[84529] in North American Network Operators' Group


Re: commonly blocked ISP ports

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Sep 14 16:13:00 2005

To: Luke Parrish <lukep@centurytel.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Wed, 14 Sep 2005 14:42:56 CDT."
             <6.2.0.14.0.20050914144121.033f02f8@mail.so.centurytel.net> 
From: Valdis.Kletnieks@vt.edu
Date: Wed, 14 Sep 2005 16:12:17 -0400
Errors-To: owner-nanog@merit.edu



On Wed, 14 Sep 2005 14:42:56 CDT, Luke Parrish said:
> We have a list, some reactive and some proactive, however we need to remove 
> ports that are no longer a threat and add new ones as they are published.

All ports that are open are threats, at least potentially.  What you *should*
be doing is:

a) When you block a new port due to a current exploit, log the fact.
b) Work with customers/users to make sure they're patched, and that new machines
are patched before they go live.
c) When probing for the port stops (which it never does), or some sufficient
number of downstream boxes are patched and safe, remove the block.

Either that, or block the world, and open ports on request.

Remember - *you* are the only one on this list who really knows if a given
port is a threat anymore....

(And that's totally skipping all the noise about corporate firewalls versus ISP
firewalls and different expectations regarding security/transparency...)

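The block lifecycle described above (log each block with the reason it was added, track how much of the downstream population is patched, lift the block once enough hosts are safe) and the "block the world, open on request" alternative, written out as an added Python example. This is not code from the original message or from NANOG; the 95% lift threshold, the nftables rendering, the class and function names, and every sample port, date and reason are assumptions or constructed data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed policy knob (not from the post): lift a block once this fraction of
# the downstream hosts known to expose the service is confirmed patched.
LIFT_RATIO = 0.95

Key = Tuple[str, int]


@dataclass
class PortBlock:
    proto: str                 # "tcp" or "udp"
    port: int
    reason: str                # the exploit that justified the block (step a)
    added: date
    hosts_total: int = 0       # downstream hosts known to expose the port (step b)
    hosts_patched: int = 0
    lifted: Optional[date] = None

    @property
    def patched_ratio(self) -> float:
        return self.hosts_patched / self.hosts_total if self.hosts_total else 0.0


class BlockRegistry:
    """Port blocks with the reason they were added, reviewed against patch
    status so each one is either still justified or gets lifted (steps a-c)."""

    def __init__(self) -> None:
        self.blocks: Dict[Key, PortBlock] = {}
        self.audit: List[str] = []   # step (a): every change is logged

    def add(self, proto: str, port: int, reason: str, today: date) -> PortBlock:
        key = (proto, port)
        cur = self.blocks.get(key)
        if cur is not None and cur.lifted is None:
            raise ValueError(f"{proto}/{port} already blocked: {cur.reason}")
        blk = PortBlock(proto, port, reason, today)
        self.blocks[key] = blk
        self.audit.append(f"{today} BLOCK {proto}/{port}: {reason}")
        return blk

    def record_patch_status(self, proto: str, port: int,
                            patched: int, total: int, today: date) -> None:
        """Step (b): update how much of the downstream population is patched."""
        blk = self.blocks[(proto, port)]
        if not 0 <= patched <= total:
            raise ValueError("patched count must be between 0 and total")
        blk.hosts_patched, blk.hosts_total = patched, total
        self.audit.append(f"{today} STATUS {proto}/{port}: {patched}/{total} patched")

    def review(self, today: date) -> List[PortBlock]:
        """Step (c): lift every active block whose population is patched enough.
        A block with no status data is never lifted: unknown counts as unpatched."""
        lifted = []
        for blk in self.blocks.values():
            if blk.lifted is None and blk.hosts_total and blk.patched_ratio >= LIFT_RATIO:
                blk.lifted = today
                self.audit.append(f"{today} UNBLOCK {blk.proto}/{blk.port}: "
                                  f"{blk.hosts_patched}/{blk.hosts_total} patched")
                lifted.append(blk)
        return lifted

    def active(self) -> List[PortBlock]:
        return sorted((b for b in self.blocks.values() if b.lifted is None),
                      key=lambda b: (b.proto, b.port))

    def nft_rules(self) -> str:
        """Render active blocks as an nftables forward chain (syntax assumed):
        default accept, explicit drops carrying the recorded reason as comment."""
        lines = ["table inet isp_edge {", "  chain forward {",
                 "    type filter hook forward priority 0; policy accept;"]
        for b in self.active():
            lines.append(f'    {b.proto} dport {b.port} drop comment "{b.reason}"')
        lines += ["  }", "}"]
        return "\n".join(lines)


def default_deny_rules(opened: Iterable[Key]) -> str:
    """The alternative posture from the post: block the world, open on request.
    Each opened (proto, port) becomes an accept rule; the chain policy drops the rest."""
    lines = ["table inet isp_edge {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for proto, port in sorted(opened):
        lines.append(f"    {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def demo() -> BlockRegistry:
    """Constructed sample lifecycle; ports, dates and reasons are illustrative."""
    reg = BlockRegistry()
    reg.add("tcp", 12345, "worm exploiting service X (example)", date(2005, 8, 1))
    reg.add("udp", 23456, "amplification abuse of service Y (example)", date(2005, 8, 20))
    reg.record_patch_status("tcp", 12345, 480, 500, date(2005, 9, 14))   # 96%: lift
    reg.record_patch_status("udp", 23456, 30, 100, date(2005, 9, 14))    # 30%: keep
    reg.review(date(2005, 9, 14))
    return reg


if __name__ == "__main__":
    registry = demo()
    print("\n".join(registry.audit))
    print(registry.nft_rules())
    print(default_deny_rules([("tcp", 80), ("tcp", 443)]))
```

The point of the registry is that a block can never exist without a recorded reason and a later review: the audit trail is what lets the operator answer "is this port still a threat" instead of carrying a list whose origins nobody remembers.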
