[97416] in North American Network Operators' Group


Re: FBI tells the public to call their ISP for help

daemon@ATHENA.MIT.EDU (Jack Bates)
Thu Jun 14 10:44:34 2007

Date: Thu, 14 Jun 2007 09:23:54 -0500
From: Jack Bates <jbates@brightok.net>
To: Sean Donelan <sean@donelan.com>
Cc: John Levine <johnl@iecc.com>, nanog@nanog.org
In-Reply-To: <Pine.GSO.4.64.0706140958160.2577@clifden.donelan.com>
Errors-To: owner-nanog@merit.edu


Sean Donelan wrote:
<snip>
> Since many Microsoft patches are only legally available via the 
> Internet, and an ISP can not predict which servers Microsoft will use to 
> distribute Microsoft patches, ISPs must enable essentially full Internet 
> access which includes access for most worms.
> 
<snip>

May I recommend developing an in-house method for allowing the customer only 
access to your servers (web, dns, proxy, etc), and then apply filters for 
everything else except for tcp/80. If you wanted to be additionally paranoid, 
you could even allow only established tcp/80 connections back to the customer.

Once updated, customer could establish contact to have filters removed, or an 
automated web process could be created.

It's a ton of work, and there are any number of ways to do it. A lot depends on 
your network. It can be done, though.


Jack
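
One way to express the filtering described in the message above, as an added example that is not part of the original post: a shell function that prints an nftables ruleset for a single quarantined customer address. The addresses (documentation ranges), the table and set names, and the use of nftables on a Linux forwarding box are assumptions; the second argument selects the established-only variant for tcp/80 traffic returning to the customer.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that quarantines one customer.
# All addresses are constructed placeholders from documentation ranges.

# quarantine_ruleset CUSTOMER_IP ESTABLISHED_ONLY(yes|no) SERVER_IP...
quarantine_ruleset() {
    cust=$1; strict=$2; shift 2
    # Join the ISP's own servers (web, dns, proxy) into a set literal.
    servers=$(printf '%s, ' "$@"); servers=${servers%, }
    cat <<EOF
table ip quarantine {
    set isp_servers {
        type ipv4_addr
        elements = { $servers }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Full access between the customer and the ISP's own servers.
        ip saddr $cust ip daddr @isp_servers accept
        ip daddr $cust ip saddr @isp_servers accept
        # Everything else is filtered except tcp/80 (patch downloads).
        ip saddr $cust tcp dport 80 accept
EOF
    if [ "$strict" = yes ]; then
        # Paranoid variant: only replies to connections the customer opened.
        echo "        ip daddr $cust tcp sport 80 ct state established accept"
    else
        # Port match only: admits any packet that carries source port 80.
        echo "        ip daddr $cust tcp sport 80 accept"
    fi
    cat <<EOF
        # Default for the quarantined address: drop in both directions.
        ip saddr $cust drop
        ip daddr $cust drop
    }
}
EOF
}

# Print the strict ruleset for a constructed customer and two ISP servers.
quarantine_ruleset 203.0.113.25 yes 192.0.2.10 192.0.2.53
```

The output can be reviewed and then loaded with `nft -f -`; removing the quarantine after the customer has updated is a matter of deleting the table.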
