
PlusNet Firewall - Port Blocking Suggestions

andyleemeuk
Newbie
Posts: 9
Registered: ‎07-04-2013

PlusNet Firewall - Port Blocking Suggestions

Dear Plus Net Admin Gurus,
Firstly, thank you for providing a set of server-side firewall settings which can be chosen and set up by the user :) and I have some suggestions to improve the service...
1. Add UPnP to the list of ports blocked in both the "low" and "High" protocol settings.  These ports, as you will be aware, are for use inside a network only and should never be open on the public-facing side of the network.  However, a recent exploit (set out in great detail on the Security Now Podcast, Episode 389, http://twit.tv/show/security-now/389, and by Rapid 7 in their report (NB: download link) http://bit.ly/upnpflaws) details that worldwide there are some 81 million routers which open UPnP to the "public"-facing side of the internet and therefore allow the network to be attacked remotely by some unscrupulous individuals.
If PlusNet blocked UDP port 1900 and TCP port 2869 in both the "low" and "High" protocol settings this would prevent any attack on a vulnerable Plus Net user without any issues to the user's connection... these ports should not be functional on the public-facing side in any event!!
Rapid 7's recommendations to ISPs in light of this exploit were:
Quote
Internet Service Providers
ISPs should review any equipment that they are providing to subscribers to verify that UPnP is not exposed on the WAN interface.
If the equipment is affected, one of the following solutions should be considered:

  • Pushing a configuration update that disables UPnP across the subscriber base

  • Pushing a software update that removes UPnP capabilities from the device

  • Replacing customer equipment with a device that can be configured securely

  • Implementing network-wide ACLs for UDP port 1900 and specific TCP ports


Implementing the network-wide block on UPnP seems like a sensible and quick way of protecting Plus Net users from this exploit.
2. Turn on the firewall to low by default for all subscribers and e-mail them all to suggest that High may be a more appropriate setting for them.
Many thanks
Andy
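
An added example, not part of the original thread and not Plusnet's or Rapid7's code: a small auditor that reads an iptables-save style ruleset and reports, using first-match semantics, whether unsolicited packets to UDP 1900 and TCP 2869 arriving on the WAN interface would be accepted. The interface name `ppp0` and the sample rulesets are constructed assumptions; negation (`!`), interface wildcards and user-defined chains are not modelled.

```python
import shlex
UPNP_PORTS = [("udp", 1900), ("tcp", 2869)]  # the two ports named in the post

def _port_in(spec, port):
    # spec: "1900", a range "137:139", or a multiport list "135,137:139,445"
    ranges = (p.partition(":") for p in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def _matches(tok, wan_if, proto, port):
    opts = dict(zip(tok, tok[1:]))  # option -> the token that follows it
    if opts.get("-i", wan_if) != wan_if or opts.get("-p", proto) not in (proto, "all"):
        return False
    if "--ctstate" in opts and "NEW" not in opts["--ctstate"].split(","):
        return False  # the audit models an unsolicited (new) inbound packet
    spec = opts.get("--dport") or opts.get("--dports")
    return spec is None or _port_in(spec, port)

def audit_wan_upnp(ruleset, wan_if, chain="INPUT"):
    """First-match verdict per UPnP port for new packets arriving on wan_if."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]  # chain default, e.g. ":INPUT ACCEPT [0:0]"
        elif tok[:2] == ["-A", chain] and "-j" in tok:
            rules.append(tok)
    verdicts = {}
    for proto, port in UPNP_PORTS:
        verdicts[(proto, port)] = policy
        for tok in rules:
            target = tok[tok.index("-j") + 1]
            if target in ("ACCEPT", "DROP", "REJECT") and _matches(tok, wan_if, proto, port):
                verdicts[(proto, port)] = target
                break
    return verdicts

# Constructed rulesets (not from a real device); ppp0 is the assumed WAN interface.
BASE = """:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -m multiport --dports 135,137:139,445 -j DROP
"""
BLOCK = """-A INPUT -i ppp0 -p udp -m udp --dport 1900 -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 2869 -j DROP
"""
SHADOW = "-A INPUT -i ppp0 -p udp -j ACCEPT\n"  # broad allow placed before BLOCK

if __name__ == "__main__":
    for name, rs in (("exposed", BASE), ("blocked", BASE + BLOCK), ("shadowed", BASE + SHADOW + BLOCK)):
        print(name, audit_wan_upnp(rs, "ppp0"))
```

The shadowed case reports ACCEPT for UDP 1900 even though a DROP rule for it exists, because the earlier broad allow matches first.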
14 REPLIES
alanf
Aspiring Pro
Posts: 1,931
Thanks: 78
Fixes: 1
Registered: ‎17-10-2007

Re: PlusNet Firewall - Port Blocking Suggestions

I don't think much of our chances getting this suggestion implemented. Four years ago it was discovered that the firewall was turned off each time one changed product. In February 2013 I discovered that this was still the case.
http://community.plus.net/forum/index.php/topic,74679.0.html
adamwalker
Plusnet Help Team
Posts: 16,926
Thanks: 867
Fixes: 223
Registered: ‎27-04-2007

Re: PlusNet Firewall - Port Blocking Suggestions

Thanks for the feedback and the suggestion about that.
If this post resolved your issue please click the 'This fixed my problem' button
 Adam Walker
 Plusnet Help Team
MsDizzie
Grafter
Posts: 132
Registered: ‎21-11-2012

Re: PlusNet Firewall - Port Blocking Suggestions

Well it's still the case. I changed product recently and read through the list of "closed questions" that are generated (8 in total) on Help Assistant - Your Questions:
Service Notification
1:49am, Saturday 11 May 2013
The customer\'s firewall settings have been updated to \"Firewall off\"
The generated email should direct the customer to check the "closed questions" to make sure everything is OK.
(The Plusnet internal ticket is/was #74543)

Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: ‎31-08-2007

Re: PlusNet Firewall - Port Blocking Suggestions

Well I've asked for an update on the issue of the Firewall being off on New/Change of Product.
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: PlusNet Firewall - Port Blocking Suggestions

What I would like to see is a setting to truly block P2P traffic.
It can't be done successfully with a simple port filter; it needs something much more sophisticated. But Plusnet must have the necessary technology as they can traffic manage P2P traffic.
The reason I suggest this is I see lots of posts (in other forums) asking how to stop someone on the home network from using P2P, hogging the bandwidth, and disrupting everyone else's internet. It's often from someone in student accommodation ;)
I'm sure such a system would be a good marketing point for the ISP.
eg stop one person hogging the bandwidth, downloading questionable material and leaving the owner responsible etc.
Anonymous
Not applicable

Re: PlusNet Firewall - Port Blocking Suggestions

Isn't that what the "Safe Surf Option" is supposed to do ?
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: ‎31-08-2007

Re: PlusNet Firewall - Port Blocking Suggestions

It's supposed to, but as has been pointed out before, you can configure your own ports in some P2P software. Whilst Safe Surf might stop the basic stuff and perhaps average youngsters from doing P2P, the clever buggers will soon find ways round it and tell their less clever mates. So, I quite like npr's idea, but I think it ought to be part of a modified Safe Surf rather than the Firewall.
What I would like to see with the Firewall would be a sort of Super High setting which blocks all incoming ports to all protocols but allows the user to configure which ports and protocols to open.
MsDizzie
Grafter
Posts: 132
Registered: ‎21-11-2012

Re: PlusNet Firewall - Port Blocking Suggestions

Quote from: Anotherone
Well I've asked for an update on the issue of the Firewall being off on New/Change of Product.

So you have, Anotherone, and I missed it! Anyway, I was just trying to highlight that we would like a response from Plusnet to see what's happening on this particular issue that's been outstanding for a few years!!!
I assumed Safe Surf was targeted at families, but I can see that bandwidth hogs etc in a household can cause a few problems too.
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: PlusNet Firewall - Port Blocking Suggestions

@purleigh,
Thanks I wasn't aware of PN's safe surf, only been here a few months.
I've now had a look and am sorry to say I find it a tad underwhelming. IMO it's too basic to block most P2P software, in fact it will not even block my own usenet connection.
Sorry for the rant, but I feel strongly that security software which promises what it can't deliver is just another form of malware IMO.  >:(
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: ‎31-08-2007

Re: PlusNet Firewall - Port Blocking Suggestions

That's hardly a Rant, and as I said in reply #7 it is very basic, so if your suggestion was used to Upgrade it, that would be good!
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: PlusNet Firewall - Port Blocking Suggestions

Quote from: Anotherone
That's hardly a Rant,

What I left unsaid was ;)
In truth I'm disgusted with PN for promising the following which "safe surf" can not possibly deliver.
Quote
" Set My Safe Surf Option
Turning on Safe Surf gives you added online security by blocking unwanted network traffic. It stops access to Peer-to-Peer software or binary USENET on your account, but still lets you get online to surf, chat, email and play games."

May have been true 20 years ago but not now.
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: ‎31-08-2007

Re: PlusNet Firewall - Port Blocking Suggestions

But it does go on to say (at the bottom of the page)
Quote
Please note: We can’t guarantee that Safe Surf will block all Peer-to-Peer and USENET traffic. Some Peer-to-Peer applications can be set to use a different port if the common port is blocked.

but that's not really an excuse for not upgrading it, especially these days when attacks are getting more sophisticated!
Anonymous
Not applicable

Re: PlusNet Firewall - Port Blocking Suggestions

@npr, unfortunately I have never investigated P2P so can't help any further with this discussion, but is it worth you outlining here what you would consider adequate measures and how it might be done, so that we can discuss and compare that with the existing "Safe Surf" feature, and try and encourage Plusnet to improve it in such a way that you and other forum contributors would like to see P2P blocking implemented.
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: PlusNet Firewall - Port Blocking Suggestions

Quote from: Anotherone
But it does go on to say (at the bottom of the page)

Yes, for me, that just confirms Plusnet know they are over egging their description of what "safe surf" will do.  :-/
@purleigh
Sorry that's getting beyond my experience.
I do know it's beyond a simple port blocking firewall though.