[nSLUG] Off Topic: ISP filtering
kyle at kylekelly.com
Sat Mar 13 11:16:54 AST 2004
bdavidso at supercity.ns.ca wrote:
>There was a discussion here recently about Eastlink's policy of blocking
>TCP port 25, ingress and egress, messing up some people's local mail
>servers. I can go back and forth on the benefits and problems of that
>decision, but that isn't exactly what I want to discuss here.
>As you may know, I am the admin for a small local ISP (dialup). I'm also
>a Linux user, and generally have always had the feeling that if I buy
>Internet access, then I want Internet access, dammit. No filtering, NAT,
>or other crap in the way. And that is the way we operate -- when our
>users dial in, they get a live Class C address on the Internet. I have no
>control over our immediate upstream router (it's "managed" by our
>provider), and I haven't poked at it with nmap and such, but I think it is
>pretty much wide open.
>However, the environment out there has become more and more nasty, and is
>causing more and more problems for naive users. I can't police how users
>configure and operate their machines, but I have to help them fix them
>when there is a problem, which eats into my day when I could be doing
>something useful or at least wasting my time in a manner of my choosing.
>When users have problems caused by their own stup^H^H^H^Hinexperience I
>don't mind saying "Bring the machine into the office and I'll fix it at
>our usual service rate", remove BonziBuddy and assorted spyware, remove
>viruses, install Windows updates, install AVG anti-virus, generally tune
>things up, and charge them a fraction of what my time is worth but enough
>that they will be more careful next time.
>However, users are beginning to experience problems that really are not
>their fault. Here is an example, by no means unique:
>One of my co-workers bought a brand new computer for his son. He
>installed WinXP, configured it to dial into our service, connected, and
>clicked on Windows Update. It did the usual, downloaded the latest
>Windows Update software, scanned the machine for available updates, and
>informed hime that he needed about 18-20 critical updates amounting to 30
>or so MB. Realizing how long that would take over 56K dialup, he said
>"Screw it, I'll take it into the office in the morning and use our DSL
>connection to get the updates." So he was online maybe, what... ten
>Of course, our office network is protected by a Linux box running iptables
>(which is also my desktop box, an AMD K6/2-500, and works great). So he
>brought the machine into the office and connected it to our network, but
>when he was trying to install the windows updates some of them didn't
>install. Then he installed Norton Antivirus but it wouldn't start. I had
>a look and quickly determined that the machine was infected with a worm,
>which he must have got while connected to our dial-up network. It took a
>while to figure out what the worm was and figure out how to fix it
>(Symantec said "Download the latest virus definitions and scan" but since
>the scanner wouldn't run that was impossible. Plus regedit wouldn't
>run.). So we wasted a couple of hours eradicating the damn thing from the
>And this isn't the first time. I was recently working on a customer's
>machine that was infected with a worm. I got rid of the worm, then dialed
>up to download windows updates, but before I could download even one
>update the computer was re-infected.
>So... Here's my dilemma. I'm thinking about the benefits of putting our
>dialup clients behind a firewall, not unlike what I use in our office. I
>know some of you are probably saying "What?! Your customers are not
>firewalled already?" Well, see my second para above. Besides, I didn't
>design this network, and I don't blame the guy who did. A few short years
>ago the stuff I mentioned above was unheard of, but now it is common.
>Unprotected machines are being scanned, probed, poked with a stick, and
>generally infected at an alarming rate. Users don't install vendor
>updates, be it for their OS or their virus scanner. Most don't even know
>what spyware is, although a large percentage of problems I fix are related
>to spyware fscking the fragile windows network stack.
>Of course, filtering our network will not eliminate spyware or viruses.
>We already do a good job eliminating email-borne viruses unless the
>clients expose themselves to alternate infection vectors (hotmail etc.,
>p2p stuff, IRC), and we still generally catch the viruses they send.
>(In fact I have one user whose machine is infected with Klez -- I know it,
>and he knows it because I keep telling him, and I know he got my emails
>because they aren't in his mailbox, and I forwarded him dozens of "Virus
>Alert" messages that I get when our mail server intercepts viruse that his
>machine is sending, but he won't answer me or do anything about it. It
>may be time to block all his email access until he calls the office...)
>Sorry this is so long, but I wanted to give you all the background. You
>people tend to be hard-core give-me-internet-or-give-me-death types, and I
>am looking for some feedback. Why should I NOT do this? Why SHOULD I do
>this? If I do it, what should I look for / worry about? What inbound
>ports should I leave open? What outbound ports should I block? Imagine
>my typical client as a penurious little old lady who sends a lot of email
>daily to her family, friends, and church, and gets email daily from the
>above plus some mailing lists and commercial sites, and who surfs a little
>porn, and who has a mild gambling habit, and does online banking, and uses
>those infernal chat programs like MSN, Yahoo, etc., and uploads stuff to
>her website via ftp, and, umm, you get the picture. "General use" Would
>this be a Good Thing (sorry, Martha)? Would this be a Bad Thing? Can it
>be essentialy transparent to the users unless they are running some
>unusual or obscure VPN-type thingy?
>All opinions welcome, though this isn't actually a troll as such.
I'm totally unfamiliar with how a dial up network is setup, but would it
be possible to have a local cache of the windows update files, and so
when windows user connects for the first time they are not on the
Internet, but rather can download the updates from you, and then after
that is complete they have access to the complete Internet. I'm not
sure if this is even possible to setup with Linux servers, I know though
that here at work where we're forced to use MS, they run a isa server or
something like that that contains a local cache of windows updates, much
faster that way.
I've heard of isp's firewalling off there users for the first time they
connect to force them run windows update, and maybe even scan them for
virus's/open ports etc.
Hope that made sense/helps.
More information about the nSLUG