[83451] in North American Network Operators' Group
Re: zotob - blocking tcp/445
daemon@ATHENA.MIT.EDU (Daniel Golding)
Mon Aug 15 22:19:02 2005
Date: Mon, 15 Aug 2005 22:15:22 -0400
From: Daniel Golding <dgolding@burtongroup.com>
To: Randy Bush <randy@psg.com>,
"Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: Saku Ytti <saku+nanog@ytti.fi>, nanog list <nanog@merit.edu>
In-Reply-To: <17152.65331.635732.146362@roam.psg.com>
Errors-To: owner-nanog@merit.edu
On 8/15/05 4:46 PM, "Randy Bush" <randy@psg.com> wrote:
>
>>>> I'm not nearly confident enough to decide on behalf of almost a
>>>> billion other people how they should benefit from the Internet
>>>> and how not to.
>>> thanks for that!
>> Indeed. Also see
>> http://www.iab.org/documents/docs/2003-10-18-edge-filters.html
>
> as i just replied to a private message from an enterprise op,
>
> o backbone isps can not set their customers' security policy
>   - some customers want to run billyware shares over the wan
>     whether we advise it or not
>   - some of us host security researchers, who have a taste
>     for 445 and other nasty traffic
>
While it's not uncommon to run SMB/Windows file system drive mounts across
private WANs, doing so across the Internet, on a non-encrypted tunnel, is
the equivalent of running with scissors.

I am unaware of any enterprise security folks foolish enough to allow that.
Of course, I may be sheltered.

(as an aside - running Windows file system mounts across enterprise WANs is
so common that there are WAN optimization devices that improve remote disk
mount performance via protocol spoofing)

- Dan

> o enterprise / site ops can set their users' security policies
>   as that's part of their job and charter
>
> randy
>