[32349] in North American Network Operators' Group


Re: Operational impact of filtering SMB/NETBIOS traffic?

daemon@ATHENA.MIT.EDU (Shawn McMahon)
Sun Nov 19 18:49:02 2000

Date: Sun, 19 Nov 2000 18:45:39 -0500
From: Shawn McMahon <smcmahon@eiv.com>
To: nanog@merit.edu
Message-ID: <20001119184539.A5200@eiv.com>
In-Reply-To: <47FE39302BF73B4C93BC84B87341282C1F04@condor.lvrmr.mhsc.com>; from rmeyer@mhsc.com on Sun, Nov 19, 2000 at 10:31:06AM -0800
Errors-To: owner-nanog-outgoing@merit.edu

On Sun, Nov 19, 2000 at 10:31:06AM -0800, Roeland Meyer wrote:
> 
> > 1) Be behind a firewall that blocks ssh.
> 
> Sometimes ... been there ... too often.
> 
> > 2) Be behind a firewall that DOESN'T block SMB.
> 
> Usually the case.
> 
> > 3) Not be in a position to have that policy changed.
> 
> Almost always the case with a client.
> 
> > 4) Not be violating his corporation's policies when he
> > connects through you.
> 
> Covered by NDA ... no problem. Besides, corporate policy enforcement is not
> part of the transit provider contract.

Roeland, I doubt that you can name me a single case where all of the following
are true:

The firewall blocks outbound ssh.
The firewall allows inbound SMB.
The customer cannot get that policy changed.
The customer is not violating his company's policies by connecting his PC
to the company network through the internet.

All four of those have to be true for your example to be meaningful.  No sane
network administrator blocks ssh but allows SMB.  That's like locking your
2nd-floor windows but leaving your 1st-floor doors wide open.

I agree with you that most firewalls block ssh; I do not agree that most firewalls
don't block SMB, as you've stated.  I in fact think that the number of firewalls
that don't block SMB but do block ssh is so small as to be statistically
insignificant.

Please name me a single Fortune-1000 company that blocks outbound ssh but not
inbound SMB.

Short of setting your firewall up this way for the express purpose of
providing an example, I doubt you can even name a business listed on any stock
exchange anywhere that does this; and if you can, I bet their admin will fix
the problem after you do.
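The policy inversion argued about above (outbound ssh denied while inbound SMB/NetBIOS is permitted) is easy to check mechanically. The following is an added example, not code from the thread or from any NANOG participant: a small first-match rule evaluator with an audit that flags exactly that combination. The Rule class, the two constructed rulesets and the finding strings are my own; the port numbers (22/tcp for ssh, 137/udp, 138/udp, 139/tcp for NetBIOS, 445/tcp for direct SMB) are the standard well-known assignments.

```python
"""Audit a simple first-match firewall policy for the inconsistency discussed
on the list: outbound ssh blocked while inbound SMB/NetBIOS is allowed.
Example code written for this archive page; not from the original post."""
from dataclasses import dataclass
from typing import List, Optional

# Well-known ports. ssh is 22/tcp; NetBIOS name/datagram/session services are
# 137/udp, 138/udp, 139/tcp; SMB over TCP without NetBIOS is 445/tcp.
SSH_PORT = 22
SMB_NETBIOS = [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)]


@dataclass
class Rule:
    direction: str        # "in" (from the Internet) or "out" (to the Internet)
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None matches any port
    action: str           # "allow" or "deny"

    def matches(self, direction: str, proto: str, port: int) -> bool:
        return (self.direction == direction
                and self.proto in ("any", proto)
                and self.port in (None, port))


def decide(rules: List[Rule], direction: str, proto: str, port: int,
           default: str = "deny") -> str:
    """First matching rule wins; otherwise the policy default applies."""
    for rule in rules:
        if rule.matches(direction, proto, port):
            return rule.action
    return default


def audit(rules: List[Rule], default: str = "deny") -> List[str]:
    """Return a list of findings; an empty list means the policy is consistent
    with respect to the ssh-vs-SMB question raised on the list."""
    findings = []
    ssh_out = decide(rules, "out", "tcp", SSH_PORT, default)
    open_smb = [f"{proto}/{port}" for proto, port in SMB_NETBIOS
                if decide(rules, "in", proto, port, default) == "allow"]
    if open_smb:
        findings.append("inbound SMB/NetBIOS reachable from the Internet: "
                        + ", ".join(open_smb))
    if ssh_out == "deny" and open_smb:
        findings.append("policy inversion: outbound ssh denied while "
                        "inbound SMB/NetBIOS allowed")
    return findings


# Constructed "weak" ruleset: the configuration the thread argues about.
WEAK = [
    Rule("out", "tcp", 22, "deny"),       # ssh to the outside is blocked
    Rule("out", "any", None, "allow"),    # everything else outbound is fine
    Rule("in", "tcp", 445, "allow"),      # but SMB from the Internet is open
    Rule("in", "tcp", 139, "allow"),
]

# Constructed corrected ruleset: explicit SMB/NetBIOS denies come first so a
# later, broader inbound allow (here a public web server) cannot re-open them.
FIXED = [
    Rule("in", "udp", 137, "deny"),
    Rule("in", "udp", 138, "deny"),
    Rule("in", "tcp", 139, "deny"),
    Rule("in", "tcp", 445, "deny"),
    Rule("in", "tcp", 443, "allow"),      # public HTTPS service
    Rule("out", "tcp", 22, "allow"),      # ssh outbound permitted
    Rule("out", "any", None, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(rules) or ["no findings"])
```

The evaluator is deliberately minimal (destination port only, first match wins, default deny); the point is the ordering shown in FIXED, where the SMB/NetBIOS denies sit ahead of any permissive inbound rule, and the audit, which can be pointed at a rule list exported from a real firewall once it is converted into Rule records.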