[64513] in North American Network Operators' Group


RE: ISPs' willingness to take action

daemon@ATHENA.MIT.EDU (Adam Hall)
Sun Oct 26 23:14:13 2003

From: Adam Hall <Adam.Hall@networktelephone.net>
To: 'Brian Bruns' <bruns@2mbit.com>, nanog@nanog.org
Date: Sun, 26 Oct 2003 22:11:58 -0600
Errors-To: owner-nanog-outgoing@merit.edu


Brian.. I would agree with you that sometimes, you can't offer "filtered
pipe" services to everyone and expect the same general acceptance of the
product across the board.  However, how much liability should a business
take on when abuse@ accounts are filling up daily because hundreds of
customers are not keeping up with Windows Update?

We put in filters on our WAN a few months back when everyone was feeling the
wrath of the various Windows exploits of the week.  Still today, we make no
exceptions to this rule.  We've even lost a few customers in the process,
I'm sure.

My issue is that in most cases (minus a few exceptions, of course) service
providers are bombarded with complaints from customers that a) don't know
how to change the default Exchange ports away from 135/139 or the security
risk in broadcasting 135/139 to the world, b) didn't think they should have
to worry about it (even as they were broadcasting from infected servers and
machines on their network), or c) have a textbook MCSE, crash-course CCNA
network administrator/consultant who didn't really have an understanding of what
was going on or how they should respond to it.  Personally, I'm beginning to
feel doubt that the technology industry will be able to maintain the level
of competence and respect that we all need and deserve to have.  I can't
imagine what the health care industry would be like if ignorance was
embraced as well as it seems to be in the technology industry.

-Adam

> Problem is, some applications, like Outlook for example (if I remember
> correctly), like to use the 135, 137, 139 and others to connect to the
> Exchange server.  You block them, and it will start to croak.  You have
> a lot of home users not using a VPN to connect to their office exchange
> servers. I used to do this myself at times.

> When you sell a service to someone, and neglect to mention you block
> certain incoming ports, especially to a possible business user or home
> user trying to access their office, you put yourself in a really bad
> position.

>> By the way, can anybody explain to me a legitimate use for port
>> 135/137 traffic across the Internet, like it's somebody's private LAN?
>> Seems to me anybody who still thinks that's legitimate is living in the
>> past.

>> So, the big question: why don't ISPs do more of this?  Are they afraid
>> of client reaction?  Doesn't wash, for me: most clients would be
>> highly grateful, and all it really takes for the remainder is fair
>> warning. Cost?
>> Again, you can judge for yourselves how low the fruit you choose to
>> pick; the biggest gains have the best ROI.

>> Happy clients, liberated bandwidth, faster servers -- what's to lose?

