[84533] in North American Network Operators' Group
Re: commonly blocked ISP ports
daemon@ATHENA.MIT.EDU (brett watson)
Wed Sep 14 17:22:39 2005
In-Reply-To: <200509141604.51031.lesmith@ecsis.net>
From: brett watson <brett@the-watsons.org>
Date: Wed, 14 Sep 2005 14:22:11 -0700
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
>
> On Wednesday 14 September 2005 15:41, Luke Parrish wrote:
>
>> Not quite looking for tips to manage my network and ACLs, or if I
>> should or should not be blocking; more looking for actual ports that
>> other ISPs are blocking, and why.
seems to me this is the wrong question... a default security
"posture" (network or system, isp or enterprise or any type of
entity) should be: "if it's not explicitly allowed, it's denied."
don't look for specific ports to block. lock down everything, both
*egress* (arguably as important as ingress, and typically completely
ignored) and ingress, and start opening only specific ports that are
absolutely necessary. yes, it's a lot more work to do this but it's
a lot safer.
many worm/trojan infections happen because egress is completely open,
and "permit tcp any any established" is the first line in the ingress
acl.
-b
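To make the contrast concrete, here is an added example (not part of the NANOG thread, and not any vendor's code) of a tiny first-match ACL evaluator in the spirit of IOS extended ACLs. It compares an ingress list that starts with "permit tcp any any established" against a default-deny list that opens one explicitly needed port; the packets, ports and rule names are constructed for the demonstration.

```python
# Added example: first-match ACL evaluator contrasting an "established-first"
# ingress ACL with a default-deny ACL. Constructed for illustration only.
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    dst_port: int
    ack: bool = False     # TCP ACK bit set; this is all "established" checks


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    dst_port: Optional[int] = None   # None means any destination port
    established: bool = False        # match only TCP segments with ACK set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Ingress ACL as criticised in the post: the "established" permit comes first,
# so any TCP segment carrying the ACK bit is admitted to any inside port.
ESTABLISHED_FIRST = [Rule("permit", "tcp", established=True),
                     Rule("permit", "tcp", dst_port=25), Rule("deny")]

# Default-deny ingress ACL: only the mail port is explicitly opened.
DEFAULT_DENY = [Rule("permit", "tcp", dst_port=25), Rule("deny")]

if __name__ == "__main__":
    # Constructed sample: an ACK-flagged segment aimed at an internal-only port.
    stray_ack = Packet("tcp", 445, ack=True)
    print("established-first:", evaluate(ESTABLISHED_FIRST, stray_ack))  # permit
    print("default-deny:     ", evaluate(DEFAULT_DENY, stray_ack))       # deny
```

Note that a stateless default-deny list also drops return traffic for outbound sessions, which is why the post's advice means deciding each opening, both directions, deliberately rather than leaning on a blanket "established" permit.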