[102898] in North American Network Operators' Group


Customer-facing ACLs

daemon@ATHENA.MIT.EDU (Justin Shore)
Fri Mar 7 14:58:35 2008

Date: Fri, 07 Mar 2008 13:55:05 -0600
From: Justin Shore <justin@justinshore.com>
To: NANOG <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu


This question will probably get lost in the Friday afternoon lull but 
we'll give it a try anyway.

What kind of customer-facing filtering do you do (ingress and egress)? 
This of course is dependent on the type of customer, so let's assume 
we're talking about an average residential customer.

Do you block SYNs destined to your customers?  Do you rate-limit SYNs 
destined for your customers?  SYNs on privileged ports?

Do you block any customer-facing egress traffic at all?  What about 
ingress?  SMTP, NetBIOS, MS-SQL, common proxy ports (3128, 6588)?

What ICMP types do you allow or disallow?

I'm assuming everyone uses uRPF at all their edges already so that 
eliminates the need for specific ACEs with ingress/egress network 
verification checks.

Do you filter anything destined to your network infrastructure on your 
customer-facing edges?  Does anyone filter traffic destined to the PE 
side of a PE-CE link from the outside world?

For those of you with cable networks, what all do you block with the CM? 
We're considering blocking NetBIOS and DHCP server traffic (DHCP 
server packets are already blocked at the CMTS but this would keep that 
junk off our infrastructure).

For SMTP we permit access to our SMTP servers on tcp/25 to all our 
broadband users.  We also permit our customers with static IPs 
(residential and business) to send SMTP without restrictions.  After 
those permits we explicitly block tcp/25.  This has worked fairly well 
for us.  It sure makes it easy to find infected PCs with spambots.  We 
don't touch tcp/587.

For ICMP we permit echo, replies, packet-too-big, and time-exceeded. 
Everything else gets dropped.  Frags are explicitly dropped before any 
permits.

We also block common proxy ports to and from the customers (the to 
includes ports not always used for proxies).  This has been very 
effective in catching a number of bots that scanned for open Squid 
proxies or script kiddie junk that used WinGate with the default settings.


Is there a BCP for customer-facing ACLs?

Justin
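The policy described in the post (fragments dropped before any permit, the SMTP permits placed ahead of the explicit tcp/25 deny, a short ICMP allow-list, proxy ports blocked), modelled as an ordered first-match rule list so the effect of entry ordering can be checked against sample packets. This is an added example and not part of the original post; the addresses are constructed documentation-range samples, and the vendor-neutral Python stands in for whatever router ACL syntax the edge actually uses.

```python
from dataclasses import dataclass

# Constructed sample addresses; none of these values come from the post.
MAIL_SERVERS = {"192.0.2.25"}          # the ISP's own SMTP servers
STATIC_CUSTOMERS = {"198.51.100.10"}   # customers holding static IPs
PROXY_PORTS = {3128, 6588}             # proxy ports named in the post
ICMP_ALLOWED = {"echo", "echo-reply", "packet-too-big", "time-exceeded"}

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    icmp_type: str = ""
    fragment: bool = False  # non-initial fragment, no L4 header to inspect

def customer_acl():
    """Ordered (action, predicate) entries, first match wins, as in a router ACL.
    Order is the point: fragments are dropped before any permit, and the SMTP
    permits sit before the explicit tcp/25 deny so only intended senders pass."""
    tcp25 = lambda p: p.proto == "tcp" and p.dport == 25
    return [
        ("deny",   lambda p: p.fragment),
        ("permit", lambda p: tcp25(p) and p.dst in MAIL_SERVERS),
        ("permit", lambda p: tcp25(p) and p.src in STATIC_CUSTOMERS),
        ("deny",   tcp25),
        ("permit", lambda p: p.proto == "icmp" and p.icmp_type in ICMP_ALLOWED),
        ("deny",   lambda p: p.proto == "icmp"),
        ("deny",   lambda p: p.proto == "tcp" and p.dport in PROXY_PORTS),
        ("permit", lambda p: True),  # everything else, e.g. tcp/587 submission
    ]

def evaluate(acl, pkt):
    """Action of the first matching entry; implicit deny if nothing matches."""
    for action, match in acl:
        if match(pkt):
            return action
    return "deny"

if __name__ == "__main__":
    acl = customer_acl()
    samples = [
        Pkt("203.0.113.5", "192.0.2.25", "tcp", 25),                 # permit
        Pkt("203.0.113.5", "192.0.2.99", "tcp", 25),                 # deny (spambot)
        Pkt("198.51.100.10", "192.0.2.99", "tcp", 25),               # permit (static)
        Pkt("203.0.113.5", "192.0.2.25", "tcp", 25, fragment=True),  # deny
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.proto, p.dport or p.icmp_type, evaluate(acl, p))
```

Swapping the fragment entry below the mail-server permit, or the tcp/25 deny above the permits, changes the results for the sample packets, which is the ordering mistake a reviewer of a real ACL should look for.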
