Yes.
Owen
On Oct 23, 2009, at 2:19 PM, Lee Riemer wrote:
> Isn't blocking any port against the idea of Net Neutrality?
>
> Justin Shore wrote:
>> Owen DeLong wrote:
>>> Blocking ports that the end user has not asked for is bad.
>>
>> I was going to ask for a clarification to make sure I read your
>> statement correctly, but then again it's short enough I really don't
>> see any room to misinterpret it. Do you seriously think that a
>> typical residential user has the required level of knowledge to
>> call their SP and ask for them to block tcp/25, tcp & udp/1433 and
>> 1434, and a whole list of common open proxy ports? While they're
>> at it they might ask the SP to block the C&C ports for Bobax and
>> Kraken. I'm sure all residential users know that they use ports
>> 447 and 13789. If so then send me some of your users. You must be
>> serving users around the MIT campus.
>>
>>> Doing it and refusing to unblock is worse.
>>
>> How do you propose we pull a customer's dynamically-assigned IP
>> out of a DHCP pool so we can treat it differently? Not all SPs use
>> customer-facing AUTH. I can think of none that do for CATV, though
>> I'm sure someone will now point out an oddball SP that I've never heard
>> of before.
>>
>>> Some ISPs have the even worse practice of blocking 587 and a few even
>>> go to the horrible length to block 465.
>>
>> I would call that a very bad practice. I haven't personally seen a
>> mis-configured MTA listening on the MSP port, so I don't think they
>> can make the claim that the MSP port is a common security risk. I
>> would call tcp/587 a very safe port to have traverse my network. I
>> think those ISPs are either demonstrating willful ignorance or
>> marketing malice.
>>
>>> A few hotel gateways I have encountered are dumb enough to think
>>> they can block TCP/53, which is always fun.
>>
>> The hotel I stayed in 2 weeks ago that housed a GK class I took had
>> just such a proxy. It screwed up DNS, but even worse it completely
>> hosed anything trying to tunnel over HTTP. OCS was dead in the
>> water. My RPC-over-HTTP Outlook client couldn't work either.
>> Fortunately they didn't mess with IPSec VPN or SSH. Either way it
>> didn't matter much since the network was unusable (12 visible APs
>> from room, all on overlapping 802.11b/g channels). The average
>> throughput was .02Mbps.
>>
>>> Lovely for you, but, not particularly helpful to your customers
>>> who may actually want to use some of those services.
>>
>> I take a hard line on this. I will not let the technical ignorance
>> of the average residential user harm my other customers. There is
>> absolutely no excuse for using Netbios or MS-SQL over the Internet
>> outside of an encrypted tunnel. Any user smart enough to use a
>> proxy is smart enough to pick a non-default port. Any residential
>> user running a proxy server locally is in violation of our AUP
>> anyway and will get warned and then terminated. My filtering helps
>> 99.99% of my userbase. The .001% that find this basic security
>> filter intolerable can speak with their wallets. They can find
>> themselves another provider if they want to use those ports, or pay
>> for a business circuit where we filter very little on the
>> assumption they as a business have the technical competence to
>> handle basic security on their own. (The actual percentage of
>> users that have raised concerns in the past 3 years is .0008%. I
>> spoke with each of them and none decided to leave our service.)
>>
>> We've been down the road of no customer-facing ingress ACLs. We've
>> fought the battles of getting large swaths of IPs blacklisted
>> because of a few users' technical incompetence. We've had large
>> portions of our network null-routed in large SPs. Then we got our
>> act together and stopped acting like those ISPs who we all love to
>> bitch about, that do not manage their customer traffic, and are
>> poor netizens of this shared resource we call the Internet. Our
>> problems have all but gone away. Our residential and business users
>> no longer call in on a daily basis to report blacklisting
>> problems. We no longer have reachability issues with networks that
>> got fed up with the abuse coming from our compromised users and
>> null-routed us. I stand by our results as proof that what we're
>> doing is right. Our customers seem to agree and that's what matters.
>>
>> Justin
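As an added illustration of the two policies argued over in this thread (it is example code written for this page, not anything Justin or Owen posted): a small model of a customer-facing ingress ACL. The first ruleset denies the ports the thread names as having no legitimate use outside a tunnel from a residential connection (tcp/25 direct-to-MX, MS-SQL on 1433/1434, NetBIOS/SMB) and permits everything else; the second reproduces the over-blocking the thread calls a bad practice (submission on 587/465, DNS on tcp/53). The `audit` function is the check an operator would want before deploying such an ACL: it reports which must-stay-open services the ruleset would break. Rule order, the port lists and the `MUST_STAY_OPEN` table are assumptions constructed for the example; the NetBIOS/RPC port numbers (135, 137-139, 445) are the standard Microsoft ones, not ports taken from the thread.

```python
"""Model of a residential-edge ingress ACL (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int   # destination port as seen on the customer-facing interface


@dataclass(frozen=True)
class Rule:
    action: str                        # "deny" or "permit"
    proto: str                         # "tcp", "udp" or "any"
    ports: frozenset = frozenset()     # empty set matches any port
    note: str = ""                     # why the rule exists (for the audit report)

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        return not self.ports or flow.dst_port in self.ports


def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins, as on a router ACL.

    A customer-facing ingress ACL should end with an explicit permit;
    if it does not, the router's implicit deny drops everything else,
    which is modelled here so a forgotten final permit shows up in tests.
    """
    for rule in acl:
        if rule.matches(flow):
            return rule.action, rule.note
    return "deny", "implicit deny (no final permit)"


# Hypothetical "basic security filter" in the spirit of the thread:
# block what compromised residential hosts abuse, leave the rest alone.
RESIDENTIAL_INGRESS: List[Rule] = [
    Rule("deny", "tcp", frozenset({25}),
         "direct-to-MX SMTP from compromised hosts; submission uses 587/465"),
    Rule("deny", "tcp", frozenset({1433, 1434}), "MS-SQL"),
    Rule("deny", "udp", frozenset({1433, 1434}), "MS-SQL resolution service"),
    Rule("deny", "tcp", frozenset({135, 137, 138, 139, 445}), "NetBIOS / SMB / RPC"),
    Rule("deny", "udp", frozenset({135, 137, 138, 139, 445}), "NetBIOS / SMB / RPC"),
    Rule("permit", "any", frozenset(), "everything else"),
]

# Hypothetical over-blocking ACL of the kind the thread criticises.
OVERBLOCKING_INGRESS: List[Rule] = [
    Rule("deny", "tcp", frozenset({25, 587, 465}), "all mail ports"),
    Rule("deny", "tcp", frozenset({53}), "DNS over TCP"),
    Rule("permit", "any", frozenset(), "everything else"),
]

# Services a residential ACL must not break (assumption for the example).
MUST_STAY_OPEN: Dict[Tuple[str, int], str] = {
    ("tcp", 587): "mail submission (MSP)",
    ("tcp", 465): "SMTPS submission",
    ("tcp", 53): "DNS over TCP (truncated answers, zone data)",
    ("udp", 53): "DNS",
}


def audit(acl: List[Rule]) -> List[Tuple[str, int, str]]:
    """Return the (proto, port, service) entries the ACL would deny."""
    broken = []
    for (proto, port), service in sorted(MUST_STAY_OPEN.items()):
        action, _ = evaluate(acl, Flow(proto, port))
        if action == "deny":
            broken.append((proto, port, service))
    return broken


if __name__ == "__main__":
    samples = [Flow("tcp", 25), Flow("tcp", 587), Flow("udp", 1434),
               Flow("tcp", 445), Flow("tcp", 443), Flow("tcp", 53)]
    for name, acl in (("residential", RESIDENTIAL_INGRESS),
                      ("overblocking", OVERBLOCKING_INGRESS)):
        for f in samples:
            action, note = evaluate(acl, f)
            print(f"{name:12} {f.proto}/{f.dst_port:<5} {action:6} {note}")
        print(f"{name:12} audit -> {audit(acl)}")
```

Run it and the residential ruleset audits clean while the over-blocking one reports tcp/53, tcp/465 and tcp/587 as collateral damage; that is the difference between filtering ports with no legitimate residential use and filtering the ports customers need to reach their own mail and DNS servers.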