ISP blocked Outlook port 135, but I wanna use programs that run off of port 135

DGath

Senior member
Jul 5, 2003
417
0
0
Long story short, because of the blaster worms and stuff, my local cable company (my ISP) blocked port 135, but I wanna use outlook with my University's exchange server, which runs off of port 135. How can I get around this? I work in the dorm tech support office, so getting a server on this side of the connection isn't a big deal at all. I understand that there are endless ways I could do this, but is there any relatively simple way to do it? On my linksys router at home, I can change any activity on port 135 to any other port, but what I wanna do is once that information hits a server on the university side, it'll transfer it back to 135 and talk to the exchange server, then send the info back the same way it came.

Hope that made sense, any help would be great!
 

DGath

Senior member
Jul 5, 2003
417
0
0
lol, I would if that was possible. Cable company is only broadband provider in this city and I'm sure as hell not going back to dial-up. I could use a dial-up account just for outlook, but now that I think about it, I don't even think there is a modem in my computer, and it's not worth the $20 a month.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Hack the firewall. Pay for, setup, and use a proxy. Politely ask the ISP to change their policy (after making sure you are protected from the worms). Demand the ISP change their policy (before getting hit with one of the worms). Don't use crappy email products. Use the Exchange webmail thingy (unless you are using Exchange 5.5 or lower, if you are just shoot yourself in the foot, it's less painful).
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
The biggest problem you might encounter is that you probably don't have a static IP. You can do port forwarding on your end and on the uni's end, but you probably don't want to forward port 1234 for everyone to port 135 on the exchange server side. Ideally, you'd want to set it up to forward port 1234 traffic coming from only your IP to port 135 on the exchange server. Exchange might even have issues with port forwarding, I don't know, but it definitely would not surprise me.

Perhaps the best way to do it is to VPN into your university, ISPs won't see that you're using port 135 if it's tunneled through a VPN tunnel.

Or else, as mentioned above, change ISPs.

Edited for clarity.
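Added example (not code from anyone in this thread): the arrangement Boscoh describes, a relay box on the university side that accepts on a high port and hands the connection to the Exchange listener, but only for a fixed source address, so port 135 is never exposed to the whole internet. Everything here binds to 127.0.0.1 so it runs offline; the "Exchange" side is a constructed echo server standing in for the real service, and the addresses, port numbers and function names are this example's own assumptions.

```python
"""Source-restricted TCP relay: accept on a high port, forward to the target
service, but only for peers on an allowlist. Loopback-only demo; the service
behind the relay is a constructed echo server, not a real Exchange listener."""
import socket
import threading
from typing import Iterable, List, Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src sends EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener(port: int = 0) -> Tuple[socket.socket, int]:
    """Bind a loopback listener on `port` (0 = any free port); return (socket, port)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", port))
    lsock.listen(16)
    return lsock, lsock.getsockname()[1]


def start_echo_server() -> int:
    """Constructed stand-in for the service behind the relay (echoes its input).
    Returns the port it listens on."""
    lsock, port = _listener()

    def serve() -> None:
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port


def start_relay(target_host: str, target_port: int,
                allowed_sources: Iterable[str], log: List[str],
                listen_port: int = 0) -> int:
    """Listen on listen_port and relay to target_host:target_port, but only for
    peers whose address is in allowed_sources. Everyone else is dropped at
    accept time, before a single byte reaches the target; each decision is
    appended to `log`. Returns the port the relay listens on."""
    allowed = set(allowed_sources)
    lsock, port = _listener(listen_port)

    def serve() -> None:
        while True:
            client, (peer_ip, _) = lsock.accept()
            if peer_ip not in allowed:
                log.append(f"REFUSED {peer_ip} -> :{port}")
                client.close()
                continue
            log.append(f"ALLOWED {peer_ip} -> :{port} -> {target_host}:{target_port}")
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port


def send_through(port: int, payload: bytes, timeout: float = 3.0) -> bytes:
    """Client side: connect to the relay, send payload, half-close, and return
    whatever comes back. b"" means the relay refused the connection."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
    except OSError:
        return b""


if __name__ == "__main__":
    exchange_port = start_echo_server()
    decisions: List[str] = []
    relay_port = start_relay("127.0.0.1", exchange_port, {"127.0.0.1"}, decisions)
    print(send_through(relay_port, b"hello exchange"))  # echoed back through the relay
    print(decisions)
```

The allowlist check happens right after `accept()`, so a refused peer never gets a byte relayed, and the log line is what you would feed to whatever watches the relay box. With a dynamic home address the allowlist entry has to be updated whenever the ISP hands out a new lease, which is the weakness Boscoh is pointing at.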
 

nightowl

Golden Member
Oct 12, 2000
1,935
0
0
The university that I go to did the same thing. The way around this where I go to school is to VPN into the campus network. That is why the VPN is there. Maybe your university has the same option???
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: nightowl
The university that I go to did the same thing. The way around this where I go to school is to VPN into the campus network. That is why the VPN is there. Maybe your university has the same option???

VPNs the demise of all network security.
 

AFB

Lifer
Jan 10, 2004
10,718
3
0
Originally posted by: spidey07
Originally posted by: nightowl
The university that I go to did the same thing. The way around this where I go to school is to VPN into the campus network. That is why the VPN is there. Maybe your university has the same option???

VPNs the demise of all network security.

I'm going to use that for my sig :)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: amdfanboy
Originally posted by: spidey07
Originally posted by: nightowl
The university that I go to did the same thing. The way around this where I go to school is to VPN into the campus network. That is why the VPN is there. Maybe your university has the same option???

VPNs the demise of all network security.

I'm going to use that for my sig :)

:)

Well they are. And now that we have SSL-based VPNs there's nothing we can do to stop it...it bypasses any and all security in place. I've spent the last year doing work and trying to stop more outbreaks of Blaster, Nimda, etc. I just fear that someday somebody's gonna write one that will wipe out everything.

Just think if Blaster actually did harm to information/hard drives/data. Sure you could recover but WOW that would be a lot of work.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
VPNs suck as far as security is concerned.

But given the right tools you can make VPN moderately secure. About as much so as an email system that does not have every attachment blocked.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: spidey07
Originally posted by: amdfanboy
Originally posted by: spidey07
Originally posted by: nightowl
The university that I go to did the same thing. The way around this where I go to school is to VPN into the campus network. That is why the VPN is there. Maybe your university has the same option???

VPNs the demise of all network security.

I'm going to use that for my sig :)

:)

Well they are. And now that we have SSL-based VPNs there's nothing we can do to stop it...it bypasses any and all security in place. I've spent the last year doing work and trying to stop more outbreaks of Blaster, Nimda, etc. I just fear that someday somebody's gonna write one that will wipe out everything.

Just think if Blaster actually did harm to information/hard drives/data. Sure you could recover but WOW that would be a lot of work.

Put a firewall and IPS between the VPN endpoint and the network. An inline IDS can sometimes (if you buy the right one) shut down attacks, and might save you some work ;)
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
...and if the IPS doesn't know about a particular worm that just came out, you're screwed.

That's why in order to completely secure VPN, you simply take it away. :D

In a perfect world, however, you'd have managed personal firewalls and antivirus software on every VPN'd client device with policy enforcement in place, extended authentication with downloadable ACLs that permitted ONLY what that client was allowed to access down to an address/protocol/port level, and behavioral-based host intrusion prevention software. In a perfect world, everything would work as advertised...but that's in a perfect world.

SSL is a completely different ballgame, though. IPSs, xauth w/ downloadable ACLs, and behavioral-based HIPS on your network are about as far as you can go I believe.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Boscoh
...and if the IPS doesn't know about a particular worm that just came out, you're screwed.

Chances are someone isn't updating the rules properly then. Rules for the IDS systems I have paid attention to come out pretty quickly. ;)

But that is definitely a good point.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: n0cmonkey
Originally posted by: Boscoh
...and if the IPS doesn't know about a particular worm that just came out, you're screwed.

Chances are someone isn't updating the rules properly then. Rules for the IDS systems I have paid attention to come out pretty quickly. ;)

But that is definitely a good point.

noc,

I'm talking about client based VPNs.

Case in point:
Consultant plugs into internal network (that has some internal protection, IDS, etc)
Consultant makes SSL VPN connection to his home office.
Guy gets worm.
Worm is now on the inside.
Worm now has a "scope of attack" and the only thing you can do is limit the scope of the attack.

I'm actually going to be rolling out 802.1x security this year. No ID, no firewall, no updated virus, not company PC, you will not talk on our network.

Draconian I know but that's what we want.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
We have all outbound VPN access blocked, unless you've specifically gained permission (and have been set up) to use one. The source address and destination address are fixed ... any variation and you don't get out (or in). I believe in addition, the VPN machine is also isolated to a "Quarantine" LAN with additional precautions.

For the support folks that need to get to a variety of endpoints (customer systems), they use a completely separate PC on a completely separate LAN. Those machines are patched and scanned-to-the-teeth because many of the problems those guys fix are related to Worm/Virus problems (the VoIP team).

The liabilities associated with "Your support people just infected our network!" necessitate the hassle.

This would also be a good scenario for L3 switching to the desktop with thirty-bit masks. At the very least, compartmentalization of the problem segment has minimal effect on the other users. Most worms/viruses start scanning within the host's address block. If the system tracks excessive PING traffic and acts on it before the probe phase, most infections can be avoided or rapidly contained.


But, of course, once you come up with a foolproof system, someone will come up with a better fool. It's a never-ending battle.

Just random thoughts. I haven't seen it in action yet ... I think it ought to work though.....


FWIW

Scott
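Added example (not code from ScottMac or anyone else in this thread): the "track excessive PING traffic and act before the probe phase" idea from the post above, worked through as detection logic over constructed flow records. It counts how many distinct neighbours in a host's own /24 it has touched inside a sliding window and raises once, at the record that crosses the threshold, reporting which protocol it was caught on (ICMP means it was caught during the sweep, before any tcp/135 probing). The record format, the addresses (10.20.5.0/24, 192.0.2.80), the window and the threshold are this example's own assumptions.

```python
"""Catch a host sweeping its own address block before it reaches the probe phase.
Added example over constructed flow records; format and thresholds are assumptions."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# One flow record per line: "<ISO time> <src> <dst> <proto> <dport|->" (constructed format).
Flow = Tuple[datetime, str, str, str, Optional[int]]


def parse_flow(line: str) -> Flow:
    """Parse one record into (time, src, dst, proto, dport); dport is None for ICMP."""
    ts, src, dst, proto, dport = line.split()
    return (datetime.fromisoformat(ts), src, dst, proto,
            None if dport == "-" else int(dport))


def build_sample_flows() -> List[str]:
    """Constructed sample traffic (placeholder addresses, not real hosts):
    10.20.5.42 does ordinary mail/web/DNS work; 10.20.5.17 is infected, pings
    30 neighbours in 10.20.5.0/24 within 3 seconds, then probes tcp/135."""
    base = datetime(2003, 9, 1, 10, 0, 0)
    lines = []
    for i, (dst, dport) in enumerate([("10.20.5.10", 135), ("10.20.5.10", 135),
                                      ("192.0.2.80", 80), ("10.20.5.53", 53)]):
        lines.append(f"{(base + timedelta(seconds=15 * i)).isoformat()} "
                     f"10.20.5.42 {dst} tcp {dport}")
    for n in range(1, 31):  # ping sweep: one neighbour every 100 ms
        lines.append(f"{(base + timedelta(milliseconds=100 * n)).isoformat()} "
                     f"10.20.5.17 10.20.5.{n} icmp -")
    for n in range(1, 11):  # probe phase: tcp/135 to the hosts that answered
        lines.append(f"{(base + timedelta(seconds=5, milliseconds=100 * n)).isoformat()} "
                     f"10.20.5.17 10.20.5.{n} tcp 135")
    return lines


def detect_sweeps(lines: List[str], window: timedelta = timedelta(seconds=10),
                  max_peers: int = 20, prefixlen: int = 24
                  ) -> Dict[str, Tuple[datetime, str, int]]:
    """Flag every source that contacts more than max_peers distinct addresses
    inside its own /prefixlen within `window`. Each source is reported once, at
    the first record that crosses the threshold, as (time, proto, peer_count);
    proto tells you which phase the sweep was caught in (icmp = before probing)."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Tuple[datetime, str, int]] = {}
    for ts, src, dst, proto, _dport in sorted(map(parse_flow, lines), key=lambda f: f[0]):
        block = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        if ipaddress.ip_address(dst) not in block:
            continue  # off-block traffic is not part of this heuristic
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) > max_peers and src not in alerts:
            alerts[src] = (ts, proto, len(peers))
    return alerts


def first_flow_time(lines: List[str], src: str, dport: int) -> Optional[datetime]:
    """Earliest record from src to the given TCP/UDP port, or None if there is none."""
    hits = [f[0] for f in map(parse_flow, lines) if f[1] == src and f[4] == dport]
    return min(hits) if hits else None


if __name__ == "__main__":
    sample = build_sample_flows()
    for src, (ts, proto, peers) in detect_sweeps(sample).items():
        print(f"{ts.isoformat()} {src} swept {peers} neighbours ({proto}); "
              f"first tcp/135 probe at {first_flow_time(sample, src, 135)}")
```

On the constructed sample the infected host is flagged 2.1 seconds in, on its 21st ICMP neighbour and about three seconds before its first tcp/135 probe, while the benign host never gets near the threshold. The threshold and window are the knobs to tune per segment: a /30-per-desktop design like the one in the post above means a sweeping host has almost no in-block neighbours to find, which is a different way of achieving the same containment.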
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: spidey07
Originally posted by: n0cmonkey
Originally posted by: Boscoh
...and if the IPS doesn't know about a particular worm that just came out, you're screwed.

Chances are someone isn't updating the rules properly then. Rules for the IDS systems I have paid attention to come out pretty quickly. ;)

But that is definitely a good point.

noc,

I'm talking about client based VPNs.

Case in point:
Consultant plugs into internal network (that has some internal protection, IDS, etc)
Consultant makes SSL VPN connection to his home office.
Guy gets worm.
Worm is now on the inside.
Worm now has a "scope of attack" and the only thing you can do is limit the scope of the attack.

I'm actually going to be rolling out 802.1x security this year. No ID, no firewall, no updated virus, not company PC, you will not talk on our network.

Draconian I know but that's what we want.

Basically ScottMac's post is what I would recommend. I don't know how viable this is in most locations, but segmenting machines based on risk factor seems to be the way to go.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Use OWA. If the University doesn't have OWA running, I would be very surprised.

They could also upgrade to Exchange 2003 and allow RPC over HTTP.
 

DGath

Senior member
Jul 5, 2003
417
0
0
Yeah, there are two webmail options available at my university. One a standard webmail site, the other, Outlook Web Access. It's not that huge of a deal using OWA, but I just always use Outlook at work, and OWA at home, and OWA just doesn't do it for me. I talked to some people, a VPN is in the works, but a few months away, and apparently that will solve my problems.

About talking to my ISP about it. I did months ago and I asked them if they block any ports, "No, we absolutely do not block any ports." So for months I thought it was something wrong with my system or setup. I just gave up after a while. I talked to them again, they said the same thing, I assured them that they did, they put me on hold, "Oh you know what, it actually looks like we do block port 135." They refuse to unblock it, and I don't really blame them. We provide internet access for 4,000 students, and they provide internet access for 40,000 people. When blaster came out, EVERYONE was working overtime for weeks. So like I said, I don't blame them.

About the ideas posted here... didn't make any sense to me. Nothing personal, just my limited knowledge in networking showing. I'm just looking for something simple that might help out. Thanks though.