North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Operational impact of filtering SMB/NETBIOS traffic?

  • From: William S. Duncanson
  • Date: Tue Nov 14 20:35:20 2000


Being on the customer side of things, I filter 137-139 at my borders. If people need to get in from outside, that's what VPN's are for. I can think of no person who should legitimately be sending SMB traffic over the capital I Internet.

On the subject of backbone providers, backbone providers IMHO should never filter transit, period, end of discussion. They can filter on customer borders if the customer requests it, and they can (and should) filter their dialup modem pools (hello, UUNet, PSI, etc.) The only conceivable case in which a backbone should filter transit is if the traffic in question is clearly an attack, and filtering is requested by a customer or peer, or if the amount of attack traffic is noticeably affecting performance.

We need to stop foisting security onto the backbones, and start being responsible for it ourselves. If someone is foolish enough to allow SMB traffic over the Internet, then they deserve what's coming to them.

As it has for eternity, it all boils down to educating the customer. Maybe it's time to start doing it with a clue-by-four.

At 22:06 11/14/2000 +0000, Paul Thornton wrote:

On Tue, 14 Nov 2000, Scott Call wrote:

> Because this traffic is IP traffic, I wanted to ask others on this list
> how they treat SMB traffic on their backbones?

One of the things I considered doing was filtering 137-139 in our data
centres to reduce risk to customers' poorly (usually through knowing no
better, so no offence intended here) configured NT boxes.  It does seem,
however, that people do want truly unrestricted NetBIOS over IP connectivity
into their boxes "So we can browse the server from the office" being a
familiar cry.  As a result of this, we didn't go ahead with the intended
filtering.

Experience has taught me that people (a) do this, and do it a lot
(certainly in Europe, YMMV elsewhere); and (b) a good number of them are
happy to have a server with little external filtering/firewalling/protection
doing it.  I find this particularly scary...

--
Paul

Not speaking for my employer, in case you know who they are...
--
William S. Duncanson                        [email protected]
The driving force behind the NC is the belief that the companies who
brought us things like Unix, relational databases, and Windows can make an
appliance that is inexpensive and easy to use if they choose to do that.
-- Scott Adams