nanog mailing list archives
RE: Port blocking last resort in fight against virus
From: "Bob German" <bobgerman () irides com>
Date: Tue, 12 Aug 2003 12:08:38 -0400



IMHO it's a prudent security measure to disallow access to the Windows
ports 135,137-139,445, etc. from the Internet at large.  We block these
ports at the edge, with exceptions for the very few customers who ask
for it (generally customers using Exchange who don't know how to
properly deploy it across the Internet).

So we block, but we make exceptions.  Not that restrictive, and not that
hard.

-Bob


-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
Mans Nilsson
Sent: Tuesday, August 12, 2003 11:51 AM
To: nanog () merit edu
Cc: Jack Bates
Subject: Re: Port blocking last resort in fight against virus


Subject: Re: Port blocking last resort in fight against virus Date: Tue, Aug 12, 2003 at 10:36:12AM -0500 Quoting Jack Bates (jbates () brightok net):

Is it just me that feels that blocking a port which is known to be used
to perform billions of scans is only proper? It takes time to contact,
clean, or suspend an account that is infected. Allowing infected systems
to continue to scan only causes problems for other networks. I see no
network performance issues, but that doesn't mean other networks won't
have issues.

I have two faces, let's hear what they say:

"I am a network operator. I do not see issues with my network unless
somebody fills it up beyond capacity. Then I might ask somebody a
question as to why they are shoveling so many more packets than usual.
If it is a panic, I might null0 someone. I just want to keep my network
transparent."

"I am a systems administrator. Sometimes, there are security problems
with my operating systems of choice. Then, I fix those hosts that are
affected, and all is well. The network is not bothering me as long as
it is transparent."

Your chosen path is a down-turning spiral of kludgey dependencies, where
a host is secure only on some nets, and some nets can't cope with the
load of all administrative filters (some routers tend to take
port-specific filters into slow-path). That way lies madness. 

-- 
Måns Nilsson         Systems Specialist
+46 70 681 7204         KTHNOC
                        MN1334-RIPE

Oh my GOD -- the SUN just fell into YANKEE STADIUM!!
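A worked model of the block-with-exceptions policy Bob describes, added here as an example; it is not the thread's configuration and not any operator's production filter. It drops traffic arriving from the Internet at large toward TCP/UDP ports 135, 137-139 and 445 on customer address space, exempting the prefixes of customers who asked for them, and reports how many port-specific entries an equivalent flat ACL would carry, which is the cost Mans raises for routers that push such filters to the slow path. The customer prefix, the exception prefix, the sample flows, and the choice to block both TCP and UDP for every listed port are assumptions made for this example.

```python
"""Model of an edge filter for the Windows networking ports discussed in
the thread (added example, not the thread's own configuration). All
prefixes and flows below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports named in the thread. Blocking both TCP and UDP for every one of
# them is an assumption made here; the thread lists only port numbers.
WINDOWS_PORTS = (135, 137, 138, 139, 445)
BLOCKED = {(proto, port) for proto in ("tcp", "udp") for port in WINDOWS_PORTS}


@dataclass(frozen=True)
class Flow:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


class EdgeFilter:
    """Inbound-only policy: block the listed ports toward customer space
    unless the destination lies in a prefix the customer asked to exempt."""

    def __init__(self, customer_space, exceptions):
        self.customer_space = [ip_network(n) for n in customer_space]
        self.exceptions = [ip_network(n) for n in exceptions]

    @staticmethod
    def _within(addr, nets):
        a = ip_address(addr)
        return any(a in n for n in nets)

    def decide(self, flow):
        # Traffic leaving customer space is not covered by this inbound filter.
        if not self._within(flow.dst, self.customer_space):
            return "permit"
        # Customer-to-customer traffic is not "from the Internet at large".
        if self._within(flow.src, self.customer_space):
            return "permit"
        if (flow.proto, flow.dport) not in BLOCKED:
            return "permit"
        # An exception prefix only lifts the port block; nothing else changes.
        if self._within(flow.dst, self.exceptions):
            return "permit"
        return "deny"

    def port_specific_entries(self):
        """Number of port-matching rules an equivalent flat ACL needs: one
        block entry per (protocol, port) plus one permit entry per exception
        prefix and (protocol, port). This count grows with every exception,
        which is what hurts on routers that take port-specific filters into
        the slow path."""
        return len(BLOCKED) * (1 + len(self.exceptions))


# Constructed sample: one /24 of customer space and one /28 inside it that
# opted in (say, a customer running Exchange who wants these ports reachable).
FILTER = EdgeFilter(customer_space=["203.0.113.0/24"],
                    exceptions=["203.0.113.16/28"])

SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.5", "tcp", 445),   # Internet -> customer SMB: deny
    Flow("198.51.100.7", "203.0.113.20", "tcp", 445),  # Internet -> opted-in prefix: permit
    Flow("198.51.100.7", "203.0.113.5", "tcp", 80),    # Internet -> customer web: permit
    Flow("198.51.100.7", "203.0.113.5", "udp", 137),   # Internet -> NetBIOS name: deny
    Flow("203.0.113.9", "203.0.113.5", "tcp", 139),    # customer -> customer: permit
    Flow("203.0.113.5", "198.51.100.7", "tcp", 445),   # customer -> Internet: outbound, not covered
]


def apply_policy(edge=FILTER, flows=SAMPLE_FLOWS):
    """Return [(flow, decision), ...] for the given flows."""
    return [(f, edge.decide(f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict in apply_policy():
        print(f"{verdict:6} {flow.proto}/{flow.dport:<4} {flow.src} -> {flow.dst}")
    print("port-specific ACL entries:", FILTER.port_specific_entries())
```

The last sample flow shows the limit of what Bob describes: an inbound block at the edge says nothing about infected customer hosts scanning outward, which is the problem Jack raises; that would be a separate outbound policy with its own rule count.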
