Geekzone: technology news, blogs, forums


Astrocat
#243605 20-Dec-2018 11:54

Hi,

Like most who look at the firewall logs, mine are littered with numerous attempts to connect to the public IP address assigned on port 22 and port 23.

Some people may want legitimate SSH traffic into the firewall; 99% of us do not, and the telnet port is just internet junk traffic from old devices.

Could Spark introduce an option to block ports we select before it hits our edge device?

I know this should be possible, as filtering of other ports already happens at the ISP level.

Many thanks



xpd
#2148312 20-Dec-2018 12:04

Won't happen - it would be too much cost for the firewall system, and maintenance etc. for those that do want ports allowed. Easier to leave it to the client to buy decent gear and control it themselves.





XPD / Gavin

Zeon
#2148328 20-Dec-2018 12:32

This is why you have a firewall :)







sbiddle
#2148353 20-Dec-2018 13:14

Vocus already do this on a number of their brands (Slingshot and Orcon being two), and there have then been numerous complaints on here from people about this because they believe it should be opt in, not opt out (opt in would be pointless, so there is no logic behind their arguments).

I see it being something more and more RSPs will do, due to people who don't understand security leaving devices on their networks with port forwards, or even worse, insecure devices due to UPnP. All the cameras on insecam.org are a classic example.


hio77
#2148357 20-Dec-2018 13:19

sbiddle:

Vocus already do this on a number of their brands (Slingshot and Orcon being two), and there have then been numerous complaints on here from people about this because they believe it should be opt in, not opt out (opt in would be pointless, so there is no logic behind their arguments).

I see it being something more and more RSPs will do, due to people who don't understand security leaving devices on their networks with port forwards, or even worse, insecure devices due to UPnP. All the cameras on insecam.org are a classic example.

This one made me laugh.

It is possible this could be looked at, but as noted there are both positives and negatives.

When you start adding in too many things, all on or all off no longer becomes an option and people want more detailed control.

Network folk I'm sure will comment further.

Realistically, ssh/telnet is rare to not have exposed on purpose...






#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have. 


Astrocat
#2148503 20-Dec-2018 18:33

Legitimate ssh and telnet access through a firewall is probably 0.01% of the public IPs in NZ; I am not condoning that these ports require pleading with Spark to be opened, as I experienced with port 25 over the years of different policies.

Yes, a firewall blocks this at the ingress and egress; however, as we all can see by the spam on these ports, many firewalls do not block the egress. Do I want my firewall logs full of this pointless chatter? No, and I am sure I speak for many: blocking by choice at the POTS level would be of benefit.

I would have thought that adding value to your internet service and providing something other than a pipe would be of benefit.



hio77
#2148571 20-Dec-2018 21:48

Astrocat:

Legitimate ssh and telnet access through a firewall is probably 0.01% of the public IPs in NZ; I am not condoning that these ports require pleading with Spark to be opened, as I experienced with port 25 over the years of different policies.

Just as it always has been, these ports are unblocked on the same base rule. So if you wanted to have ssh open, you would also have port 25 open.

That wouldn't be a light thing to change.

Astrocat:

Yes, a firewall blocks this at the ingress and egress; however, as we all can see by the spam on these ports, many firewalls do not block the egress. Do I want my firewall logs full of this pointless chatter? No, and I am sure I speak for many: blocking by choice at the POTS level would be of benefit.

I would have thought that adding value to your internet service and providing something other than a pipe would be of benefit.

I can understand the value in your eyes; the support effort such a block would create is also a thing to consider though.

It would be far easier to just tell your router: don't log those ports.





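A concrete version of the "tell your router not to log those ports" suggestion, and of the earlier complaint about logs full of port 22/23 chatter, as an added Python example that is not code from this thread or from any router vendor. It assumes the router emits dropped-packet lines in the netfilter/iptables kernel-log format (SRC=, DST=, PROTO=, DPT= fields), which most Linux-based home routers do; the sample log lines are constructed using documentation address ranges. The defender's point it illustrates is to fold the noise into a count rather than throw it away: a per-port tally of hits and distinct sources still records that scanning is happening, while the remaining log is short enough that an unusual entry stands out.

```python
"""Filter SSH/telnet scanning noise out of a router's firewall log.

Added example, not code from the Geekzone thread. Assumes netfilter-style
kernel log lines (SRC=, DST=, PROTO=, DPT=); the sample lines below are
constructed and use documentation IP ranges (192.0.2.0/24, 198.51.100.0/24,
203.0.113.0/24).
"""
import re
from collections import Counter, defaultdict

# Inbound TCP hits on these ports are treated as background scanning noise.
NOISE_PORTS = {22, 23}

# Extracts the fields we care about from a netfilter-style log line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"PROTO=(?P<proto>\w+)(?:\s+SPT=(?P<spt>\d+))?(?:\s+DPT=(?P<dpt>\d+))?"
)

# Constructed sample log: five SSH/telnet probes, one RDP probe, one ping,
# and one unrelated daemon message that is not a firewall line at all.
SAMPLE_LOG = """\
Dec 20 11:54:01 rtr kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=49 PROTO=TCP SPT=45000 DPT=22 SYN
Dec 20 11:54:03 rtr kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=49 PROTO=TCP SPT=45001 DPT=22 SYN
Dec 20 11:54:09 rtr kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=52 PROTO=TCP SPT=52211 DPT=23 SYN
Dec 20 11:55:12 rtr kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=52 PROTO=TCP SPT=52212 DPT=22 SYN
Dec 20 11:56:40 rtr kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=40 TTL=55 PROTO=TCP SPT=33210 DPT=23 SYN
Dec 20 11:57:05 rtr kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 LEN=40 TTL=60 PROTO=TCP SPT=40001 DPT=3389 SYN
Dec 20 11:58:30 rtr kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0
Dec 20 11:59:00 rtr dnsmasq[412]: started, version 2.80 cachesize 150
"""


def parse_line(line):
    """Return src/dst/proto/dpt for a firewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
    }


def split_noise(lines, noise_ports=NOISE_PORTS):
    """Separate TCP hits on the noise ports from everything else.

    Returns (kept_lines, noise) where noise maps (port, source IP) -> hit count.
    Lines that do not parse as firewall entries are kept, never silently lost.
    """
    kept = []
    noise = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] in noise_ports:
            noise[(rec["dpt"], rec["src"])] += 1
        else:
            kept.append(line)
    return kept, noise


def summarize_noise(noise):
    """Collapse per-source counts into {port: {"hits": n, "sources": k}}."""
    hits = Counter()
    sources = defaultdict(set)
    for (port, src), count in noise.items():
        hits[port] += count
        sources[port].add(src)
    return {p: {"hits": hits[p], "sources": len(sources[p])} for p in hits}


if __name__ == "__main__":
    kept, noise = split_noise(SAMPLE_LOG.splitlines())
    for port, stats in sorted(summarize_noise(noise).items()):
        print(f"port {port}: {stats['hits']} hits from {stats['sources']} sources (suppressed)")
    print("--- remaining log ---")
    for line in kept:
        print(line)
```

Run against a real router log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; only the `NOISE_PORTS` set and, if the router uses a different log format, `LOG_RE` need adjusting.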
chevrolux
#2148583 20-Dec-2018 22:13

I just don't get what the actual issue is...

Don't read your firewall logs... they aren't that interesting.

hio77
#2148587 20-Dec-2018 22:22

chevrolux: Don't read your firewall logs... they aren't that interesting.

How else do you know if Huawei is spying?







cbrpilot
Spark NZ
#2148588 20-Dec-2018 22:25

@Astrocat I hear what you are saying. Let's face it, there are many bots, hackers etc. which go scanning the internet looking for devices that have these ports open and seeing if they can get in (and what mischief they can get up to if they do get in). It would be great to block that traffic. Unfortunately there is enough legitimate traffic out there that this would likely be problematic to roll out and administer. The fact is that the >99% would get no benefit from such a policy too, as the default config in our modems and routers has these ports blocked (on the WAN interface) by default - and most (some crazy high number) of our customers use the routers we supply.

So in my personal opinion there is a very low benefit to rolling out a policy to block this traffic, and a moderate number of customers that would be negatively impacted by this change (i.e. not hundreds of thousands, but we're not talking just a handful here!). And those that were impacted would be highly impacted - they may have many sites they remotely manage etc. that would require an opt out.

While I appreciate the suggestion (and if you have others, always keen to hear how we could make the service better!) I hope you can understand why I'm not keen on this one.

Disclaimer: that is just my personal view and I can't claim to speak for all of Spark here.

Dave.





My views are my own, and may not necessarily represent those of my employer.


Hammerer
#2148589 20-Dec-2018 22:28

This is an absurd solution for the 21st century: a firewall that needs another firewall in front of it because the log reporting can't filter log entries.

 

Who knows? It's Christmas so the strangest of dreams can come true.


Talkiet
#2148679 21-Dec-2018 08:42

cbrpilot:

@Astrocat I hear what you are saying. Let's face it, there are many bots, hackers etc. which go scanning the internet looking for devices that have these ports open and seeing if they can get in (and what mischief they can get up to if they do get in). It would be great to block that traffic. Unfortunately there is enough legitimate traffic out there that this would likely be problematic to roll out and administer. The fact is that the >99% would get no benefit from such a policy too, as the default config in our modems and routers has these ports blocked (on the WAN interface) by default - and most (some crazy high number) of our customers use the routers we supply.

So in my personal opinion there is a very low benefit to rolling out a policy to block this traffic, and a moderate number of customers that would be negatively impacted by this change (i.e. not hundreds of thousands, but we're not talking just a handful here!). And those that were impacted would be highly impacted - they may have many sites they remotely manage etc. that would require an opt out.

While I appreciate the suggestion (and if you have others, always keen to hear how we could make the service better!) I hope you can understand why I'm not keen on this one.

Disclaimer: that is just my personal view and I can't claim to speak for all of Spark here.

Dave.

Ditto to this...

N





Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

