Home page logo
/

nanog logo nanog mailing list archives

RE: Blocking port 135?
From: "Bob German" <bobgerman () irides com>
Date: Sat, 2 Aug 2003 10:18:27 -0400



None of the exceptions mentioned means you can't filter.  We practice a
policy of informed filtering.  We filter by default, and if the customer
requests unfiltered and understands the risks involved, we add an
exception for their connection.  By default, we filter all of the usual
Windows ports, plus a few other known-sketchy ports and port
combinations.  





-----Original Message-----
From: Jason Slagle [mailto:raistlin () tacorp net] 
Sent: Saturday, August 02, 2003 10:12 AM
To: Bruce Pinsky
Cc: Bob German; nanog () merit edu
Subject: Re: Blocking port 135?


On Fri, 1 Aug 2003, Bruce Pinsky wrote:

And filtering 445 in the outbound direction to prevent attacks from 
the inside out is probably prudent as well.

Unfortunatly I've ran into at least 1 rather big example of a company
using 445 for SSL since they wanted to put more then 1 cert on a
machine.

In this case it was a check clearing house, and a bank couldn't reach
them because their ISP was filtering their T1.

Jason


-- 
Jason Slagle - CCNP - CCDP
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
.
\ /   ASCII Ribbon Campaign  .
 X  - NO HTML/RTF in e-mail  .
/ \ - NO Word docs in e-mail .




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]