nanog mailing list archives
Re: commonly blocked ISP ports
From: brett watson <brett () the-watsons org>
Date: Wed, 14 Sep 2005 14:22:11 -0700
On Wednesday 14 September 2005 15:41, Luke Parrish wrote:
> Not quite looking for tips to manage my network and ACLs or if should or should not be blocking, more looking for actual ports that other ISPs are blocking and why.
seems to me this is the wrong question... a default security "posture" (network or system, isp or enterprise or any type of entity) should be: "if it's not explicitly allowed, it's denied."
don't look for specific ports to block. lock down everything, both *egress* (arguably as important as ingress, and typically completely ignored) and ingress, and start opening only specific ports that are absolutely necessary. yes, it's a lot more work to do this but it's a lot safer.
many worm/trojan infections happen because egress is completely open, and "permit tcp any any established" is the first line in the ingress acl.
-b
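To make the posture concrete, here is a constructed Cisco IOS ACL pair, added here and not part of the original thread, that puts the weak ingress line Brett mentions next to a default-deny configuration in both directions. The addresses (RFC 5737 documentation ranges), the interface name and the set of "necessary" services are assumptions chosen for illustration.

```text
! Constructed example, not from the original post or any real ISP.
! 192.0.2.0/24 stands for the customer segment, 198.51.100.53 and
! 198.51.100.25 for the ISP's own resolver and mail relay (assumptions).

! --- Weak posture the post warns against ---
! "established" as the first line lets return traffic for any outbound
! connection in, and no ACL is applied outbound, so egress is wide open.
ip access-list extended WEAK-INGRESS
 permit tcp any any established
 permit tcp any 192.0.2.0 0.0.0.255 eq www
 deny   ip any any

! --- Default-deny posture: both directions, explicit permits only ---
! Egress: customer hosts reach only the named services. Anything else
! (direct SMTP to arbitrary hosts, NetBIOS, worm scanning) hits the
! final deny and is logged, so infected hosts show up in syslog.
ip access-list extended CUSTOMER-EGRESS
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq domain
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq domain
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.25 eq smtp
 permit tcp 192.0.2.0 0.0.0.255 any eq www
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 deny   ip any any log

! Ingress: "established" is scoped to replies for the sessions the
! egress ACL allows instead of "any any"; unsolicited inbound is denied.
ip access-list extended CUSTOMER-INGRESS
 permit tcp any eq www 192.0.2.0 0.0.0.255 established
 permit tcp any eq 443 192.0.2.0 0.0.0.255 established
 permit udp host 198.51.100.53 eq domain 192.0.2.0 0.0.0.255
 permit tcp host 198.51.100.53 eq domain 192.0.2.0 0.0.0.255 established
 permit tcp host 198.51.100.25 eq smtp 192.0.2.0 0.0.0.255 established
 deny   ip any any log

! Applied on the upstream link, so "in" is ingress from the Internet and
! "out" is egress toward it, matching the post's vocabulary.
interface GigabitEthernet0/0
 description upstream link (assumed name)
 ip access-group CUSTOMER-INGRESS in
 ip access-group CUSTOMER-EGRESS out
```

Each new service a customer genuinely needs is one added permit pair (egress plus its scoped reply line), which is the extra work the post acknowledges; the deny-with-log at the end is what turns a blocked worm into a detectable event rather than a silent one.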