Zen Internet shocker

I'm gutted. My Idol has feet of clay.

I commissioned a new adsl connection from them, first of several to be
migrated. I checked and double checked that they implemented no port
blocking or traffic management.

Today, day one, I had a problem. THE problem. Accessing our Atlanta based
Exchange Server using Cached Exchange Mode. Checked again with customer and
business level support. "No we don't block any ports".

Spoke to them again an hour ago.

Me "currently I cannot telnet through port 135, 25 is ok"
Zen "we don't port block anything"
Me "ok try it yourself, here is my server IP............"
Zen "long pause"
Zen "hold music"
Zen "uhhhhhh it seems like we might block 135. you see there was this virus
outbreak......"
Me "<unrepeatable>"
Me "so for this account and this fixed IP range please open 135 and anything
else you might have inadvertently blocked"
Zen "uhhhhh it seems we can't do that, or wont"
Zen "is there anything else we can do for you today"
Me "YESSSS get me a fucking MAC code you worthless amateur cunts and stop
calling yourself a business broadband provider"

I need those Samurai swords. Badly.

*So can anyone recommend a *business* broadband provider that would rather
commit hari kiri than block port 135, 25 relay or any other fucking thing
ever invented?*

Don't say Bytel or you might be the second Turkey I kill for Christmas.

 

Fascinating bike-related post, there.

D.
--
des
French Biking Vocabulary: http://minilien.fr/a0kg0p

'Kaiser: "Can you prove to me the existence of G-d?"
Bismarck: "The Jews, your Majesty. The Jews"'

 

Beaming
http://www.beaming.biz/

Speak to Steve Ross He is a mine of very useful information.

--
Greybeard

FLHR -03 UK (95 cu-in Stg 2. Big Boy2!)
Trumpet Trophy 1200-03
Garmin Zumo 550, To get me home!

[email protected][dot]co[dot]uk

 

I wouldn't change ISP but why use a raw connection from server to server?
You could use a router to router vpn and pass the traffic through that and
then it won't be an issue.
The other route open to you (if it is Exchange 2003 and you are attempting
to access the server from a roaming client) is to use http access, no not
web client but RPC over HTTP:

http://support.microsoft.com/kb/833401

Of course the third option is to VPN in to the remote site and connect
through that.

 

This made I sad

 

Well, that's crap... there wasn't "this virus outbreak" those ports
135-139 have been blocked for absolute sodding yonks, and the fact isn't
exactly *hidden*
http://www.zensupport.co.uk/knowledgebase/article.aspx?id=10192
I can see your problem and your complaint and I can see the perspective
that a "business" supplier should give you full access to *everything*
and quite enough rope to hang yourself, or indeed prove yourself to the
be the genius you are
I do wonder how much traffic those ports generate and what impact they'd
have on usage allowances.
Hmm.

 

There is a better approch to this, which is also more secure, and that's
to setup windows to establish an L2TP/ipsec tunnel between the servers,
then you send the traffic over that. Not only will you be avoiding the
need to open 135 (and trust me when I say *not* a great idea) but you'll
also have a nice encrypted link for all that plaintext SMTP.

Here's some light reading.
http://technet.microsoft.com/en-us/library/bb742429.aspx

 

Well I realise there are traffic reasons to block these ports. The sales
pitch didn't highlight the fact though, I gave them every opportunity to
tell me. That pisses me off. What gets me royally hacked though is refusing
to open them for specific business customers. Shirly their routing equipment
has the IOS to enable.

I had searched their knowledge base but none of my strings had produced this
page, so thanks.

We own or are responsible for £shedloads of radiotherapy and diagnostic
cancer care equipment and systems, stupid **** ups like this reflect really
badly. Shit, if I admitted what this line was for... but no it's not for
public release.

A properly managed ISP does not need to block ports or traffic shape. They
manage the customers, monitor the network and only apply the screws when
people step out of line. FFS they might strangle P2P and NNTP but even the
uber assholes Tiscali don't strangle Exchange. That alone tells me that the
broadcast traffic is negligible.

I hope to get some sense out of them tomorrow when I have cooled off.

 

Thank you Ginge and Chris etc. I do not manage the server at the Yank end.
He who does can't even manage user rights correctly. Bog standard CEM is
where it's at.

 

Record the risk somewhere anyway... then when your server is
compromised, and it will be as it's just a matter of time, at least you
can go back and do the "told you so" thing.

....and they wonder how 2 DVD's full of peoples records go missing, when
even the IT professionals can't do security right.

 

It's quite secure enough and has run for years without incident. Really.

 

Sorry, but just because you haven't noticed a problem does not mean
something is secure or deployed the right way. Opening the DCOM port to
the outside world without encryption really is a half-arsed way of doing
things.

Don't take my word for it though, go and have a look how many
vulnerabilities there are around port 135.. with new ones coming along
all the time.

Let's put this into context, you'd think twice about using bath sealant
to seal the cylinder head on your 911, wouldn't you, even if it works?
Essentially it's the same kind of bodge you're proposing, but electronic
rather than mechanical.

Anyway, you've now got enough info to make sure it could be done the
right way, and it's not my concern... so, do what the **** you like.

 

I dropped them into the "Hell mend you" box some time ago. They should be
using a hosted exchange option.
They keep over 4 gb of files there too and access them using RD. They won't
be told.

 

Quite a bit. It's blocked outbound on any firewall I maintain as
Windows networks are generally awash with port 135 broadcasts.

Blame Windows DCOM (it's also the port that the Blaster worm used since
it's the endpoint of the DCOM/RPC mechanism).

Phil.

 

But you can see for a broadband connection, a pc connecting to a single
server elsewhere, the broadcast traffic is going to be minimal. That's what
I mean about being able to unmung the connection for appropriate users on
request. I think I would only need outgoing traffic enabled too.

 

It's also a big vulnerability. And if the Windows PC gets infected then
it starts spewing stuff out on port 135 and infecting other stuff on
port 135. You would be amazed at how many port probes happen from
within the 'local' (ie within the ISP space) on most 'business' ISPs.

One of the worst was Easynet back in my last job - I could sit there
and watch the firewall logs wizzing by. I switched off the event
logging on most of the Windows ports eventually.

It's pretty poor that they can't switch it off for people who
demonstrate a clue. I'm not yet convinced that you come into that
category yet though. For example - what firewalling do you have in
place? Is it just perimeter security or are there intrusion detection
measures inside your network?
Network security isn't just "stick a firewall in and we're done"..

Phil.

 

Well see my other comments about watching your customers activity!

<ignores>

 

While it's not their responsibility to protect peoples networks it *is*
their responsibility to manage their network. And blocking port 135 is
part of that. If I were them I'd be blocking port 25 too (and all the
Microsoft Netbios ports) unless specifically requested to open them.

But I'd make it pretty plain that I was doing it - and what the
procedure was for getting the ports unlocked. Nildram used to do this
(all their DSL lines were supplied with port 25 blocked and they would
only unblock it once they were happy that you were not running an open
relay) and I was happy for them to do it. At least it meant that I
didn't get deluged with spam from the local network.

<Point proven>

Phil.

 

You are restating what I have said a B2B ISP should be all about. Choice for
responsible customers.

Maybe it's an NI thing but I don't think we had more than one or two
customer "events" a year.

 

we use BT for our MPLS connection - they've been fine. I don't suppose
that answers your question, though.