Re: BCP for ISP to block worms at PEs and NAS

["Christopher L. Morrow" <christopher.morrow () mci com>]

On Sun, 17 Apr 2005, J.D. Falk wrote:

> On 04/17/05, John Kristoff <jtk () northwestern edu> wrote:
>
> > >  deny   tcp any any range 135 139
> > >  deny   udp any any range 135 netbios-ss
> > >  deny   tcp any any eq 445
> > >  deny   udp any any eq 1026
> >
> > Similar as before, you are going to be removing some legitimate
> > traffic.
>
>       Is this really true?  All of the ports listed above are used by
>       LAN protocols that were never intended to communicate directly
>       across backbone networks -- that's why VPNs were invented.

and people use them all the time across the real Internet :( It's dumb, we
can argue about it's 'correctness' or 'localness' or whatever until we are
blue in the face, but people still do it.

>       Or, is your argument that some system somewhere MIGHT ignore the
>       offical port numbers allocated by IANA and try to pass some
>       other kind of traffic there instead?

Certainly, ssh over tcp/80 is common, other protocols can become agile as
well... people SHOULD use the IANA port numbers, in practice they don't
always abide by them :(

> > Perhaps set the rules to permit and log first, let it run for awhile
> > and then see what you'll be missing.
>
>       Yep, this is always good advice.  But don't give up just because
>       of some naysayers rolling out the usual FUD.  In the real world,
>       security for the many outweighs the extremely unlikely edge cases
>       of the few.

Or... use a system where your users can 'subscribe' to a 'better Internet'
(define 'better Internet' as you like)