topic Re: PlusNet Firewall - Port Blocking Suggestions in Plusnet Feedback

PlusNet Firewall - Port Blocking Suggestions

andyleemeuk — Thu, 11 Apr 2013 09:23:27 GMT

Dear Plus Net Admin Guru's,
Firstly, thank you for providing a set of Server side firewall settings which can be chosen and set up by the user and I have some suggestions to improve the service...
1. Add uPnP to the list of ports blocked in both the "low" and "High" protocol settings. These ports, as you will be aware, are for use inside a network only and should never be open on the public facing side of the network. However, a recent exploit (set out in great detail on the Security Now Podcast - Episode 389 http://twit.tv/show/security-now/389 and by Rapid 7 in their report (NB: Download link) http://bit.ly/upnpflaws) detail that worldwide there are some 81 million routers which open uPnP to the "public" facing side of the internet and therefore allow the network to be attacked remotly by some unscrupulous individuals.
If PlusNet blocked UDP port 1900 and TCP port 2869 in both the "low" and "High" protocol settings this would prevent any attack on a vulnerable Plus Net user without any issues to the users connection... these ports should not be functional on the public facing side in any event!!
Rapid 7's recommendations to ISP's in light of this exploit was:

Quote
Internet Service Providers
ISPs should review any equipment that they are providing to subscribers to verify that UPnP is not exposed on the WAN interface.
If the equipment is affected, one of the following solutions should be considered:
Pushing a configuration update that disables UPnP across the subscriber base

Pushing a software update that removes UPnP capabilities from the device

Replacing customer equipment with a device that can be configured securely

Implementing network-wide ACLs for UDP port 1900 and specific TCP ports

Implementing the network wide block on uPnP seems like a sensible and quick way of protecting Plus Net users from this exploit.
2. Turn on the firewall to low by default for all subscribers and e-mail them all to suggest that High may be a more appropriate setting for them.
Many thanks
Andy

Re: PlusNet Firewall - Port Blocking Suggestions

alanf — Thu, 11 Apr 2013 09:58:57 GMT

I don't think much of our chances getting this suggestion implemented. Four years ago it was discovered that the firewall was turned off each time one changed product. In February 2013 I discovered that this was still the case.
http://community.plus.net/forum/index.php/topic,74679.0.html

Re: PlusNet Firewall - Port Blocking Suggestions

adamwalker — Thu, 11 Apr 2013 11:09:09 GMT

Thanks for the feedback and the suggestion about that.

Re: PlusNet Firewall - Port Blocking Suggestions

MsDizzie — Mon, 13 May 2013 16:10:18 GMT

Well it's still the case. I changed product recently and read through the list of "closed questions" that are generated (8 on total) on Help Assistant - Your Questions
Service Notification
1:49am, Saturday 11 May 2013
The customer\'s firewall settings have been updated to \"Firewall off\"
The generated email should direct the customer to check the "closed questions" to make sure everything is OK.
(The Plusnet internal ticket is/was #74543)

Re: PlusNet Firewall - Port Blocking Suggestions

Anotherone — Tue, 14 May 2013 17:55:44 GMT

Well I've asked for an update on the issue of the Firewall being off on New/Change of Product.

Re: PlusNet Firewall - Port Blocking Suggestions

npr — Tue, 14 May 2013 22:35:47 GMT

What I would like to see is a setting to truly block P2P traffic.
Can't not be done successfully with a simple port filter it needs something much more sophisticated. But Plusnet must have the necessary technology as they can traffic manage P2P traffic.
The reason I suggest this is I see lots of posts (in other forums) asking how to stop someone on the home network from using P2P, hogging the bandwidth, and disrupting everyone else's internet. It's often from someone in student accommodation
I'm sure such a system would be a good marketing point for the ISP.
eg stop one person hogging the bandwidth, downloading questionable material and leaving the owner responsible etc.

