[45981] in North American Network Operators' Group
Re: Telco's write best practices for packet switching networks
daemon@ATHENA.MIT.EDU (Eric Brandwine)
Wed Mar 6 13:20:39 2002
To: "rob@pickering.org" <>
Cc: "Christopher L. Morrow" <chris@UU.NET>, nanog@merit.edu
From: Eric Brandwine <ericb@UU.NET>
Date: 06 Mar 2002 18:15:29 +0000
In-Reply-To: Rob Pickering's message of "Wed, 06 Mar 2002 17:26:28 -0000"
Message-ID: <gu9d6yhh8am.fsf@rampart.argfrp.us.uu.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: owner-nanog-outgoing@merit.edu
>>>>> "rp" == Rob Pickering <rob@pickering.org> writes:
rp> --On 06 March 2002 15:04 +0000 "Christopher L. Morrow" <chris@UU.NET>
rp> wrote:
>> Eric's point was you deploy your fancy-dan mail server with ONLY 22
>> and 25 listening,
rp> Um, that would be "ONLY port 25 listening" on it's public network
rp> facing interface wouldn't it.
rp> Why would you want to expose a management protocol like ssh to the
rp> Internet?
You wouldn't. Neither would I. I'll go poke fun at Chris.
rp> OK so leaving ssh open is convenient, but if we are talking best
rp> practice surely having your remote management protocols running on a
rp> separate network, or at the very least filtering on a host basis so
rp> that it's only listening to connects from your NOC has to be the way
rp> to do this.
Absolutely. It bothers me that as an ISP, we kinda have to run mail
and dns servers. If there were two protocols I'd choose NOT to expose
to the public network, they'd be it. I'd much rather expose ssh than
bind or sendmail.
ericb
--
Eric Brandwine | Apart from hydrogen, the most common thing in the
UUNetwork Security | universe is stupidity.
ericb@uu.net |
+1 703 886 6038 | - Harlan Ellison
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
