Zen Internet shocker

Discussion in 'UK Motorcycles' started by Hog, Dec 13, 2007.

  1. Hog

    Hog Guest

    I'm gutted. My Idol has feet of clay.

    I commissioned a new adsl connection from them, first of several to be
    migrated. I checked and double checked that they implemented no port
    blocking or traffic management.

    Today, day one, I had a problem. THE problem. Accessing our Atlanta based
    Exchange Server using Cached Exchange Mode. Checked again with customer and
    business level support. "No we don't block any ports".

    Spoke to them again an hour ago.

    Me "currently I cannot telnet through port 135, 25 is ok"
    Zen "we don't port block anything"
    Me "ok try it yourself, here is my server IP............"
    Zen "long pause"
    Zen "hold music"
    Zen "uhhhhhh it seems like we might block 135. you see there was this virus
    outbreak......"
    Me "<unrepeatable>"
    Me "so for this account and this fixed IP range please open 135 and anything
    else you might have inadvertently blocked"
    Zen "uhhhhh it seems we can't do that, or won't"
    Zen "is there anything else we can do for you today"
    Me "YESSSS get me a fucking MAC code you worthless amateur cunts and stop
    calling yourself a business broadband provider"

    I need those Samurai swords. Badly.

    *So can anyone recommend a *business* broadband provider that would rather
    commit hara-kiri than block port 135, 25 relay or any other fucking thing
    ever invented?*

    Don't say Bytel or you might be the second Turkey I kill for Christmas.
     
    Hog, Dec 13, 2007
    #1

  2. Hog

    Des Guest

    Fascinating bike-related post, there.

    D.
    --
    des
    French Biking Vocabulary: http://minilien.fr/a0kg0p

    'Kaiser: "Can you prove to me the existence of G-d?"
    Bismarck: "The Jews, your Majesty. The Jews"'
     
    Des, Dec 13, 2007
    #2

  3. Hog

    Greybeard Guest

    Beaming
    http://www.beaming.biz/

    Speak to Steve Ross. He is a mine of very useful information.

    --
    Greybeard

    FLHR -03 UK (95 cu-in Stg 2. Big Boy2!)
    Trumpet Trophy 1200-03
    Garmin Zumo 550, To get me home!

     
    Greybeard, Dec 13, 2007
    #3
  4. Hog

    Chris Dugan Guest

    I wouldn't change ISP but why use a raw connection from server to server?
    You could use a router to router vpn and pass the traffic through that and
    then it won't be an issue.
    The other route open to you (if it is Exchange 2003 and you are attempting
    to access the server from a roaming client) is to use http access, no not
    web client but RPC over HTTP:

    http://support.microsoft.com/kb/833401

    Of course the third option is to VPN in to the remote site and connect
    through that.
     
    Chris Dugan, Dec 13, 2007
    #4
  5. Hog

    cat Guest

    This made I sad :(
     
    cat, Dec 13, 2007
    #5
  6. Hog

    cat Guest

    Well, that's crap... there wasn't "this virus outbreak"; those ports
    135-139 have been blocked for absolute sodding yonks, and the fact isn't
    exactly *hidden*:
    http://www.zensupport.co.uk/knowledgebase/article.aspx?id=10192
    I can see your problem and your complaint and I can see the perspective
    that a "business" supplier should give you full access to *everything*
    and quite enough rope to hang yourself, or indeed prove yourself to be
    the genius you are :p
    I do wonder how much traffic those ports generate and what impact they'd
    have on usage allowances.
    Hmm.
     
    cat, Dec 13, 2007
    #6
  7. Hog

    ginge Guest

    There is a better approach to this, which is also more secure, and that's
    to set up Windows to establish an L2TP/IPsec tunnel between the servers,
    then you send the traffic over that. Not only will you be avoiding the
    need to open 135 (and trust me when I say *not* a great idea) but you'll
    also have a nice encrypted link for all that plaintext SMTP.

    Here's some light reading.
    http://technet.microsoft.com/en-us/library/bb742429.aspx
     
    ginge, Dec 13, 2007
    #7
  8. Hog

    Hog Guest

    Well I realise there are traffic reasons to block these ports. The sales
    pitch didn't highlight the fact though, I gave them every opportunity to
    tell me. That pisses me off. What gets me royally hacked though is refusing
    to open them for specific business customers. Shirly their routing equipment
    has the IOS to enable.

    I had searched their knowledge base but none of my strings had produced this
    page, so thanks.

    We own or are responsible for £shedloads of radiotherapy and diagnostic
    cancer care equipment and systems, stupid **** ups like this reflect really
    badly. Shit, if I admitted what this line was for... but no it's not for
    public release.

    A properly managed ISP does not need to block ports or traffic shape. They
    manage the customers, monitor the network and only apply the screws when
    people step out of line. FFS they might strangle P2P and NNTP but even the
    uber assholes Tiscali don't strangle Exchange. That alone tells me that the
    broadcast traffic is negligible.

    I hope to get some sense out of them tomorrow when I have cooled off.
     
    Hog, Dec 14, 2007
    #8
  9. Hog

    Hog Guest

    Thank you Ginge and Chris etc. I do not manage the server at the Yank end.
    He who does can't even manage user rights correctly. Bog standard CEM is
    where it's at.
     
    Hog, Dec 14, 2007
    #9
  10. Hog

    ginge Guest

    Record the risk somewhere anyway... then when your server is
    compromised, and it will be as it's just a matter of time, at least you
    can go back and do the "told you so" thing.

    ....and they wonder how 2 DVDs full of people's records go missing, when
    even the IT professionals can't do security right.
     
    ginge, Dec 14, 2007
    #10
  11. Hog

    Hog Guest

    It's quite secure enough and has run for years without incident. Really.
     
    Hog, Dec 14, 2007
    #11
  12. Hog

    ginge Guest

    Sorry, but just because you haven't noticed a problem does not mean
    something is secure or deployed the right way. Opening the DCOM port to
    the outside world without encryption really is a half-arsed way of doing
    things.

    Don't take my word for it though, go and have a look how many
    vulnerabilities there are around port 135.. with new ones coming along
    all the time.

    Let's put this into context, you'd think twice about using bath sealant
    to seal the cylinder head on your 911, wouldn't you, even if it works?
    Essentially it's the same kind of bodge you're proposing, but electronic
    rather than mechanical.

    Anyway, you've now got enough info to make sure it could be done the
    right way, and it's not my concern... so, do what the **** you like. :)
     
    ginge, Dec 14, 2007
    #12
  13. Hog

    Hog Guest

    I dropped them into the "Hell mend you" box some time ago. They should be
    using a hosted exchange option.
    They keep over 4 GB of files there too and access them using RD. They won't
    be told.
     
    Hog, Dec 14, 2007
    #13
  14. Hog

    Phil Launchbury Guest

    Quite a bit. It's blocked outbound on any firewall I maintain as
    Windows networks are generally awash with port 135 broadcasts.

    Blame Windows DCOM (it's also the port that the Blaster worm used since
    it's the endpoint of the DCOM/RPC mechanism).

    Phil.
     
    Phil Launchbury, Dec 17, 2007
    #14
  15. Hog

    Hog Guest

    But you can see for a broadband connection, a pc connecting to a single
    server elsewhere, the broadcast traffic is going to be minimal. That's what
    I mean about being able to unmung the connection for appropriate users on
    request. I think I would only need outgoing traffic enabled too.
     
    Hog, Dec 17, 2007
    #15
  16. Hog

    Phil Launchbury Guest

    It's also a big vulnerability. And if the Windows PC gets infected then
    it starts spewing stuff out on port 135 and infecting other stuff on
    port 135. You would be amazed at how many port probes happen from
    within the 'local' (i.e. within the ISP space) on most 'business' ISPs.

    One of the worst was Easynet back in my last job - I could sit there
    and watch the firewall logs whizzing by. I switched off the event
    logging on most of the Windows ports eventually.
    It's pretty poor that they can't switch it off for people who
    demonstrate a clue. I'm not yet convinced that you come into that
    category yet though. For example - what firewalling do you have in
    place? Is it just perimeter security or are there intrusion detection
    measures inside your network?
    Network security isn't just "stick a firewall in and we're done"..

    Phil.
     
    Phil Launchbury, Dec 17, 2007
    #16
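    As an added example that is not part of this thread, here is a small log
    summariser in the spirit of Phil's "watching the firewall logs whizzing by":
    it parses netfilter-style DROP lines and reports how much of the port-135 and
    NetBIOS probing comes from inside a hypothetical ISP customer range versus the
    wider internet. The sample log lines, the ISP range and the script itself are
    all constructed assumptions, not anything from Zen or from the posters.

```python
import ipaddress
import re
from collections import Counter

# Ports discussed in the thread: DCOM/RPC endpoint mapper (135) and NetBIOS/SMB.
WINDOWS_PORTS = {135, 137, 138, 139, 445}

# Hypothetical ISP customer range (an assumption, not any real allocation).
ISP_SPACE = [ipaddress.ip_network("10.20.0.0/16")]

# Matches netfilter LOG output; only DROP lines are counted, ACCEPT lines are ignored.
LOG_RE = re.compile(r"\bDROP\b.*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

# Constructed sample lines (not real traffic): probes from inside and outside the ISP.
SAMPLE_LOG = """\
Dec 17 09:12:01 fw kernel: DROP IN=eth0 SRC=10.20.1.15 DST=10.20.7.9 PROTO=TCP SPT=4123 DPT=135
Dec 17 09:12:03 fw kernel: DROP IN=eth0 SRC=10.20.1.15 DST=10.20.7.9 PROTO=TCP SPT=4124 DPT=445
Dec 17 09:12:09 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=10.20.7.9 PROTO=TCP SPT=51000 DPT=135
Dec 17 09:12:15 fw kernel: DROP IN=eth0 SRC=10.20.3.200 DST=10.20.7.9 PROTO=UDP SPT=137 DPT=137
Dec 17 09:12:20 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=10.20.7.9 PROTO=TCP SPT=40000 DPT=25
Dec 17 09:12:31 fw kernel: DROP IN=eth0 SRC=10.20.1.15 DST=10.20.7.9 PROTO=TCP SPT=4125 DPT=135
"""


def parse_drop(line):
    """Return (src_ip, proto, dport) for a dropped hit on a Windows port, else None."""
    m = LOG_RE.search(line)
    if not m or int(m.group("dpt")) not in WINDOWS_PORTS:
        return None
    return ipaddress.ip_address(m.group("src")), m.group("proto"), int(m.group("dpt"))


def summarise(log_text, isp_space=ISP_SPACE):
    """Count dropped probes per (src, proto, dport), split by source inside/outside the ISP."""
    inside, outside = Counter(), Counter()
    for line in log_text.splitlines():
        hit = parse_drop(line)
        if hit is None:
            continue
        src, proto, dport = hit
        bucket = inside if any(src in net for net in isp_space) else outside
        bucket[(str(src), proto, dport)] += 1
    return {"inside_isp": inside, "outside_isp": outside}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(sum(s["inside_isp"].values()), "probes from inside the ISP,",
          sum(s["outside_isp"].values()), "from outside:", dict(s["inside_isp"]))
```

    On the constructed sample the bulk of the dropped Windows-port traffic comes
    from inside the ISP range, which is the pattern Phil describes.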
  17. Hog

    Hog Guest

    Well see my other comments about watching your customers' activity!
    <ignores>
     
    Hog, Dec 17, 2007
    #17
  18. Hog

    Phil Launchbury Guest

    While it's not their responsibility to protect people's networks it *is*
    their responsibility to manage their network. And blocking port 135 is
    part of that. If I were them I'd be blocking port 25 too (and all the
    Microsoft Netbios ports) unless specifically requested to open them.

    But I'd make it pretty plain that I was doing it - and what the
    procedure was for getting the ports unlocked. Nildram used to do this
    (all their DSL lines were supplied with port 25 blocked and they would
    only unblock it once they were happy that you were not running an open
    relay) and I was happy for them to do it. At least it meant that I
    didn't get deluged with spam from the local network.
    <Point proven>

    Phil.
     
    Phil Launchbury, Dec 17, 2007
    #18
  19. Hog

    Hog Guest

    You are restating what I have said a B2B ISP should be all about. Choice for
    responsible customers.

    Maybe it's an NI thing but I don't think we had more than one or two
    customer "events" a year.
     
    Hog, Dec 17, 2007
    #19
  20. Hog

    darsy Guest

    we use BT for our MPLS connection - they've been fine. I don't suppose
    that answers your question, though.
     
    darsy, Dec 17, 2007
    #20