panel that works from my IP address which lets me selectively pick ports to use. By default, they should have SMTP and netbios blocked, but allow them to be opened by this web-based CP.

[iago]

Based on the fact that we can't match ports to programs, how do you recommend setting up a firewall?  Just block everything because we don't want to let anything back through, or block nothing since we never know what port something is going to use?

If we block specific ports (which they all do, except for ones that try to do protocol analysis and suck), then we're following the convention that is used everywhere else in the world and it'll work out. 

You're faultering and you know it when falling back on arguments like "used everywhere else in the world" and "it'll work out". People used to believe the world was flat, but that did not make it right. And, it did not work out.

To say that there are evil ports which require blocking argues that there are good ports which do not require blocking. I know you would not argue such a thing. Port 80 is equally evil as all other ports. Or, do you believe port 80 is somehow good? Tell me one port which you believe is more evil than any other one port. Of course you cannot, because ports are not good or evil. Anyway, present a valid computer scientistific argument and I'll continue. Presently you're just trying to defend to save from admitting you're wrong!

It involves weighing the potential gains and losses to determine which ports are "evil".  I was trying to argue against an incredibly stupid argument that port numbers don't mean anything because they're just numbers.  You can't argue that, but it doesn't change the fact that some ports are "evil".  NetBOIS ports have no "good" use over the Internet, and HTTP ports DO have a "good" use.  Ports like NetBIOS that are only used for "evil" should be blocked.

Right now, worms taking up a ton of bandwidth and are hugely widespread, and the worms are _using those ports to spread_!  How do you suggest stopping the worms from going around?  Please, make a suggestion.  Education users obviously doesn't work, because people don't care.  ISPs can't do it, because like you said, it's bad.  Who else can do it?

[Banana fanna fo fanna]

What happens when the worms get smart and begin using random ports?

[dxoigmn]

What happens when the worms get smart and begin using random ports?

Generally worms scan a range of ips looking for a specific port (usually a service listening on that port) that can be infected.  They can't really use random  ports and they usually don't have an interface with which they listen for a master to issue it commands.

[Adron]

To say that there are evil ports which require blocking argues that there are good ports which do not require blocking.  I know you would not argue such a thing.  Port 80 is equally evil as all other ports.  Or, do you believe port 80 is somehow good?  Tell me one port which you believe is more evil than any other one port.  Of course you cannot, because ports are not good or evil.  Anyway, present a valid computer scientistific argument and I'll continue.  Presently you're just trying to defend to save from admitting you're wrong!

It sounds like a good idea to block 139, 80, etc by default. Remember that this is the default in current Windows versions. They are the ports used by all clueless Windows users, it's clueless Windows users we're worried about getting infected, and those who have a clue to use a nonstandard port can probably manage their own firewalling. This all adds up to it being a good idea to block ports!

[Thing]

This all adds up to it being a good idea to block ports!

Which ports? And which networks?  How far to the backbones do you go?  I use many ports for a variety of legitimate tasks and many of them are non-standard.  Who is going to compensate me for the time it takes me to reconfigure my devices?

[iago]

What happens when the worms get smart and begin using random ports?

Huh? How do you infect a service on a random port?  That makes no sense, unless the infection is happening before whatever layer takes care of port (For instance, Rose Frag Attack), but that's not the type of attack they're blocking against.

Thing -- You don't use 135, 139, 445 to do legimate things over the internet, do you? 

[muert0]

A worm that scans various ports isn't feasible?

[Adron]

This all adds up to it being a good idea to block ports!

Which ports? And which networks?  How far to the backbones do you go?  I use many ports for a variety of legitimate tasks and many of them are non-standard.  Who is going to compensate me for the time it takes me to reconfigure my devices?

As a reseller of network capacity to end users, you should do a survey of your customers, finding out what old operating systems are common. Then by default block the ports of those services on those operating systems that aren't blocked in that version, but are blocked in the latest version of that operating system (i.e. like Windows XP blocks 139, 445, 80, etc). Your customers should have the option to unblock ports individually. And since this gives them a free security upgrade to the latest OS version, you should of course charge them appropriately.

[iago]

A worm that scans various ports isn't feasible?

Spreading on ports without a known and exploitable service isn't, no.  If you block the main ports that are being used to spread, then, if nothing else, there won't be as many.

For most home users, the ports they have open are ONLY the default windows ones, 135/139/445/1025, and if those are blocked then worms have no way of spreading.

[Arta]

Just blocking ports is a bit pointless, but temporarily blocking ports during outbreaks of things like slammer & blaster is totally a good idea - during an outbreak, it would help prevent the spread of infection. When scans dropped off, it would no longer be a useful measure, and should be removed.

[Thing]

Thing -- You don't use 135, 139, 445 to do legimate things over the internet, do you?

No.

Adron,
While I do feel that the bandwidth providers do have the right to configure their networks however they want, I still don't feel that it is their responsibility to compensate for software manufacturer's insecure and troublesome products.  The root of the problem is the software, not the network.  If the bandwidth providers reduce the symptoms, where is the incentive for the software manufacturer's to fix their product?

With so much bandwidth being wasted, I'm sure the providers are pissed and want to reduce it for that reason.  A better way, which will provide more value to their customers, is to do what Verizon is doing on their DSL network.  Every new Verizon customer receives and nifty Firewall / Router for them to connect with.  By default, all ports are closed and remote management is disabled on their 2Way devices.  You even have the option of getting one with a built in wireless router!  I've been on Verizon's DSL network since it's inception in Dallas and I've noticed a significant decrease in the amount of unwantet traffic coming into my house from it.  Comcast cable network, however, is a worthless piece of crap because they will allow any device to connect and rape their network.

[iago]

Just blocking ports is a bit pointless, but temporarily blocking ports during outbreaks of things like slammer & blaster is totally a good idea - during an outbreak, it would help prevent the spread of infection. When scans dropped off, it would no longer be a useful measure, and should be removed.

Slammer, Sasser, and Blaster, among others, would still be classified as an "outbreak".  We're still getting thousands of infection attempts every hour by Slammer (80000/day =~ 3300/hour = ~1/second).  Our IDS doesn't pick up sasser or blaster, because they require an active connection to be established before their signature can be picked up, and our external facing computers are firewalled off.  The IDS is in front of the firewall, but if the connection attempt is dropped it isn't picked up.