Computer Security - New TELUS Security policy

#1

So TELUS (Canadian ADSL provider) has started to roll out a new security policy on their consumer ADSL market. This security policy takes initiative and blocks specific incoming ports.

The ports blocked are:
TCP 21 (ftp)
TCP 25 (smtp)
TCP 80 (www)
TCP 110 (pop3)
TCP 6667 (ircd)
TCP/UDP 135-139 (dcom and netbios)
TCP/UDP 1433-1434 (ms-sql)

They are blocking these, telling the customers it's for their safety. Which is true, because the Telus customers won't get slammed by the latest Windows worm/virus. But I wanted thoughts from the community on this idea.

I'm sure that Telus isn't the first ISP to implement this, and it falls within the service agreement which states that customers shouldn't be running these services on a consumer plan anyway. I just wanted thoughts on the censorship of this action from the community.

Personally, I don't like this idea, I don't like the idea of having any ports blocked on my personal internet connection, but I can see why this would be a good idea for the majority of broadband customers.

Thoughts?

jynXed

#2

"jynXed" <jynxed-nospamhaha-> wrote in news:w89sc.5277$J02.3891@edtnps84:

> So TELUS (Canadian ADSL provider) has started to roll out a new
> security policy on their consumer ADSL market. This security policy
> takes initiative and blocks specific incoming ports.
> The ports blocked are:
> TCP 21 (ftp)
> TCP 25 (smtp)
> TCP 80 (www)
> TCP 110 (pop3)
> TCP 6667 (ircd)
> TCP/UDP 135-139 (dcom and netbios)
> TCP/UDP 1433-1434 (ms-sql)

As long as they're just blocking the incoming, it shouldn't be an issue unless you're trying to run a server which many Cable and DSL providers frown on if not outright prohibit.

> I'm sure that Telus isn't the first ISP to implement this, and it
> falls within the service agreement which states that customers
> shouldn't be running these services on a consumer plan anyway. I just
> wanted thoughts on the censorship of this action from the community.

There are ways around such blocks. My ISP blocks all of those for incoming as well as outgoing pop3, smtp, nntp. And yet ... I manage to access those services anyway. *cough* tunneling, proxying, COTSE *cough*

> Personally, I don't like this idea, I don't like the idea of having
> any ports blocked on my personal internet connection, but I can see
> why this would be a good idea for the majority of broadband customers.

I'm on dialup but I agree that it's not right for them to block anything. OTOH, I can see how the internet as a whole might applaud them for taking steps to prevent the spread of worms

Doc
irc2.peacefulhaven.net -or- http://www.peacefulhaven.net
Home of the Official DocJeff Challenge
--
http://www.cotse.net - Use it, you know you want to. If you're too scared to go look for yourself, ask me about COTSE. I'd be happy to tell you about it.

[ Doc Jeff ]

#3

In article <w89sc.5277$J02.3891@edtnps84>, jynxed-nospamhaha- says...

> So TELUS (Canadian ADSL provider) has started to roll out a new security
> policy on their consumer ADSL market. This security policy takes initiative
> and blocks specific incoming ports.
> The ports blocked are:
> TCP 21 (ftp)
> TCP 25 (smtp)
> TCP 80 (www)
> TCP 110 (pop3)
> TCP 6667 (ircd)
> TCP/UDP 135-139 (dcom and netbios)
> TCP/UDP 1433-1434 (ms-sql)
>
> They are blocking these, telling the customers it's for their safety. Which
> is true, because the Telus customers won't get slammed by the latest Windows
> worm/virus. But I wanted thoughts from the community on this idea.

I think it's about dang time that an ISP takes a proactive stance against ignorant users. Non-Business account holders don't need any of those ports opened inbound.

--
--
(Remove 999 to reply to me)

Leythos

#4

jynXed wrote:

> The ports blocked are:
> TCP 21 (ftp)
> TCP 25 (smtp)
> TCP 80 (www)
> TCP 110 (pop3)
> TCP 6667 (ircd)
> TCP/UDP 135-139 (dcom and netbios)
> TCP/UDP 1433-1434 (ms-sql)
>
> Thoughts?

Telus seem much more interested in enforcing their 'no-services' policy than customer security.

~pique@boo

Pique@boo

#5

"Pique@boo" <> wrote in news::

> Telus seem much more interested in enforcing their 'no-services' policy
> than customer security.

That's how I see it. ;_0

--
Secure Lockdown
CISSP, MCSE, Security+, Linux+

Secure Lockdown

#6

"Leythos" <> wrote in message news:...

> In article <w89sc.5277$J02.3891@edtnps84>, jynxed-nospamhaha-
> says...
> > So TELUS (Canadian ADSL provider) has started to roll out a new security
> > policy on their consumer ADSL market. This security policy takes initiative
> > and blocks specific incoming ports.
> > The ports blocked are:
> > TCP 21 (ftp)
> > TCP 25 (smtp)
> > TCP 80 (www)
> > TCP 110 (pop3)
> > TCP 6667 (ircd)
> > TCP/UDP 135-139 (dcom and netbios)
> > TCP/UDP 1433-1434 (ms-sql)
> >
> > They are blocking these, telling the customers it's for their safety. Which
> > is true, because the Telus customers won't get slammed by the latest Windows
> > worm/virus. But I wanted thoughts from the community on this idea.
>
> I think it's about dang time that an ISP takes a proactive stance
> against ignorant users. Non-Business account holders don't need any of
> those ports opened inbound.

Hmm. My own ISP (NTL, in the UK) has been doing similar things for a while.. blocking some of the low-end ports has been "interesting" for some of us router users Wait scenarios. Zyxels don't seem to like this..)

Funnily enough, the OP's comments sound a lot like a situation with a work colleague in Florida - a large number of ports were blocked "for his own protection".. and are instantly freed if one converts to a business account.

Apparently, the ability to pay twice as much per month /instantly/ makes you into a security expert.. (cynic? Moi? ;o)

My personal view is to include a firewall service (at additional cost, natch, and that has to be explicitly deleted from an order). The average schmoo would love the idea that they are being nannied, while weirdoes like us lot could take a bit more responsibility for our actions. "Tracker" excepted, natch ;o)

--
Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily reflect the opinions of the highly-opinionated person expressing the opinion in the first place. So there!

Hairy One Kenobi

#7

In article <f1atc.817$>, abuse@ [127.0.0.1] says...

> "Leythos" <> wrote in message
> news:...
> > In article <w89sc.5277$J02.3891@edtnps84>, jynxed-nospamhaha-
> > says...
> > > So TELUS (Canadian ADSL provider) has started to roll out a new security
> > > policy on their consumer ADSL market. This security policy takes initiative
> > > and blocks specific incoming ports.
> > > The ports blocked are:
> > > TCP 21 (ftp)
> > > TCP 25 (smtp)
> > > TCP 80 (www)
> > > TCP 110 (pop3)
> > > TCP 6667 (ircd)
> > > TCP/UDP 135-139 (dcom and netbios)
> > > TCP/UDP 1433-1434 (ms-sql)
> > >
> > > They are blocking these, telling the customers it's for their safety. Which
> > > is true, because the Telus customers won't get slammed by the latest Windows
> > > worm/virus. But I wanted thoughts from the community on this idea.
> >
> > I think it's about dang time that an ISP takes a proactive stance
> > against ignorant users. Non-Business account holders don't need any of
> > those ports opened inbound.
>
> Hmm. My own ISP (NTL, in the UK) has been doing similar things for a while..
> blocking some of the low-end ports has been "interesting" for some of us
> router users
> Wait scenarios. Zyxels don't seem to like this..)

The outbound ports, 1024 and above don't make sense for blocking - only the inbound ports need blocked by the ISP. Meaning, for most users, there is no reason for the chap down the block to accept packets directly from the chap around the corner. Most TAS/AUP don't really allow for it anyway.

> Funnily enough, the OP's comments sound a lot like a situation with a work
> colleague in Florida - a large number of ports were blocked "for his own
> protection".. and are instantly freed if one converts to a business account.
>
> Apparently, the ability to pay twice as much per month /instantly/ makes you
> into a security expert.. (cynic? Moi? ;o)

We have different levels of service here too - if you are a residential user you are assumed to be just one of the masses. If you pay for upgraded service it's assumed that you have something invested in it that is a little beyond the home user group. There are about 5 levels of business accounts, some are just higher performance accounts for remote VPN into the home office, some are high performance with as many IP as you want.... I would say that a business account user is "More Likely" to be more secure than a residential user.

> My personal view is to include a firewall service (at additional cost,
> natch, and that has to be explicitly deleted from an order). The average
> schmoo would love the idea that they are being nannied, while weirdoes like
> us lot could take a bit more responsibility for our actions. "Tracker"
> excepted, natch ;o)

If the routers that the ISP provides would be NAT enabled by default, and then allow users to request a non-NAT configuration for free, it would make the net a lot nicer for all of us. I think that ALL ISPs should provide instructions for AV and personal firewall software, but that's asking way too much

--
--
(Remove 999 to reply to me)

Leythos
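
The inbound-only port list from the first post, modelled as a filter and checked against a home machine's listening ports. This is an added example, not part of any post and not TELUS's actual configuration. It assumes a stateless match on destination port for traffic arriving at the subscriber; the function names and the sample listening set are constructed for illustration.

```python
import re

# The blocked-port list exactly as posted in the thread.
POSTED_LIST = """\
TCP 21 (ftp)
TCP 25 (smtp)
TCP 80 (www)
TCP 110 (pop3)
TCP 6667 (ircd)
TCP/UDP 135-139 (dcom and netbios)
TCP/UDP 1433-1434 (ms-sql)
"""

LINE_RE = re.compile(r"^(TCP(?:/UDP)?|UDP)\s+(\d+)(?:-(\d+))?\s+\((.+)\)$")

def parse_rules(text):
    """Parse 'PROTO[/PROTO] LOW[-HIGH] (label)' lines into rule tuples."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule line: {line!r}")
        low = int(m.group(2))
        high = int(m.group(3) or low)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range in: {line!r}")
        protos = frozenset(m.group(1).lower().split("/"))
        rules.append((protos, low, high, m.group(4)))
    return rules

RULES = parse_rules(POSTED_LIST)

def verdict(direction, proto, dst_port, rules=RULES):
    """Return the label of the rule that blocks the packet, or None if it passes."""
    # Assumption: the policy only filters traffic arriving at the subscriber.
    if direction != "inbound":
        return None
    for protos, low, high, label in rules:
        if proto.lower() in protos and low <= dst_port <= high:
            return label
    return None

def exposed_tcp_ports(listening, rules=RULES):
    """TCP listeners that the posted list would still leave reachable from outside."""
    return sorted(p for p in listening if verdict("inbound", "tcp", p, rules) is None)

# Constructed sample: ports a home PC might be listening on.
SAMPLE_LISTENING = {22, 80, 139, 445, 1433, 3389}
print(exposed_tcp_ports(SAMPLE_LISTENING))
```

Ports such as 445 and 3389 fall outside the posted ranges, so a host-level or router firewall is still needed for anything the list does not name.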