Spark to add port filtering for NetBIOS and SMB

Forums › Spark New Zealand (including Skinny and BigPipe) › Spark to add port filtering for NetBIOS and SMB

cbrpilot

955 posts

Ultimate Geek

Trusted

Spark NZ

#239630 27-Jul-2018 09:51

Good morning everyone,

Just a quick heads up on a change we're making to our Broadband network to increase customer security. As per industry best practice we're going to start blocking the ports used for SMB and NetBIOS on our Broadband connections. Those protocols are fairly well documented to be insecure and should never be used outside your own LAN - i.e. never on the internet.

The specifics of the ports being blocked are:

Incoming TCP ports 135->139

Incoming TCP port 445

This was implemented for Wireless Broadband Static IP nationwide from day 1. It is now being progressively rolled out across ADSL/VDSL and UFB for Spark Broadband starting with Northland. We expect to complete the rollout within the next month.

If you have another application which uses these ports, we'd recommend that if possible you move it to using a different port.

If that is not possible you can always opt out of the filtering by following the opt out links at spark.co.nz/port25. If you get port 25 (SMTP) unblocked it will also unblock the ports above (the same profile blocks all of these ports).

Dave.

My views are my own, and may not necessarily represent those of my employer.

1 | 2

2159 posts

Uber Geek

#2063442 27-Jul-2018 11:01

@cbrpilot - does this cover Bigpipe was well?

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2063450 27-Jul-2018 11:03

Why would someone expose them self like that.

Beggar belief!

Cyril

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#2063454 27-Jul-2018 11:12

cyril7:

Why would someone expose them self like that.

Beggar belief!

Cyril

This question comes to mind for me too..

I suppose there has been an increase in people doing dumb things as the use of a router infront of the connection starts to drop down..

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2063473 27-Jul-2018 11:34

hio77:

I suppose there has been an increase in people doing dumb things as the use of a router infront of the connection starts to drop down..

Are you suggesting with the rollout of UFB folk are connecting straight to the ONT.

I remember when I was working in the education sector, N4L did a similar clamp down as many "Professional" IT companies that schools employed seemed to do this exact same dumb stunt

Cyril

RunningMan

8955 posts

Uber Geek

#2063475 27-Jul-2018 11:40

cyril7:

Why would someone expose them self like that.

To port forward their CCTV cameras!

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2063477 27-Jul-2018 11:42

But the ports in question 445, 135-139 are windows network services, which is far more alarming than pics from the bike sheds

Cyril

tdgeek

29746 posts

Uber Geek

Trusted

Lifetime subscriber

#2063478 27-Jul-2018 11:44

RunningMan:

cyril7:

Why would someone expose them self like that.

To port forward their CCTV cameras!

Its good checking other peoples driveways for landscaping ideas!

AliExpress

Shop now on AliExpress (affiliate link).

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#2063554 27-Jul-2018 12:22

cyril7:

I remember when I was working in the education sector, N4L did a similar clamp down as many "Professional" IT companies that schools employed seemed to do this exact same dumb stunt

Are you suggesting there are IT Companies out there that don't know what they are doing!

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2063567 27-Jul-2018 12:36

hio77:

Are you suggesting there are IT Companies out there that don't know what they are doing!

Moi............never

cbrpilot

955 posts

Ultimate Geek

Trusted

Spark NZ

#2063612 27-Jul-2018 12:53

timbosan:

@cbrpilot - does this cover Bigpipe was well?

Yes this will cover Bigpipe as well. I'm not as worried about Bigpipe because up until a few weeks ago most of them (and Skinny) were using CGNAT and so this would have been blocked. Those with static IP on Bigpipe we've auto opted out of this.

My views are my own, and may not necessarily represent those of my employer.

Paul1977

5043 posts

Uber Geek

#2064791 30-Jul-2018 09:15

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

Wouldn't it be better to have separate opt-out options?

tdgeek

29746 posts

Uber Geek

Trusted

Lifetime subscriber

#2064796 30-Jul-2018 09:21

Paul1977:

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

Wouldn't it be better to have separate opt-out options?

Insecure Port 25 is legitimate but how long has security via SSL been in vogue? A year? 2 years? More like 18 years. Yet businesses and big ones use Port 25, you'd have to ask why

BarTender

3606 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2064808 30-Jul-2018 09:41

Paul1977:

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

Wouldn't it be better to have separate opt-out options?

Do you want to rebuild the whole end to end provisioning stack to support tweaking "option x y or z". Since then you would need to have a new option on the online portal, and have that new flag flow across the myriad of systems all the way to the network to set the option on. Plus completely regression testing all of those changes across all systems and how they get provisioned on xDSL and UFB via different stacks.

Or just change the network so that not only blocking port 25, and UDP 53 (to prevent DNS amplification attacks on dodgy old routers that for historically stupid reasons listen on port 53 on the WAN side and you can send DNS requests to so you can DDoS people worldwide) you can also block additional stuff like NetBIOS/SMB. Or some reason like that. ;)

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2064813 30-Jul-2018 09:55

So I guess the answer is no :)

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#2064839 30-Jul-2018 10:23

BarTender:

Paul1977:

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

Wouldn't it be better to have separate opt-out options?

Do you want to rebuild the whole end to end provisioning stack to support tweaking "option x y or z". Since then you would need to have a new option on the online portal, and have that new flag flow across the myriad of systems all the way to the network to set the option on. Plus completely regression testing all of those changes across all systems and how they get provisioned on xDSL and UFB via different stacks.

pls no, your coming back if that sort of build is required!

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

1 | 2