[61704] in North American Network Operators' Group
Re: What do you want your ISP to block today?
daemon@ATHENA.MIT.EDU (Vinny Abello)
Wed Sep 3 15:16:31 2003
Date: Wed, 03 Sep 2003 15:05:14 -0400
To: Sean Donelan <sean@donelan.com>,
Johannes Ullrich <jullrich@euclidian.com>
From: Vinny Abello <vinny@tellurian.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.44.0309031441180.23921-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu
At 02:51 PM 9/3/2003, Sean Donelan wrote:
>On Wed, 3 Sep 2003, Johannes Ullrich wrote:
> > I just summarized my thoughts on this topic here:
> > http://www.sans.org/rr/special/isp_blocking.php
> >
> > Overall: I think there are some ports (135, 137, 139, 445),
> > a consumer ISP should block as close to the customer as
> > they can.
>
>If ISPs had blocked port 119, Sobig could not have been distributed
>via USENET.
>
>
>Perhaps unbelievably to people on this mailing list, many people
>legitimately use 135, 137, 139 and 445 over the open Internet
>everyday. Which protocols do you think are used more on today's
>Internet? SSH or NETBIOS?
>
>Some businesses have created an entire industry of outsourcing Exchange
>service which needs all their customers to be able to use those ports.
>
>http://www.mailstreet.net/MS/urgent.asp
>
>http://dmoz.org/Computers/Software/Groupware/Microsoft_Exchange/
>
>If done properly, those ports are no more or less "dangerous" than
>any other 16-bit port number used for TCP or UDP protocol headers.
>
>
>But we need to be careful not to make the mistake that just because
>we don't use those ports that the protocols aren't useful to other
>people.
Even on Windows they can be used in a much safer fashion (although I would
never attempt it for any of my stuff). It is possible to use IPSec policies
on 2000 and higher to encrypt all traffic on specified ports to specified
hosts/networks and block all other traffic. I bet some people are using
this to join remote locations securely to each other for Windows networking
with these ports and IPSec policies.
Vinny Abello
Network Engineer
Server Management
vinny@tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
There are 10 kinds of people in the world. Those who understand binary and
those that don't.
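The IPSec policy Vinny describes (encrypt the Windows networking ports to one
remote site and block everything else) looks roughly like the following. This
is an added example and not something from the original post or from
Tellurian; it is written for "netsh ipsec static", which shipped with Windows
XP SP2 / Server 2003 (Windows 2000 used the resource-kit tool ipsecpol.exe
with a different syntax). The policy and filter names, the branch network
192.0.2.0/24 and the pre-shared key are assumptions chosen for illustration.

```powershell
# Added example, not from the original NANOG post: a Windows IPsec policy that
# requires ESP to one branch network on TCP 135/139/445 and UDP 137, and blocks
# all other traffic to or from this host. Requires "netsh ipsec static"
# (Windows XP SP2 / Server 2003 or later). Policy name, branch subnet and PSK
# are assumed values for the example; run from an elevated prompt.
$Policy = "Branch-SMB-Only"
$Branch = "192.0.2.0"
$Mask   = "255.255.255.0"
$Psk    = "change-me-to-a-long-random-secret"   # assumption; prefer rootca= with certificates across the Internet

# 1. Policy container. It is not assigned yet, so nothing takes effect until step 6.
netsh ipsec static add policy name="$Policy"

# 2. Filter list for the four ports from the thread, to the branch subnet only.
#    mirrored=yes also creates the matching inbound filter.
netsh ipsec static add filterlist name="Branch-Win-Ports"
$ports = @(
    @{ proto = "TCP"; port = 135 },   # RPC endpoint mapper
    @{ proto = "UDP"; port = 137 },   # NetBIOS name service
    @{ proto = "TCP"; port = 139 },   # NetBIOS session service
    @{ proto = "TCP"; port = 445 }    # SMB over TCP
)
foreach ($p in $ports) {
    netsh ipsec static add filter filterlist="Branch-Win-Ports" srcaddr=Me `
        "dstaddr=$Branch" "dstmask=$Mask" "protocol=$($p.proto)" `
        srcport=0 "dstport=$($p.port)" mirrored=yes
}

# 3. Catch-all filter list: everything else this host sends or receives.
netsh ipsec static add filterlist name="Everything-Else"
netsh ipsec static add filter filterlist="Everything-Else" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

# 4. Filter actions. inpass=no and soft=no: no cleartext fallback in either direction.
netsh ipsec static add filteraction name="Require-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
netsh ipsec static add filteraction name="Block-All" action=block

# 5. Rules. Windows IPsec matches the most specific filter first, so the
#    port/subnet filters win over the Any/Any block filter regardless of rule order.
netsh ipsec static add rule name="Branch-Encrypt" policy="$Policy" filterlist="Branch-Win-Ports" filteraction="Require-ESP" "psk=$Psk"
netsh ipsec static add rule name="Block-Rest" policy="$Policy" filterlist="Everything-Else" filteraction="Block-All"

# 6. Assign. The block rule also covers the administrator's own remote session,
#    so do this from the console or with a scheduled unassign as a rollback.
netsh ipsec static set policy name="$Policy" assign=y

# Verify: the policy should show as assigned, and after the first SMB connection
# to the branch a quick-mode SA for ESP should be listed.
netsh ipsec static show policy name="$Policy" level=verbose
netsh ipsec dynamic show qmsas
```

Two caveats a practitioner would check before relying on this. First, the
"block everything else" rule is only as good as the exemptions: the host still
needs IKE (UDP 500) to reach the peer, which Windows exempts by default, and
any management traffic you want to keep (RDP, monitoring) needs its own
permit or negotiate rule before the policy is assigned. Second, requiring ESP
moves the trust boundary rather than removing it: a compromised machine on the
branch subnet that can complete IKE (it knows the PSK, or holds a valid
certificate) still reaches 135/137/139/445 on this host, so the filter list
should be kept to the peers that actually need those ports.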