New TELUS Security policy

Discussion in 'Computer Security' started by jynXed, May 23, 2004.

  1. jynXed

    jynXed Guest

    So TELUS (Canadian ADSL provider) has started to roll out a new security
    policy on their consumer ADSL market. This security policy takes initiative
    and blocks specific incoming ports.
    The ports blocked are:
    TCP 21 (ftp)
    TCP 25 (smtp)
    TCP 80 (www)
    TCP 110 (pop3)
    TCP 6667 (ircd)
    TCP/UDP 135-139 (dcom and netbios)
    TCP/UDP 1433-1434 (ms-sql)

    They are blocking these, telling the customers it's for their safety. Which
    is true, because the Telus customers won't get slammed by the latest Windows
    worm/virus. But I wanted thoughts from the community on this idea.

    I'm sure that Telus isn't the first ISP to implement this, and it falls
    within the service agreement which states that customers shouldn't be
    running these services on a consumer plan anyway. I just wanted thoughts on
    the censorship of this action from the community.

    Personally, I don't like this idea, I don't like the idea of having any
    ports blocked on my personal internet connection, but I can see why this
    would be a good idea for the majority of broadband customers.

    Thoughts?
     
    jynXed, May 23, 2004
    #1

  2. jynXed

    [ Doc Jeff ] Guest

    "jynXed" <> wrote in
    news:w89sc.5277$J02.3891@edtnps84:

    > So TELUS (Canadian ADSL provider) has started to roll out a new
    > security policy on their consumer ADSL market. This security policy
    > takes initiative and blocks specific incoming ports.
    > The ports blocked are:
    > TCP 21 (ftp)
    > TCP 25 (smtp)
    > TCP 80 (www)
    > TCP 110 (pop3)
    > TCP 6667 (ircd)
    > TCP/UDP 135-139 (dcom and netbios)
    > TCP/UDP 1433-1434 (ms-sql)


    As long as they're just blocking the incoming, it shouldn't be an issue
    unless you're trying to run a server which many Cable and DSL providers
    frown on if not outright prohibit.

    > I'm sure that Telus isn't the first ISP to implement this, and it
    > falls within the service agreement which states that customers
    > shouldn't be running these services on a consumer plan anyway. I just
    > wanted thoughts on the censorship of this action from the community.


    There are ways around such blocks. My ISP blocks all of those for incoming
    as well as outgoing pop3, smtp, nntp. And yet ... I manage to access those
    services anyway. *cough* tunneling, proxying, COTSE *cough*

    > Personally, I don't like this idea, I don't like the idea of having
    > any ports blocked on my personal internet connection, but I can see
    > why this would be a good idea for the majority of broadband customers.


    I'm on dialup but I agree that it's not right for them to block anything.
    OTOH, I can see how the internet as a whole might applaud them for taking
    steps to prevent the spread of worms.

    Doc

    irc2.peacefulhaven.net -or- http://www.peacefulhaven.net
    Home of the Official DocJeff Challenge

    --
    http://www.cotse.net - Use it, you know you want to.
    If you're too scared to go look for yourself, ask me
    about COTSE. I'd be happy to tell you about it.
     
    [ Doc Jeff ], May 23, 2004
    #2

  3. jynXed

    Leythos Guest

    In article <w89sc.5277$J02.3891@edtnps84>, jynxed-nospamhaha-
    says...
    > So TELUS (Canadian ADSL provider) has started to roll out a new security
    > policy on their consumer ADSL market. This security policy takes initiative
    > and blocks specific incoming ports.
    > The ports blocked are:
    > TCP 21 (ftp)
    > TCP 25 (smtp)
    > TCP 80 (www)
    > TCP 110 (pop3)
    > TCP 6667 (ircd)
    > TCP/UDP 135-139 (dcom and netbios)
    > TCP/UDP 1433-1434 (ms-sql)
    >
    > They are blocking these, telling the customers it's for their safety. Which
    > is true, because the Telus customers won't get slammed by the latest Windows
    > worm/virus. But I wanted thoughts from the community on this idea.


    I think it's about dang time that an ISP takes a proactive stance
    against ignorant users. Non-Business account holders don't need any of
    those ports opened inbound.

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, May 24, 2004
    #3
  4. jynXed

    Pique@boo Guest

    jynXed wrote:

    > The ports blocked are:
    > TCP 21 (ftp)
    > TCP 25 (smtp)
    > TCP 80 (www)
    > TCP 110 (pop3)
    > TCP 6667 (ircd)
    > TCP/UDP 135-139 (dcom and netbios)
    > TCP/UDP 1433-1434 (ms-sql)
    >
    > Thoughts?


    Telus seem much more interested in enforcing their 'no-services' policy
    than customer security.

    ~pique@boo
     
    Pique@boo, May 24, 2004
    #4
  5. "Pique@boo" <> wrote in news::

    > Telus seem much more interested in enforcing their 'no-services' policy
    > than customer security.


    That's how I see it. ;_0

    --
    Secure Lockdown
    CISSP, MCSE, Security+, Linux+
     
    Secure Lockdown, May 26, 2004
    #5
  6. "Leythos" <> wrote in message
    news:...
    > In article <w89sc.5277$J02.3891@edtnps84>, jynxed-nospamhaha-
    > says...
    > > So TELUS (Canadian ADSL provider) has started to roll out a new security
    > > policy on their consumer ADSL market. This security policy takes initiative
    > > and blocks specific incoming ports.
    > > The ports blocked are:
    > > TCP 21 (ftp)
    > > TCP 25 (smtp)
    > > TCP 80 (www)
    > > TCP 110 (pop3)
    > > TCP 6667 (ircd)
    > > TCP/UDP 135-139 (dcom and netbios)
    > > TCP/UDP 1433-1434 (ms-sql)
    > >
    > > They are blocking these, telling the customers it's for their safety. Which
    > > is true, because the Telus customers won't get slammed by the latest Windows
    > > worm/virus. But I wanted thoughts from the community on this idea.
    >
    > I think it's about dang time that an ISP takes a proactive stance
    > against ignorant users. Non-Business account holders don't need any of
    > those ports opened inbound.


    Hmm. My own ISP (NTL, in the UK) has been doing similar things for a while..
    blocking some of the low-end ports has been "interesting" for some of us
    router users :eek:\ ("stealth" 1024 and 1025 TCP to explore interesting Time
    Wait scenarios. Zyxels don't seem to like this..)

    Funnily enough, the OP's comments sound a lot like a situation with a work
    colleague in Florida - a large number of ports were blocked "for his own
    protection".. and are instantly freed if one converts to a business account.

    Apparently, the ability to pay twice as much per month /instantly/ makes you
    into a security expert.. (cynic? Moi? ;o)

    My personal view is to include a firewall service (at additional cost,
    natch, and that has to be explicitly deleted from an order). The average
    schmoo would love the idea that they are being nannied, while weirdoes like
    us lot could take a bit more responsibility for our actions. "Tracker"
    excepted, natch ;o)

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, May 26, 2004
    #6
  7. jynXed

    Leythos Guest

    In article <f1atc.817$>, abuse@
    [127.0.0.1] says...
    > "Leythos" <> wrote in message
    > news:...
    > > In article <w89sc.5277$J02.3891@edtnps84>, jynxed-nospamhaha-
    > > says...
    > > > So TELUS (Canadian ADSL provider) has started to roll out a new security
    > > > policy on their consumer ADSL market. This security policy takes initiative
    > > > and blocks specific incoming ports.
    > > > The ports blocked are:
    > > > TCP 21 (ftp)
    > > > TCP 25 (smtp)
    > > > TCP 80 (www)
    > > > TCP 110 (pop3)
    > > > TCP 6667 (ircd)
    > > > TCP/UDP 135-139 (dcom and netbios)
    > > > TCP/UDP 1433-1434 (ms-sql)
    > > >
    > > > They are blocking these, telling the customers it's for their safety. Which
    > > > is true, because the Telus customers won't get slammed by the latest Windows
    > > > worm/virus. But I wanted thoughts from the community on this idea.
    > >
    > > I think it's about dang time that an ISP takes a proactive stance
    > > against ignorant users. Non-Business account holders don't need any of
    > > those ports opened inbound.
    >
    > Hmm. My own ISP (NTL, in the UK) has been doing similar things for a while..
    > blocking some of the low-end ports has been "interesting" for some of us
    > router users :eek:\ ("stealth" 1024 and 1025 TCP to explore interesting Time
    > Wait scenarios. Zyxels don't seem to like this..)


    The outbound ports, 1024 and above don't make sense for blocking - only
    the inbound ports need blocked by the ISP. Meaning, for most users,
    there is no reason for the chap down the block to accept packets
    directly from the chap around the corner. Most TAS/AUP don't really
    allow for it anyway.

    > Funnily enough, the OP's comments sound a lot like a situation with a work
    > colleague in Florida - a large number of ports were blocked "for his own
    > protection".. and are instantly freed if one converts to a business account.
    >
    > Apparently, the ability to pay twice as much per month /instantly/ makes you
    > into a security expert.. (cynic? Moi? ;o)


    We have different levels of service here too - if you are a residential
    user you are assumed to be just one of the masses. If you pay for
    upgraded service it's assumed that you have something invested in it
    that is a little beyond the home user group. There are about 5 levels of
    business accounts, some are just higher performance accounts for remote
    VPN into the home office, some are high performance with as many IP as
    you want.... I would say that a business account user is "More Likely"
    to be more secure than a residential user.

    > My personal view is to include a firewall service (at additional cost,
    > natch, and that has to be explicitly deleted from an order). The average
    > schmoo would love the idea that they are being nannied, while weirdoes like
    > us lot could take a bit more responsibility for our actions. "Tracker"
    > excepted, natch ;o)


    If the routers that the ISP provides would be NAT enabled by default,
    and then allow users to request a non-NAT configuration for free, it
    would make the net a lot nicer for all of us.

    I think that ALL ISPs should provide instructions for AV and personal
    firewall software, but that's asking way too much :)


    --
    --

    (Remove 999 to reply to me)
     
    Leythos, May 27, 2004
    #7
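
Added example, not part of any post in the thread: a small Python model of the inbound block list from the first post, showing which listening services it actually covers and why filtering on low ephemeral ports (the "1024 and 1025 TCP" remark) can interfere with ordinary outbound connections. It assumes the ISP filter is stateless and matches only protocol and destination port; the `LOW_EPHEMERAL` rule and the `LISTENERS` sample are constructed for illustration.

```python
import re

# Inbound block list exactly as posted in the thread.
TELUS_POLICY = """TCP 21 (ftp)
TCP 25 (smtp)
TCP 80 (www)
TCP 110 (pop3)
TCP 6667 (ircd)
TCP/UDP 135-139 (dcom and netbios)
TCP/UDP 1433-1434 (ms-sql)"""
RULE = re.compile(r"(TCP/UDP|TCP|UDP)\s+(\d+)(?:-(\d+))?\s+\((.+)\)")

def parse_policy(text):
    """Parse 'PROTO PORT[-PORT] (label)' lines into (protos, low, high, label)."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognised rule: {line!r}")
        low = int(m.group(2))
        high = int(m.group(3) or low)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range: {line!r}")
        rules.append((frozenset(m.group(1).lower().split("/")), low, high, m.group(4)))
    return rules

def inbound_verdict(rules, proto, dst_port):
    """Assumed stateless filter: looks only at protocol and destination port."""
    for protos, low, high, _label in rules:
        if proto.lower() in protos and low <= dst_port <= high:
            return "drop"
    return "pass"

def still_reachable(rules, listeners):
    """Listening (proto, port) pairs that the block list does not cover."""
    return [(p, n) for p, n in listeners if inbound_verdict(rules, p, n) == "pass"]

def reply_verdict(rules, proto, client_src_port):
    """A server's reply comes back inbound, addressed to the client's source port."""
    return inbound_verdict(rules, proto, client_src_port)

TELUS = parse_policy(TELUS_POLICY)
# Hypothetical rule modelled on the "1024 and 1025 TCP" remark; not a real ISP list.
LOW_EPHEMERAL = TELUS + parse_policy("TCP 1024-1025 (low ephemeral)")
# Constructed sample of services listening on a home PC.
LISTENERS = [("tcp", 80), ("udp", 137), ("tcp", 445), ("udp", 1434), ("tcp", 3389), ("tcp", 8080)]

if __name__ == "__main__":
    print("still reachable:", still_reachable(TELUS, LISTENERS))
    print("reply to src 1024:", reply_verdict(TELUS, "tcp", 1024), "vs", reply_verdict(LOW_EPHEMERAL, "tcp", 1024))
```

The listed ports stop unsolicited connections to those services only, so anything listening elsewhere stays reachable, and under the stateless assumption a rule on 1024-1025 also drops replies to outbound connections that happened to use those source ports.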