Information Security News mailing list archives

Re: ISPs Could Block Ports to Reduce Spread of Malware (2 messages)


From: InfoSec News <isn () c4i org>
Date: Mon, 15 Sep 2003 02:32:57 -0500 (CDT)

Forwarded from: Tony | AVIEN / EWS <tony () avien org>

I agree with the proposal. I just recently proposed something similar
in an article on my site.

I think that the impact would be minimal as the ports recommended for
blocking are not commonly used across the Internet.

I do agree that users should be primarily responsible for securing
their computers; however, that isn't always feasible. Some of the
recent patches for Windows 2000, for example, require Service Pack 2.
Service Pack 2 is 100Mb and takes almost an entire day to download via
a 56k dial-up connection, which a majority of home users still have. So,
while home users SHOULD be responsible for securing their computers,
vendors should not write such flawed software that it takes patches
and updates that are almost as big or bigger than the original
application they are fixing.

For cases like these, it is my opinion that the vendors should be
required to partner with retail outlets and fund the burning and
distribution of free CDs. Microsoft offers the larger updates on CD,
but they charge for the disc plus shipping & handling. As a user I
take offense that they would want another $20 from me to fix the
flawed product I already paid for. Retail outlets like Best Buy,
CompUSA or even Target and Walmart should be set up to download and
mass produce the updates on CDs and distribute them free of charge to
anyone who asks, and let the vendor foot the bill to finance the
operation.

Given that the majority of the home user market is on dial-up and
can't reasonably download and apply the prerequisites for the current
patches, it is unreasonable to put the burden on them.

The ISPs should be taking proactive measures, including blocking
these ports, to protect themselves and their patched paying customers
from the unpatched customers. Even though I have all of the patches
and updates, I was still affected by the amount of traffic on my ISP's
network from the infected customers. The network was effectively shut
down by the volume of traffic. As a paying customer who did what I
was supposed to do to protect myself, I expect my ISP to do what they
are supposed to do to protect the whole network.

Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
About.com Guide for Internet / Network Security
http://netsecurity.about.com 

  
-=-


Date: Thu, 11 Sep 2003 18:12:39 +1000
From: Russell Coker <russell () coker com au>
To: InfoSec News <isn () c4i org>
Subject: Re: [ISN] ISPs Could Block Ports to Reduce Spread of Malware

On Thu, 11 Sep 2003 16:03, InfoSec News wrote:
> Forwarded from: Mark Bernard <mbernard () nbnet nb ca>
>
> I do not agree with this recommendation for two reasons, see below:
>
> First off, what about all the legitimate uses for these ports? This
> strategy would in fact reduce and/or eliminate the functionality of
> thousands of computers around the world. Functionality that has
> already been sold and paid for.

In the rare event that someone really wants to share files over the
Internet then they can apply to their ISP to have the default filter
turned off.  I've configured ISPs in that manner and customers have
been happy.

For a large ISP you could even have a web based system for
administering firewall rules for such things.  However I haven't
worked for a large ISP that was so interested in customer security
(does such a large ISP exist?).

> Secondly, this strategy in fact removes accountability from where it
> belongs, the computer user. It is reminiscent of the early dark days
> of the Internet when the law makers didn't know how to assess
> damages caused through Internet connections, so they made ISPs
> accountable. That was a desperate maneuver that failed!

If the user can choose between several options of firewalls then the
accountability is still on them.  They can choose the default option
and have those ports blocked, or they can have them un-blocked and
take their own measures to ensure that they aren't vulnerable to such
attacks.

Having users be directly accountable for their actions is fine in
theory, however in practise it can be difficult to achieve with even
the most skilled users.  Imagine the scenario where someone has a
secure machine, they go on holidays for a month in a remote location
and forget about computers.  While they are away a security hole is
discovered and a worm is written to exploit it.  Now how will they
discover about security holes when they get home?  Probably from the
Internet, but to access their email they have to go online leaving a
window of opportunity for the worm...

The best solution is to have some aspects of PC security delegated
from the user to people and organizations that are better equipped to
handle it.  I don't deal with all aspects of car safety, I rely on my
mechanic to deal with most of it for me.  Computer users should be
able to rely on their ISP in a similar manner.

I think that the way ISPs would ideally operate is that whenever a new
virus or worm is released they would block ports as appropriate to
stop it for all their users.  So when an SMB worm is released they
would block the SMB ports for everyone.  Then users who have fixed
their PC (or whose PC was not vulnerable) can configure their firewall
entry to stop blocking that port IF they need it.  Users who don't
need that port (the majority) would never have it re-enabled and not
miss it.

Finally, an ideal ISP would optionally scan their customers' machines
for vulnerabilities (the default being to scan the machine unless
specifically requested not to).  Then if they detect a vulnerability
they can block whichever ports are necessary to prevent an attack
(cutting the machine off from all net access apart from POP/IMAP if
necessary) until the user fixes it.


Russell Coker
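The per-customer filter policy Russell describes (list-wide default blocks set when a worm appears, per-customer opt-outs for those who have fixed their PC, and a mail-only quarantine for machines that fail a scan) can be modelled in a few dozen lines. This is an added illustration, not code from the thread or from any ISP; the port sets, customer identifiers and rule format are assumptions chosen for the example.

```python
# Added example: a minimal model of an ISP-side default-block filter with
# per-customer opt-out and quarantine, as described in the message above.
# Customer identifiers, port sets and rule text are constructed for illustration.
from dataclasses import dataclass, field

SMB_PORTS = {137, 138, 139, 445}        # NetBIOS/SMB: the "SMB worm" case
MAIL_PORTS = {110, 143, 993, 995}       # POP3, IMAP, IMAPS, POP3S: kept open in quarantine


@dataclass
class IspFilterPolicy:
    # Ports blocked for every customer by default (set when a worm is released).
    default_blocked: set = field(default_factory=set)
    # customer -> ports that customer explicitly asked to have re-enabled.
    opt_outs: dict = field(default_factory=dict)
    # Customers whose machine failed a vulnerability scan: mail-only until fixed.
    quarantined: set = field(default_factory=set)

    def block_by_default(self, ports):
        """New worm: block the affected ports for all customers at once."""
        self.default_blocked |= set(ports)

    def allow_for_customer(self, customer, port):
        """A customer who has patched (or was never vulnerable) re-enables a port."""
        self.opt_outs.setdefault(customer, set()).add(port)

    def quarantine(self, customer):
        """Scan found a hole: cut the machine off from everything except mail."""
        self.quarantined.add(customer)

    def release(self, customer):
        """Customer fixed the machine; normal policy applies again."""
        self.quarantined.discard(customer)

    def is_allowed(self, customer, port):
        """Decide whether traffic to `port` is passed for this customer."""
        if customer in self.quarantined:
            return port in MAIL_PORTS
        if port in self.default_blocked:
            return port in self.opt_outs.get(customer, set())
        return True

    def rules_for(self, customer):
        """Render the customer's effective DROP rules (assumed textual format)."""
        if customer in self.quarantined:
            return [f"DROP all -> {customer} except tcp/{p}" for p in sorted(MAIL_PORTS)]
        return [f"DROP tcp/{p} -> {customer}"
                for p in sorted(self.default_blocked) if not self.is_allowed(customer, p)]
```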


