[97414] in North American Network Operators' Group


Re: FBI tells the public to call their ISP for help

daemon@ATHENA.MIT.EDU (Sean Donelan)
Thu Jun 14 10:33:43 2007

Date: Thu, 14 Jun 2007 10:32:16 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: Jack Bates <jbates@brightok.net>
Cc: nanog@nanog.org
In-Reply-To: <46714F7A.3040001@brightok.net>
Errors-To: owner-nanog@merit.edu


On Thu, 14 Jun 2007, Jack Bates wrote:
> May I recommend developing an in house method for allowing the customer only 
> access to your servers (web, dns, proxy, etc), and then apply filters for 
> everything else except for tcp/80. If you wanted to be additionally paranoid, 
> you could even allow only established tcp/80 connections back to the 
> customer.
>
> Once updated, customer could establish contact to have filters removed, or an 
> automated web process could be created.
>
> It's a ton of work, and there are any number of ways to do it. A lot depends 
> on your network. It can be done, though.

I went down that road several times, and there are many issues with what 
you have described which won't work for how Microsoft distributes its 
updates and patches; and with the user.  Microsoft has enabled Windows 
with enough features that users can infect their machine with only TCP/80.
Please review the archives for details from several years ago, and at
some point you will end up needing to violate the written Microsoft 
licenses.

It's not a technical problem (although engineers seem to like to think 
everything is), it's a legal issue with Microsoft's lawyer and licenses.
