Re: Outpost blocks everything
From: Spack (news_at_worldofspack.co.uk)
Date: 08/31/05
Date: Wed, 31 Aug 2005 09:48:30 +0100
Juergen wrote on 31 Aug 2005 08:12:53 GMT:
> "Spack" <news@worldofspack.co.uk> wrote:
>
>>> If my ISP is taking me through a proxy then won't they be using a
>>> firewall on it?
>>
>> Maybe. But there will be ports open - 8080 or 1080 commonly used for
>> the proxies, 80 for a web server (ISPs often run a proxy on the same
>> server that runs at least one of their websites), 53 for DNS (they
>> also use them as DNS servers), and maybe a few other ports (25 for
>> SMTP or SMTP Relay, 110 for POP3, 22 for SSH, 21 for FTP, etc). All of
>> these ports are open because the server is doing multiple jobs. It
>> might not be ideal, but many ISPs cut corners to save costs.
>
> But many ISPs are smart enough to restrict access to those ports to IP
> addresses belonging to their own network, so that only their own
> customers can use them.
And yet others are not. DNS tends not to be restricted because it's used for
resolving ISPs' hosts. And proxies are often not locked down so that roaming
users don't have problems when using a different ISP on the move - however,
these normally require authorisation in the form of username + password, but
this will still show the port as open in a "security test" because the
service has to respond so the remote user's PC then knows to send the
authorisation info.

I know of at least one major UK ISP that even has all of its PIX firewalls
at its head office allowing everything in and out (so it's basically acting
as a router with no restrictions) because they consider it too much hassle
to have to open ports when they add new services, even to the point of
developers there running test web servers on their own PCs and them being
accessible to the internet. They had a hell of a time clearing up when
someone used one of their FTP servers to host GBs of porn and games and had
changed the passwords on the server, but it didn't change their security
policies - they just rebuilt the server and gave it a different password!

There are plenty of ISPs who are loath to implement decent security because
of the additional cost involved, both in hardware and in man hours
maintaining it. They seem to think it's cheaper to clean up after there's a
problem - in this day though it only takes one serious breach to bring an
end to a company, or at least seriously cripple it, but many either don't
care or are too blinkered to realise.
Dan