Re: Telco's write best practices for packet switching networks

["Christopher L. Morrow" <chris () UU NET>]

On 6 Mar 2002, Eric Brandwine wrote:

> > > > > > "rp" == Rob Pickering <rob () pickering org> writes:
> rp> Why would you want to expose a management protocol like ssh to the
> rp> Internet?
>
> You wouldn't.  Neither would I.  I'll go poke fun at Chris.

I can think of a few reasons, it's no more/less secure than
sendmail/postfix/bind/snmpdx/...... its just another thing to monitor and
upgrade when there are problems.

In most people's example networks they PROBABLY run all their 'services'
on virtual interfaces anyway so ssh doesn't have to listen on the same ip
as bind so perhaps it's a non-issue.

> rp> OK so leaving ssh open is convenient, but if we are talking best
> rp> practice surely having your remote management protocols running on a
> rp> separate network, or at the very least filtering on a host basis so
> rp> that it's only listening to connects from your NOC has to be the way
> rp> to do this.
>
> Absolutely.  It bothers me that as an ISP, we kinda have to run mail
> and dns servers.  If there were two protocols I'd choose NOT to expose
> to the public network, they'd be it.  I'd much rather expose ssh than
> bind or sendmail.

We can be an ISP or we can not be an ISP, its a business decision... the
'be an ISP' seems to make money while the 'I got big vats of fiber in the
ground wanna use it for telephones?' seems to NOT make money.