nanog mailing list archives
RE: Customer-facing ACLs
From: "Frank Bulk - iNAME" <frnkblk () iname com>
Date: Wed, 12 Mar 2008 21:22:41 -0500
Sorry, I should have been more clear. I added them a few months after I came on board. The ports that are blocked are either Windows SMB/RPC ports or the ones that (a long time ago) were used by worms. Correct, no research into traffic or contact with customers. Although some may argue that sharing one's files with their neighbor using Windows File and Print Sharing is a valid service, it's generally accepted that residential subscribers have no legitimate need to be communicating with those ports on the internet, and they are 100 to 1 more likely to carry malicious traffic than not. And as our history has shown, there have been close to zero issues. Yes, perhaps customers just didn't bother to call in to complain, or that call wasn't escalated to me, but I think I could communicate a pretty convincing argument if required.

Frank

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Scott Weeks
Sent: Wednesday, March 12, 2008 6:39 PM
To: nanog () merit edu
Subject: RE: Customer-facing ACLs

--- frnkblk () iname com wrote: --------------------
We have a two-dozen line long ACL applied to our CMTS and BRAS blocking Windows and "virus" ports and have never had a complaint or a problem. We do have more sophisticated residential or large-biz customers ask, but
----------------------------------------

I'd like to ask the same question of you that I just did to Chris. How'd you implement that, or has it been there since the network was new?

------ frnkblk () iname com wrote: ------------
From: "Frank Bulk - iNAME" <frnkblk () iname com>
Those ACLs were added when I came on board. Again, only one complaint in 3+ years.
--------------------------------------------

Do you mean they were already there when you arrived, or do you mean you just put in ACLs after arriving? No research into traffic? No contact with customers? No elaborating to the less technical folks in the company about what was going to happen? etc...

We have over 100k DSL folks and most are DHCP. I'd be afraid to do that without research into the traffic via "permit tcp NNN log" type ACLs and other methods. I believe I will take Sean D's suggestion and read MAAWG's docs. Makes me wonder, though, if we took over the Hawaii part of VZ's network and it was completely open, does that mean the rest of their network is similarly open?

scott
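Scott's "permit tcp NNN log" approach to researching the traffic before blocking anything produces a stream of ACL hit messages; the script below is an added example (not from the thread or from any of its participants) of what to do with them. It assumes the Cisco IOS "%SEC-6-IPACCESSLOGP" log format, uses constructed sample lines with documentation addresses, and takes the Windows RPC/NetBIOS/SMB port set Frank refers to (135, 137-139, 445) as the ports of interest. Beyond simply counting hits per port, it flags subscriber sources that sweep many distinct destinations on those ports, which is the worm-style traffic that motivates the ACL in the first place, as opposed to one neighbor talking to one file share.

```python
import re
from collections import defaultdict

# Cisco IOS ACL log line (assumed format; the sample lines below are constructed):
# %SEC-6-IPACCESSLOGP: list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# The "Windows" ports from the thread: RPC endpoint mapper, NetBIOS, SMB.
WINDOWS_PORTS = {135, 137, 138, 139, 445}

# Constructed sample log: one host sweeping four destinations, one host
# talking to a single file share, one unrelated UDP hit, one non-ACL line.
SAMPLE_LOG = """\
Mar 12 21:00:01 bras1 101: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 198.51.100.23(49152) -> 203.0.113.7(445), 1 packet
Mar 12 21:00:01 bras1 102: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 198.51.100.23(49153) -> 203.0.113.8(445), 1 packet
Mar 12 21:00:02 bras1 103: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 198.51.100.23(49154) -> 203.0.113.9(445), 1 packet
Mar 12 21:00:02 bras1 104: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 198.51.100.23(49155) -> 203.0.113.10(135), 1 packet
Mar 12 21:00:05 bras1 105: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 198.51.100.44(1041) -> 192.0.2.10(445), 3 packets
Mar 12 21:00:05 bras1 106: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 198.51.100.44(1042) -> 192.0.2.10(139), 2 packets
Mar 12 21:00:09 bras1 107: %SEC-6-IPACCESSLOGP: list 110 permitted udp 198.51.100.91(1434) -> 203.0.113.5(1434), 1 packet
Mar 12 21:00:12 bras1 108: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_line(line):
    """Return a dict for an ACL hit line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse a whole log, silently skipping lines that are not ACL hits."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def tally_by_port(records):
    """Packets and distinct subscriber sources seen per destination port.

    This is the 'how much of this is there, and who is doing it' answer
    you want before turning a permit/log entry into a deny.
    """
    out = defaultdict(lambda: {"packets": 0, "sources": set()})
    for r in records:
        out[r["dport"]]["packets"] += r["count"]
        out[r["dport"]]["sources"].add(r["src"])
    return dict(out)


def flag_scanners(records, ports=WINDOWS_PORTS, min_targets=3):
    """Sources that hit at least min_targets distinct destinations on `ports`.

    A subscriber reaching one remote file share shows one destination; a
    worm-infected host shows many. The threshold is a tunable assumption.
    """
    targets = defaultdict(set)
    for r in records:
        if r["dport"] in ports:
            targets[r["src"]].add(r["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for port, info in sorted(tally_by_port(recs).items()):
        print(f"port {port}: {info['packets']} packets from {len(info['sources'])} sources")
    print("likely scanners:", flag_scanners(recs))
```

Run it against a day of syslog from the CMTS/BRAS instead of SAMPLE_LOG and the per-port tally tells you how many subscribers would be affected by each deny line, while the scanner list tells you which of them are the reason for it. Note that `log` on a busy ACL entry is itself a load concern on the router; rate-limit it or collect the counts from a sampled source before leaving it on for long.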
Current thread:
- Re: Customer-facing ACLs, (continued)
- Re: Customer-facing ACLs JC Dill (Mar 10)
- Re: Customer-facing ACLs Christopher Morrow (Mar 10)
- Re: Customer-facing ACLs Justin Shore (Mar 10)
- Customer-facing ACLs mack (Mar 10)
- Re: Customer-facing ACLs Scott Weeks (Mar 11)
- Re: Customer-facing ACLs Scott Weeks (Mar 11)
- RE: Customer-facing ACLs Scott Weeks (Mar 11)
- RE: Customer-facing ACLs Sean Donelan (Mar 11)
- RE: Customer-facing ACLs Frank Bulk - iNAME (Mar 11)
- RE: Customer-facing ACLs Scott Weeks (Mar 12)
- RE: Customer-facing ACLs Frank Bulk - iNAME (Mar 12)