Re: PlusNet Firewall - Port Blocking Suggestions

Anonymous — Tue, 14 May 2013 22:45:37 GMT

Isn't that what the "Safe Surf Option" is supposed to do ?

Re: PlusNet Firewall - Port Blocking Suggestions

Anotherone — Tue, 14 May 2013 23:18:27 GMT

It's supposed to, but as has been pointed out before, you can configure your own ports in some P2P software. Whilst Safe Surf might stop the basic stuff and perhaps average youngsters from doing P2P, the clever buggers will soon find ways round it and tell their less clever mates. So, I quite like npr's idea, but I think it ought to be part of a modified Safe Surf rather than the Firewall.
What I would like to see with the Firewall would be a sort of Super High setting which blocks all incoming ports to all protocols but allows the user to configure which ports and protocols to open.

Re: PlusNet Firewall - Port Blocking Suggestions

MsDizzie — Tue, 14 May 2013 23:36:12 GMT

Quote from: Anotherone
Well I've asked for an update on the issue of the Firewall being off on New/Change of Product.

So you have Anotherone and I missed it!. Anyway, I was just trying to highlight that we would like a response from Plusnet to see what's happening on this particular issue that's been outstanding for a few years!!!
I assumed Safe Surf was targeted at families, but I can see that bandwidth hogs etc in a household can cause a few problems too.

Re: PlusNet Firewall - Port Blocking Suggestions

npr — Wed, 15 May 2013 09:00:21 GMT

@purleigh,
Thanks I wasn't aware of PN's safe surf, only been here a few months.
I've now had a look and am sorry to say I find it a tad under whelming. IMO it's too basic to block most P2P software, in fact it will not even block my own usenet connection.
Sorry for the rant, but I feel strongly about security software which promises what it's can't deliver is just another form of malware IMO.

Re: PlusNet Firewall - Port Blocking Suggestions

Anotherone — Wed, 15 May 2013 09:15:42 GMT

That's hardly a Rant, and as I said in reply #7 it is very basic, so if your suggestion was used to Upgrade it, that would be good!

Re: PlusNet Firewall - Port Blocking Suggestions

npr — Wed, 15 May 2013 09:34:15 GMT

Quote from: Anotherone
That's hardly a Rant,

What I left unsaid was
In truth I'm disgusted with PN for promising the following which "safe surf" can not possibly deliver.

Quote
" Set My Safe Surf Option
Turning on Safe Surf gives you added online security by blocking unwanted network traffic. It stops access to Peer-to-Peer software or binary USENET on your account, but still lets you get online to surf, chat, email and play games."

May have been true 20 years ago but not now.

Re: PlusNet Firewall - Port Blocking Suggestions

Anotherone — Wed, 15 May 2013 09:41:01 GMT

But it does go on to say (at the bottom of the page)

Quote
Please note: We can’t guarantee that Safe Surf will block all Peer-to-Peer and USENET traffic. Some Peer-to-Peer applications can be set to use a different port if the common port is blocked.

but that's not really an excuse for not upgrading it, especially these days when attacks are getting more sophisticated!

Re: PlusNet Firewall - Port Blocking Suggestions

Anonymous — Wed, 15 May 2013 10:27:37 GMT

@npr, unfortunately I have never investigated P2P so can't help any further with this discussion, but is it worth you outlining here what you would consider adequate measures and how it might be done, so that we can discuss and compare that with the existing "Safe Surf" feature, and try and encourage Plusnet to improve it in such a way that you and other forum contributors would like to see P2P blocking implemented.

Re: PlusNet Firewall - Port Blocking Suggestions

npr — Wed, 15 May 2013 12:45:12 GMT

Quote from: Anotherone
But it does go on to say (at the bottom of the page)

Yes, for me, that just confirms Plusnet know they are over egging their description of what "safe surf" will do.
@purleigh
Sorry that's getting beyond my experience.
I do know it's beyond a simple port blocking firewall though.