[32359] in North American Network Operators' Group
RE: Operational impact of filtering SMB/NETBIOS traffic?
daemon@ATHENA.MIT.EDU (Mathew Butler)
Mon Nov 20 07:19:21 2000
Message-ID: <F062E72E4BA2D4119F1700B0D03D205F39D1@MAIL>
From: Mathew Butler <mbutler@tonbu.com>
To: 'Shawn McMahon' <smcmahon@eiv.com>, nanog@merit.edu
Date: Mon, 20 Nov 2000 04:12:19 -0800
Ah, but here's the rub: Is there anything, from a business standpoint (read:
contracts), that says that you have the right, much less the obligation, to
make 'security' decisions for the customer? If not, you're opening your
company up to massive lawsuits.
It's a -very- touchy subject -- but I, as a customer, want exclusive right
to make filtering decisions over what goes from my network to the peering
point, where the other backbone providers can choose their own policy. The
reason for this is so that, if necessary, I can run any protocol I have a
need to run over all circuits that I have that are connected to the same
ISP.
If it is shown that my network is relaying spam traffic, or is otherwise
abusing the precepts of "Maintain Control Over What Flows In To And Out Of
Your Network", only -then- would I think that control should be exercised by
the NSP, and only then to the extent necessary to stop the abuse. And a
hefty fine should be imposed on my company in that circumstance.
Or are you thinking that the only clueful people in the network world exist
at the NSPs?
-Mat Butler
-----Original Message-----
From: Shawn McMahon [mailto:smcmahon@eiv.com]
Sent: Sunday, November 19, 2000 4:53 AM
To: nanog@merit.edu
Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?
On Sat, Nov 18, 2000 at 08:19:12PM -0800, Roeland Meyer wrote:
>
> because we want shares. You are considering killing off a whole bunch of
> legitimate use because some are too brain-dead to not have unintentional
> shares on the internet?
There are other issues with Microsoft's networking protocols than just
unintentional shares. It leaks potentially lethal information like a sieve.
Letting it willy-nilly through your firewalls is an invitation to have
compromised hosts on your network.
It should be filtered by default, and only un-filtered by request; and that
with the understanding that if it even looks like you might be owned, you get
cut off until there's an explanation.