nanog mailing list archives

Re: Is it time to block all Microsoft protocols in the core?


From: alex () yuriev com
Date: Mon, 27 Jan 2003 14:16:40 -0500 (EST)


I don't think it's so much of a problem of programs opening listen
sockets as it is a problem of admins not properly controlling their
networks and a certain software company pushing insecure features like
printing over the internet that refuse to work from behind a firewall
and have no direct proxy support.


This is the exact reason why any arguments to management to block NETBIOS
have failed. The reasons it is rejected are always the same:

a) We're not responsible for our users getting infected through their own
ignorance
b) Some of our users refuse to use VPN or lack the knowledge to effectively
use it and want to use NETBIOS services over the Internet

There are two different things that you are grouping together, when in fact
they are separate. As an ISP, you have two networks. The first one of them
is your internal network on which you may have MSSQL server or any other
servers used by your company.  The second network is the network to which
you connect your customers. These two networks have two distinctly different
security policies. I will venture as far as to say that you probably are
filtering what comes in and what comes out of your internal network. On the
other hand, you are providing IP transit to the customers. Filtering random
ports on the second network baffles me. Why would you do it? Don't you bill
people for the traffic that they receive/get? Obviously, should your
customer be attacked, you want to participate in coordination of the
response, however, it is a job of your customer to decide if they want to
filter some ports from their network or if they want to contract you to do
that for them.


Alex
