[32227] in North American Network Operators' Group


Re: Operational impact of filtering SMB/NETBIOS traffic?

daemon@ATHENA.MIT.EDU (William S. Duncanson)
Tue Nov 14 20:34:01 2000

Message-Id: <5.0.0.25.2.20001114184953.00ad9b00@mail.starkreality.com>
Date: Tue, 14 Nov 2000 19:30:04 -0600
To: Paul Thornton <prt@prt.org>, Scott Call <scall@devolution.com>
From: "William S. Duncanson" <caesar@starkreality.com>
Cc: nanog@nanog.org
In-Reply-To: <Pine.BSF.4.21.0011142201290.24047-100000@avalon.whirlygig.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


Being on the customer side of things, I filter 137-139 at my borders.  If 
people need to get in from outside, that's what VPNs are for.  I can think 
of no person who should legitimately be sending SMB traffic over the 
capital I Internet.

On the subject of backbone providers, backbone providers IMHO should never 
filter transit, period, end of discussion.  They can filter on customer 
borders if the customer requests it, and they can (and should) filter their 
dialup modem pools (hello, UUNet, PSI, etc.).  The only conceivable case in 
which a backbone should filter transit is if the traffic in question is 
clearly an attack, and filtering is requested by a customer or peer, or if 
the amount of attack traffic is noticeably affecting performance.

We need to stop foisting security onto the backbones, and start being 
responsible for it ourselves.  If someone is foolish enough to allow SMB 
traffic over the Internet, then they deserve what's coming to them.

As it has for eternity, it all boils down to educating the customer.  Maybe 
it's time to start doing it with a clue-by-four.

At 22:06 11/14/2000 +0000, Paul Thornton wrote:

>On Tue, 14 Nov 2000, Scott Call wrote:
>
> > Because this traffic is IP traffic, I wanted to ask others on this list
> > how they treat SMB traffic on their backbones?
>
>One of the things I considered doing was filtering 137-139 in our data
>centres to reduce risk to customers' poorly (usually through knowing no
>better, so no offence intended here) configured NT boxes.  It does seem,
>however, that people do want truly unrestricted NetBIOS over IP connectivity
>into their boxes "So we can browse the server from the office" being a
>familiar cry.  As a result of this, we didn't go ahead with the intended
>filtering.
>
>Experience has taught me that people (a) do this, and do it a lot
>(certainly in Europe, YMMV elsewhere); and (b) a good number of them are
>happy to have a server with little external filtering/firewalling/protection
>doing it.  I find this particularly scary...
>
>--
>Paul
>
>Not speaking for my employer, in case you know who they are...

-- 
William S. Duncanson                        caesar@starkreality.com
The driving force behind the NC is the belief that the companies who
brought us things like Unix, relational databases, and Windows can make an
appliance that is inexpensive and easy to use if they choose to do that.
-- Scott Adams
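
An added example, not part of the original message or thread: a check that a border ruleset really drops 137-139 for both TCP and UDP once first-match rule order is taken into account. It assumes iptables-save syntax, `eth0` as the border interface, and a constructed sample ruleset; negated matches and user-defined chains are not handled.

```python
NETBIOS_PORTS = range(137, 140)  # 137-139, the range named in the message

# Constructed sample (iptables-save syntax). Assumption: eth0 is the border interface.
SAMPLE_RULES = """\
-A FORWARD -i eth0 -p udp -m udp --dport 137:138 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m multiport --dports 135,139 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 1:1024 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
"""

def parse_rule(line):
    """Return (iface, proto, ports or None, target) for a FORWARD rule, else None."""
    tok = line.split()
    if tok[:2] != ["-A", "FORWARD"]:
        return None
    opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
    spec = opt.get("--dport") or opt.get("--dports")
    ports = None  # None means the rule matches every destination port
    if spec:
        ports = set()
        for part in spec.split(","):
            lo, _, hi = part.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return opt.get("-i"), opt.get("-p"), ports, opt.get("-j")

def verdict(rules, iface, proto, port, policy):
    """First matching terminal rule wins; otherwise the chain policy applies."""
    for r_iface, r_proto, r_ports, target in rules:
        if r_iface not in (None, iface) or r_proto not in (None, "all", proto):
            continue
        if r_ports is not None and port not in r_ports:
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return policy

def exposed_netbios(ruleset_text, iface="eth0", policy="ACCEPT"):
    """List (proto, port) pairs in 137-139 that the ruleset still forwards."""
    rules = [r for r in map(parse_rule, ruleset_text.splitlines()) if r]
    return [(proto, port) for proto in ("tcp", "udp") for port in NETBIOS_PORTS
            if verdict(rules, iface, proto, port, policy) == "ACCEPT"]

if __name__ == "__main__":
    for proto, port in exposed_netbios(SAMPLE_RULES):
        print(f"border still forwards {proto}/{port}")
```

The sample looks filtered at a glance, yet tcp/137-138 fall through to the broad 1:1024 ACCEPT and udp/139 falls through to the default policy.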


