PlusNet Firewall - Port Blocking Suggestions
11-04-2013 10:23 AM
Firstly, thank you for providing a set of Server side firewall settings which can be chosen and set up by the user and I have some suggestions to improve the service...
1. Add uPnP to the list of ports blocked in both the "low" and "High" protocol settings. These ports, as you will be aware, are for use inside a network only and should never be open on the public facing side of the network. However, a recent exploit (set out in great detail on the Security Now Podcast - Episode 389 http://twit.tv/show/security-now/389 and by Rapid 7 in their report (NB: Download link) http://bit.ly/upnpflaws) details that worldwide there are some 81 million routers which open uPnP to the "public" facing side of the internet and therefore allow the network to be attacked remotely by some unscrupulous individuals.
If PlusNet blocked UDP port 1900 and TCP port 2869 in both the "low" and "High" protocol settings this would prevent any attack on a vulnerable Plus Net user without any issues to the user's connection... these ports should not be functional on the public facing side in any event!!
Rapid 7's recommendations to ISPs in light of this exploit were:
Quote Internet Service Providers
ISPs should review any equipment that they are providing to subscribers to verify that UPnP is not exposed on the WAN interface.
If the equipment is affected, one of the following solutions should be considered:
- Pushing a configuration update that disables UPnP across the subscriber base
- Pushing a software update that removes UPnP capabilities from the device
- Replacing customer equipment with a device that can be configured securely
- Implementing network-wide ACLs for UDP port 1900 and specific TCP ports
Implementing the network wide block on uPnP seems like a sensible and quick way of protecting Plus Net users from this exploit.
2. Turn on the firewall to low by default for all subscribers and e-mail them all to suggest that High may be a more appropriate setting for them.
Many thanks
Andy
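A way to check whether traffic for the two ports named in the post above is reaching a router's WAN side, as an added example that is not part of the original thread: it scans netfilter-style firewall log lines for inbound packets to UDP 1900 and TCP 2869. The interface names (`ppp0`, `br0`) and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Ports named in the post: UDP 1900 (SSDP discovery) and TCP 2869.
UPNP_PORTS = {("UDP", 1900), ("TCP", 2869)}
WAN_IFACE = "ppp0"  # assumption: name of the router's WAN-facing interface

FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in netfilter LOG style (documentation addresses only).
SAMPLE_LOG = """\
May 14 10:01:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.20 PROTO=UDP SPT=53211 DPT=1900 LEN=129
May 14 10:01:03 gw kernel: IN=br0 OUT= SRC=192.168.1.23 DST=239.255.255.250 PROTO=UDP SPT=40000 DPT=1900 LEN=129
May 14 10:01:09 gw kernel: IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.20 PROTO=TCP SPT=40112 DPT=2869 LEN=60 SYN
May 14 10:02:00 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP SPT=40113 DPT=443 LEN=60 SYN
May 14 10:02:30 gw kernel: garbled line without fields
"""

def parse_line(line):
    """Return the KEY=VALUE fields of one log line, or None if it is not a packet record."""
    fields = dict(FIELD.findall(line))
    if not {"IN", "SRC", "PROTO", "DPT"} <= fields.keys():
        return None
    return fields

def wan_upnp_hits(log_text, wan_iface=WAN_IFACE):
    """Return (src, proto, dport) for packets that arrived on wan_iface for a UPnP port."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["IN"] != wan_iface or not f["DPT"].isdigit():
            continue
        key = (f["PROTO"].upper(), int(f["DPT"]))
        if key in UPNP_PORTS:
            hits.append((f["SRC"], *key))
    return hits

def summarise(hits):
    """Count hits per (proto, port) so repeated WAN-side UPnP traffic stands out."""
    return Counter((proto, port) for _, proto, port in hits)

if __name__ == "__main__":
    for src, proto, port in wan_upnp_hits(SAMPLE_LOG):
        print(f"WAN-side UPnP traffic: {src} -> {proto}/{port}")
```

LAN-side SSDP multicast (the `br0` line) is normal and is deliberately not reported; only packets that arrived on the WAN interface count.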
Re: PlusNet Firewall - Port Blocking Suggestions
11-04-2013 10:58 AM
http://community.plus.net/forum/index.php/topic,74679.0.html
Re: PlusNet Firewall - Port Blocking Suggestions
11-04-2013 12:09 PM
Re: PlusNet Firewall - Port Blocking Suggestions
13-05-2013 5:10 PM
Service Notification
1:49am, Saturday 11 May 2013
The customer's firewall settings have been updated to "Firewall off"
The generated email should direct the customer to check the "closed questions" to make sure everything is OK.
(The Plusnet internal ticket is/was #74543)
Re: PlusNet Firewall - Port Blocking Suggestions
14-05-2013 6:55 PM
Re: PlusNet Firewall - Port Blocking Suggestions
14-05-2013 11:35 PM
Cannot be done successfully with a simple port filter; it needs something much more sophisticated. But Plusnet must have the necessary technology as they can traffic manage P2P traffic.
The reason I suggest this is I see lots of posts (in other forums) asking how to stop someone on the home network from using P2P, hogging the bandwidth, and disrupting everyone else's internet. It's often from someone in student accommodation.
I'm sure such a system would be a good marketing point for the ISP.
e.g. stop one person hogging the bandwidth, downloading questionable material and leaving the owner responsible etc.
Re: PlusNet Firewall - Port Blocking Suggestions
14-05-2013 11:45 PM
Re: PlusNet Firewall - Port Blocking Suggestions
15-05-2013 12:18 AM
What I would like to see with the Firewall would be a sort of Super High setting which blocks all incoming ports to all protocols but allows the user to configure which ports and protocols to open.
Re: PlusNet Firewall - Port Blocking Suggestions
15-05-2013 12:36 AM
Quote from: Anotherone Well I've asked for an update on the issue of the Firewall being off on New/Change of Product.
So you have, Anotherone, and I missed it! Anyway, I was just trying to highlight that we would like a response from Plusnet to see what's happening on this particular issue that's been outstanding for a few years!!!
I assumed Safe Surf was targeted at families, but I can see that bandwidth hogs etc in a household can cause a few problems too.
Re: PlusNet Firewall - Port Blocking Suggestions
15-05-2013 10:00 AM
Thanks I wasn't aware of PN's safe surf, only been here a few months.
I've now had a look and am sorry to say I find it a tad underwhelming. IMO it's too basic to block most P2P software, in fact it will not even block my own usenet connection.
Sorry for the rant, but I feel strongly about security software which promises what it can't deliver is just another form of malware IMO.
Re: PlusNet Firewall - Port Blocking Suggestions
15-05-2013 10:15 AM
Re: PlusNet Firewall - Port Blocking Suggestions
15-05-2013 10:34 AM
Quote from: Anotherone That's hardly a Rant,
What I left unsaid was
In truth I'm disgusted with PN for promising the following which "safe surf" can not possibly deliver.
Quote " Set My Safe Surf Option
Turning on Safe Surf gives you added online security by blocking unwanted network traffic. It stops access to Peer-to-Peer software or binary USENET on your account, but still lets you get online to surf, chat, email and play games."
May have been true 20 years ago but not now.
Re: PlusNet Firewall - Port Blocking Suggestions
15-05-2013 10:41 AM
Quote Please note: We can’t guarantee that Safe Surf will block all Peer-to-Peer and USENET traffic. Some Peer-to-Peer applications can be set to use a different port if the common port is blocked.
but that's not really an excuse for not upgrading it, especially these days when attacks are getting more sophisticated!
Re: PlusNet Firewall - Port Blocking Suggestions
15-05-2013 11:27 AM
Re: PlusNet Firewall - Port Blocking Suggestions
15-05-2013 1:45 PM
Quote from: Anotherone But it does go on to say (at the bottom of the page)
Yes, for me, that just confirms Plusnet know they are over-egging their description of what "safe surf" will do.
@purleigh
Sorry that's getting beyond my experience.
I do know it's beyond a simple port blocking firewall though.