[27280] in North American Network Operators' Group


Re: Cisco says attacks are due to operational practices

daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Feb 10 21:41:54 2000

Date: Thu, 10 Feb 2000 21:22:40 -0500
From: Jared Mauch <jared@puck.Nether.net>
To: Chris Cappuccio <chris@dqc.org>
Cc: "John M. Brown" <jmbrown@ihighway.net>, nanog@merit.edu
Message-ID: <20000210212240.A12542@puck.nether.net>
Mail-Followup-To: Chris Cappuccio <chris@dqc.org>,
	"John M. Brown" <jmbrown@ihighway.net>, nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <Pine.BSO.4.21.0002101812130.2897-100000@dqc.org>; from chris@dqc.org on Thu, Feb 10, 2000 at 06:13:56PM -0800
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, Feb 10, 2000 at 06:13:56PM -0800, Chris Cappuccio wrote:
> 
> Filtering incoming or outgoing ports for anybody's network but your own (not
> your customer's) is wrong.  You know specifically what apps you are running.  
> How can you know what your customer is running or what they want to do?

        Filtering my customers to prevent them from sending me
packets with source IP addresses other than those they have
told me about, or I have assigned to them, is not wrong.

> If the customer is aware this is happening or even requests this type of
> firewall service, that's great.  But to filter ports on backbone routers is
> stupid.

	Let's explain it this way:

	If I were operating a telephone network, I would only allow
calls from numbers that I assigned, or my customers ask to be routed
to them.

	Or even this:
	
	If I operate a cellular network, I can choose what the source
number is on their telephone, and if I want to allow it.

	- Jared
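
Added example, not part of the original message: a sketch of the per-customer source-address check the reply describes, which looks only at the arrival interface and the source address and never at ports. The interface names, prefixes (documentation ranges) and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: customer-facing interface -> prefixes assigned to
# or announced by that customer (documentation address ranges only).
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

def build_table(raw):
    """Parse prefix strings once; strict=True rejects prefixes with host bits set."""
    return {
        ifname: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for ifname, prefixes in raw.items()
    }

def permit_source(table, ifname, src):
    """Return (allowed, reason) for a packet arriving on ifname with source src.

    Only the arrival interface and the source address are examined; ports and
    protocols play no part in the decision.
    """
    nets = table.get(ifname)
    if nets is None:
        return False, "unknown interface"
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "malformed source"
    for net in nets:
        # Compare only within the same address family.
        if addr.version == net.version and addr in net:
            return True, f"within {net}"
    return False, "source not assigned to this customer"

def audit(table, packets):
    """Count dropped packets per interface for (ifname, src, dst_port) tuples."""
    drops = {}
    for ifname, src, _dst_port in packets:  # destination port is ignored
        allowed, _ = permit_source(table, ifname, src)
        if not allowed:
            drops[ifname] = drops.get(ifname, 0) + 1
    return drops
```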


