nanog mailing list archives
RE: How to secure the Internet in three easy steps
From: "Eric M. Carroll" <eric.carroll () TektonAssociates com>
Date: Sun, 27 Oct 2002 14:35:23 -0500
Sean,

At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject to firewall ACLs) and actioned them under a complex and changing rule set. It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxying was used for http - you could opt out if you knew how.

While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large cable company that did the right thing and implemented SMTP authentication for their mail service. The world would be a different place if client to server mail submission was done in an authenticated manner consistently across the Internet. It's amazing how many ISPs don't implement this best practice.

Regards,
Eric Carroll

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Sean Donelan
Sent: October 25, 2002 5:36 PM
To: Paul Vixie
Cc: nanog () merit edu
Subject: Re: How to secure the Internet in three easy steps

On Fri, 25 Oct 2002, Paul Vixie wrote:
> > Not only that, but unless _everyone_ implements 2 and/or 3, all the bad
> > people that exploit the things these are meant to protect will migrate to
> > the networks that lack these measures, mitigating the benefits.
>
> not just the bad people.  all the people.  a network with 2 or 3 in place
> is useless.  there is no way to make 2 or 3 happen.
AOL? I believe they proxy almost all their subscribers through several large datacenters, and don't allow users to run their own servers. @Home prohibited customer servers on their network, blocked several ports, and proxied several services. It's common for ISPs outside of the US to force their customers to use the ISP's web proxy server, even hijacking connections which attempt to bypass it. As part of their anti-spam efforts, several providers block SMTP port 25, and force their subscribers to only use that provider's SMTP relay/proxy to send mail.

Why not extend those same restrictions to other (all) protocols? Many corporate networks already proxy all their users' traffic, and prohibit direct connections through the corporate firewalls. I think it's a bad idea, but technically I have a hard time saying it's technically impossible.
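The authenticated-submission practice Carroll describes, shown as an added example that is not part of this thread and not any ISP's actual code: a toy SMTP server session in Python that accepts inbound mail for its own domain from anyone (what an MX must do) but relays to outside domains only after a successful AUTH PLAIN, answering an unauthenticated relay attempt with 554. The domain example.net, the user alice and her password are constructed sample data; the server name submit.example.net is likewise hypothetical.

```python
"""Minimal SMTP session logic enforcing "no relay without AUTH".

Added example, not code from the NANOG thread. The user database,
domain names and credentials below are constructed for the demo.
"""
import base64
import hmac

# Constructed sample data (hypothetical): the domain this server is MX
# for, and the credentials of one subscriber.
LOCAL_DOMAINS = {"example.net"}
USERS = {"alice": "correct horse battery staple"}


def plain_credentials(user: str, password: str) -> str:
    """Encode credentials the way a client sends them for AUTH PLAIN
    (RFC 4616: [authzid] NUL authcid NUL passwd, base64-encoded)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


class SubmissionSession:
    """State of one client connection; answers one SMTP command at a time."""

    def __init__(self):
        self.authenticated_as = None
        self.sender = None
        self.recipients = []

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # Advertise AUTH so the client knows submission is authenticated.
            return "250-submit.example.net\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip("<> ")
            self.recipients = []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 MAIL first"
            return self._rcpt(arg.partition(":")[2].strip("<> "))
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command not recognized"

    def _auth(self, arg: str) -> str:
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            _, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:
            # Covers bad base64, bad UTF-8 and a wrong number of NUL-separated parts.
            return "501 5.5.2 Malformed AUTH PLAIN response"
        expected = USERS.get(user)
        # Constant-time compare so password length/prefix is not leaked by timing.
        if expected is not None and hmac.compare_digest(expected, password):
            self.authenticated_as = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def _rcpt(self, rcpt: str) -> str:
        domain = rcpt.rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS:
            # Inbound mail for our own users is accepted from anyone.
            self.recipients.append(rcpt)
            return "250 2.1.5 Ok"
        if self.authenticated_as is None:
            # Foreign recipient without AUTH: this is the open-relay case
            # that unauthenticated submission leaves open to spammers.
            return "554 5.7.1 Relay access denied"
        self.recipients.append(rcpt)
        return "250 2.1.5 Ok"


def run_dialogue(commands):
    """Feed a scripted client conversation through a fresh session and
    return the server's replies in order."""
    session = SubmissionSession()
    return [session.handle(c) for c in commands]


if __name__ == "__main__":
    script = ["EHLO laptop", "MAIL FROM:<alice@example.net>",
              "RCPT TO:<bob@example.org>",
              "AUTH PLAIN " + plain_credentials("alice", USERS["alice"]),
              "MAIL FROM:<alice@example.net>", "RCPT TO:<bob@example.org>", "QUIT"]
    for cmd, reply in zip(script, run_dialogue(script)):
        print(f"C: {cmd}\nS: {reply}")
```

The first RCPT in the scripted run is refused with 554 because the client has not authenticated; after AUTH PLAIN the same RCPT is accepted. A real deployment would additionally put submission on its own port with TLS required before AUTH, since PLAIN sends the password in the clear.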
Current thread:
- Re: How to secure the Internet in three easy steps, (continued)
- Re: How to secure the Internet in three easy steps Sean Donelan (Oct 25)
- Re: How to secure the Internet in three easy steps Scott Granados (Oct 25)
- Re: How to secure the Internet in three easy steps batz (Oct 25)
- Re: How to secure the Internet in three easy steps Paul Vixie (Oct 25)
- Re: How to secure the Internet in three easy steps Sean Donelan (Oct 26)
- Odd behavior Joe (Oct 26)
- Re: Odd behavior Allan Liska (Oct 26)
- Re: Odd behavior Joe (Oct 26)
- Re: Odd behavior Scott Granados (Oct 27)
- Re: How to secure the Internet in three easy steps Paul Vixie (Oct 26)
- RE: How to secure the Internet in three easy steps Eric M. Carroll (Oct 27)
- Re: How to secure the Internet in three easy steps Matthew S. Hallacy (Oct 27)
- Re: How to secure the Internet in three easy steps Joseph Barnhart (Oct 27)
- Re: How to secure the Internet in three easy steps William Warren (Oct 27)
- Re: How to secure the Internet in three easy steps Christopher Schulte (Oct 27)
- RE: How to secure the Internet in three easy steps Vivien M. (Oct 27)
- RE: How to secure the Internet in three easy steps alex (Oct 28)
- RE: How to secure the Internet in three easy steps Scott Granados (Oct 28)
- Re: How to secure the Internet in three easy steps Valdis . Kletnieks (Oct 28)
- Re: How to secure the Internet in three easy steps Joe (Oct 27)
- Re: How to secure the Internet in three easy steps dgold (Oct 29)