Providers removing blocks on port 135?
Iljitsch van Beijnum
iljitsch at muada.com
Sun Sep 21 10:44:18 UTC 2003
On zaterdag, sep 20, 2003, at 21:36 Europe/Amsterdam, Sean Donelan
wrote:
> Should any dialup, dsl, cable, wi-fi, dhcp host be able to use any
> service
> at any time? For example run an SMTP mailer, or leave Network
> Neighborhood open for others to browse or install software on their
> computers?
As someone who has been using IP for a while now, I would very much
like to be able to use any service at any time.
> Or should ISPs have a "default deny" on all services, and subscribers
> need
> to call for permitssion if they want to use some new service? Should
> new
> services like Voice over IP, or even the World Wide Web be blocked by
> default by service providers?
Obviously not. Blocking services that are known to be bad or vulnerable
wouldn't be entirely unreasonable, though. But who gets to decide which
services should be blocked? Some services are very dangerous and not
very useful, so blocking is a no brainer. Other services are only
slightly risky and very useful. Where do we draw the line? Who draws
the line?
> As a HOST requirement, I think all hosts should be "client-only" by
> default. That includes things when acting as like hosts such as
> routers,
> switches, print servers, file servers, UPSes. If a HOST uses a
> network protocol for local host processes (e.g. X-Windows, BIFF,
> Syslog,
> DCE, RPC) by default it should not accept network connections.
> It should require some action, e.g. the user enabling the service,
> DHCP-client enabling it in a profile, clicking things on the LCD
> display
> on the front ofthe printer, etc.
Get yourself a Mac. :-)
I think it would useful to set aside a block of port numbers for local
use. These would be easy to filter at the edges of networks but plug
and play would still be possible.
> SERVICE PROVIDERS do not enforce host requirements.
But someone has to. The trouble is that access to the network has never
been considered a liability, except for local ports under 1024. (Have a
look at java, for example.) I believe that the only way to solve all
this nonsense is to have a mechanism that is preferably outside the
host, or at least deep enough inside the system to be protected against
application holes and user stupidity, which controls application's
access to the network. This must not only be based on application type
and user rights (user www gets to run a web server that listens on port
80) but also on application version. So when a vulnerability is found
the vulnerable version of the application is automatically blocked.
I don't see something like this popping up over night, though.
More information about the NANOG
mailing list