Verizon DSL traffic blocking explained
As is so often the case with networking problems, the firewall was the source of the Verizon DSL problem I wrote about recently.
I had experienced problems making outbound connections at two Verizon DSL business customers and was told by another Verizon DSL customer that they too had a similar problem.
The problem first came up when trying to use NetMeeting from a Verizon DSL customer to remotely control a computer. Despite there being no firewall on the receiving computer NetMeeting still couldn't make a connection. Even a simple ping of the target computer failed.
I suspected Verizon was the source of the problem when, a few days later, from another Verizon DSL customer, Real VNC failed to connect to a computer (another remote control attempt). Again, a ping of the target computer failed, but so too, did pings of websites such as yahoo.com, cnet.com and cbs.com that normally respond to pings (not all websites do).
When Verizon tech support and press relations made it clear that they don't block outgoing traffic, the problem had to be with the configuration of their modem/router.
In a standard consumer grade router, the firewall has a simple task: block all unsolicited incoming traffic. It doesn't try to govern outgoing traffic at all. Thus, any connection to the Internet that starts from a computer on the LAN is allowed. This is similar to the way the Windows XP firewall works, except that the XP firewall is likely to have some pre-defined holes in it.
The firewall in the Verizon Westell 7500 router/modem is more ambitious: it also tries to exert control over outgoing connections that originate from the LAN. In some circumstances this is a good thing, but it caused me problems.
The actions of firewalls are easily quantified. They control a TCP/IP networking concept: a port. Ports are assigned numbers ranging from zero up to roughly 65,000. Some port numbers are reserved for specific types of traffic, others can be used by any networking software for any purpose. For example, you requested this web page using port 80. When you request a secure web page you are using port 443.
To see this for yourself, try to go to www.cnet.com:80 (the ":80" may not show in your web browser status line when hovering over this link, but it is in the link). Everything works fine; the ":80" explicitly states that port 80 should be used. Normally, the port number is implied when using the HTTP protocol. If you use any port number other than 80, you'll get an error message from your browser rather than the CNET home page.
Each port is either:
-- inbound or outbound
-- used by TCP or UDP or both (low level protocols)
-- open, closed or stealthed (stealth is the best)
That's it. Everything a firewall is doing can be quantified with rules about ports that are allowed and ports that are blocked.
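As an added example (not code from the post, from Verizon, or from Steve Gibson's Shields Up!), the following Python script performs the same kind of TCP check that Shields Up! performs, but against your own machine's loopback interface, and names the result with the three states listed above. The mapping from socket outcome to state is my assumption: a completed handshake is "open", an immediate refusal (TCP RST) is "closed", and silence until the timeout is "stealthed". One caveat a practitioner should keep in mind: ping and traceroute use ICMP rather than TCP or UDP ports, so a TCP probe like this says nothing about why those two fail.

```python
import socket
from contextlib import closing
from typing import Dict, Optional, Tuple


def classify(outcome: Optional[BaseException]) -> str:
    """Map the result of one TCP connect attempt to the Shields Up! vocabulary.

    Assumed mapping (not from the page): no error -> open, connection refused
    (the host answered with RST) -> closed, timeout (no answer at all) -> stealthed.
    """
    if outcome is None:
        return "open"
    if isinstance(outcome, ConnectionRefusedError):
        return "closed"
    if isinstance(outcome, (socket.timeout, TimeoutError)):
        return "stealthed"
    return "unknown"


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a single TCP connection to host:port and name the resulting state."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return classify(None)
    except OSError as exc:  # ConnectionRefusedError and timeout are both OSError subclasses
        return classify(exc)


def start_listener() -> Tuple[socket.socket, int]:
    """Open a listening TCP socket on an ephemeral loopback port (our 'open' port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # the kernel completes handshakes from the backlog; no accept() needed
    return srv, srv.getsockname()[1]


def find_closed_port() -> int:
    """Bind and immediately release a loopback port so it is (very likely) unused."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, str]:
    """Probe one listening port and one unused port on loopback; constructed test input."""
    srv, open_port = start_listener()
    try:
        return {
            "open": probe("127.0.0.1", open_port),
            "closed": probe("127.0.0.1", find_closed_port()),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"expected {label:>6}: got {state}")
```

A "stealthed" result cannot be produced on loopback, because the local kernel always answers; you would only see it probing a host behind a firewall that drops rather than rejects packets, which is exactly the difference between the Westell's "closed" port 21 and the Belkin's fully stealthed ports described later in the post.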
The Verizon DSL problems that I experienced stemmed from Verizon's use of vague words to describe the functioning of the firewall. Nothing about the actions of the firewall in the Westell 7500 is explained in terms of ports. Thus, no one is sure exactly what the firewall is doing (I spoke to tech support twice).
When you configure the firewall in the Westell 7500, you get the choices shown below.
Take, for example, the "Minimum Security (Low)" setting which "allows all traffic except for known attacks". Is it allowing everything coming in or everything going out or both? And, what is a known attack? Firewalls control ports, not attacks. A given piece of malicious software may use one port number to phone home this week and a new variant can use a different port number next week.
Then it says "your modem is visible by other computers on the Internet". First off, the Westell 7500 is not just a modem; if it were, this posting wouldn't exist. Then, it's not clear if this means that no incoming ports are blocked or if it just means that the 7500 will respond to pings.
The bottom line is that these words have no meaning. Think of it as a gas station with pumps labeled "best", "medium" and "worst" without the octane rating.
In my case, the term "Typical Security (Medium)" tripped me up. That's what one modem was set to when I couldn't do ping or traceroute or Real VNC remote control. Lowering the setting to "Minimum Security (Low)" fixed the immediate problem.
What's the difference, in terms of ports being blocked, between Medium and Low? Even Verizon doesn't know.
In a scenario very reminiscent of WiFi routers shipping with encryption disabled, Verizon normally uses the "low" and "none" firewall settings. "Typical Security (Medium)" is not, according to tech support, typical. They rely on security software on the computers of their customers.
Shields Up!
A great service for testing ports is Shields Up! from Steve Gibson at grc.com. It too, pointed out how vague the firewall security description is.
With the Westell 7500 set to "Maximum Security (High)", Shields Up! reported that the FTP port (21) was closed rather than stealthed. This is not maximum security. The boring, ordinary, years-old, dusty Belkin router that sits between me and the Internet as I write this is, according to Shields Up!, fully stealthing all the common ports.
During a recent installation of a new Verizon business DSL line, the customer was not given a choice as to the equipment Verizon would provide. Later, tech support said they do offer dumb modems, presumably without firewalls. That may be the better way to go in terms of Defensive Computing, as it lets you choose a router with better documentation.
See a summary of all my Defensive Computing postings.
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET.
The issue is a config issue that is your problem and not Verizon's. Could they document it better? Of course, but your unprofessional, half-cocked accusation about Verizon blocking outgoing ports is not only embarrassing, but likely actionable. If you worked for a legitimate house of journalism you would likely be out of a job right now.
A few corrections:
"Some port numbers are reserved for specific types of traffic, others can be used by any networking software for any purpose. "
The reservation is not enforced. If CNET wanted to, they could bind HTTP to any port they want. I can bind FTP or one of my custom network applications on port 80 if I like.
From a security standpoint you can not make any assumptions about the type of traffic with only the port number. Anyone claiming to be a security expert should know this.
"For example, you requested this web page using port 80. When you request a secure web page you are using port 443"
Wrong, the client doesn't use port 80 to request a web page. I am sure you know this but your wording is a little off.
"What's the difference, in terms of ports being blocked, between Medium and Low? Even Verizon doesn't know."
Um, the previous paragraph explained a difference.
"Each port is either:
-- inbound or outbound
-- used by TCP or UDP or both (low level protocols)
-- open, closed or stealthed (stealth is the best)"
A port can run traffic inbound and outbound; it is not an exclusive or.
TCP and UDP are not low level protocols. They are below the application layer but above the physical, datalink and network layers. By definition TCP and UDP are not
Stealth is best? Between closed and stealth, stealth is better, but if you have even 1 open port it doesn't matter, since you can not stealth an open port, which should be obvious to you. Again, if you have 1 open port (and if you run a publicly accessible web service you do), putting the rest of the ports in stealth mode has no value. The point of stealth is to hide the fact that there is a machine bound to that IP address, and it is a trivial task to write a port scanner, much less download an existing one like Nessus. You have an outbound port open, guess what? Anyone can find out that a machine exists at that address.
http://onlinehelp.verizon.net/consumer/bin/pdf/ActiontecMI1424WRUserManual.pdf
check it out......
I had PeerGuardian updates blocked at medium security, but instead of switching to low, I looked in the security logs and unblocked what was blocked.
This is the only way I can run a traceroute:
--In the modem-admin UI, click Advanced in the top-level navbar and answer the "Do you want to proceed" warning with Yes.
--click on Diagnostics, enter the server address in the traceroute field and click Trace.
The page will reload when the trace is complete, and I find in Firefox on my computer (Mac) this blanks out the information you've been waiting for. Works fine in Safari.
Whether the inability to run a traceroute directly from my computer is a flag that I may run into some problems when attempting to collaborate with others over the Web, or to remotely administer a server, etc., remains to be seen. Very strange that a traceroute cannot get outside of my LAN with no firewall option set on the Westell piece o' junk.
by adeptevolution June 24, 2009 2:54 AM PDT
As a follow-up to the above, I got traceroute working through my Verizon DSL Westell modem by doing this:
log into the DSL modem.
click on Firewall Settings in top-level nav
click on DMZ Host in the sidebar, answer Yes
your public IP address is displayed. Click the Enable button
traceroutes from LAN clients will now work fine.
NOTE: I don't know much about security; there may be implications of enabling your modem as a DMZ host. In our case we use an Apple Airport Express as the bridge between the DSL modem and our LAN, and the Airport handles NAT addressing. Our Macs have their OS firewalls turned on. This is plenty good for our purposes, but enabling DMZ hosting on a Win network without a serious firewall outside the DMZ might be quite risky (as I understand it, this is just lightweight book knowledge!)