nanog mailing list archives
Re: ISPs as content-police or method-police
From: John Kristoff <jtk () depaul edu>
Date: Mon, 20 Nov 2000 13:46:58 -0600
Ben Browning wrote:
> The point is this: 137-139 are used for NetBIOS and Samba, neither of which is secure (or even supported by their vendors, AFAIK) for use out on the Internet. I think we can all agree that anyone using them in that situation shouldn't be.
The problem is that 137-139 are just numbers. The fact that a typically insecure application runs over port 137/139 as opposed to, say, 25609 makes no difference. If the logic follows, then block port 21, 111 and maybe even port 80. I'm sure we can find overzealous security experts making claims that those services are inherently insecure as well. Someone will come up with a way of doing file sharing over another port number, over another protocol, over a conforming application (e.g. HTTP) and probably using encryption so you can't tell what it is.

I think the end-to-end principle should guide us when people approach these problems with generalized network solutions... with extreme trepidation. I have no problem with organizations that control their own AS and want to block certain vulnerable ports. I can even see ISPs being somewhat service oriented towards their customers who may be completely security unaware, but to foster this type of activity as a real solution I think is a mistake. It doesn't really make the Internet any more secure. It simply moves the security problem around.

If people continue to follow this approach, then soon we end up doing content inspection looking for tunneled protocols, encryption and who knows what kinds of trickery all over TCP port 80. Yuck. That'll be "The Day the Internet Died". The closer we can get security to the end hosts the better.

John