North American Network Operators Group

Re: Operational impact of filtering SMB/NETBIOS traffic?

  • From: Travis Pugh
  • Date: Sun Nov 19 10:24:08 2000

On Sun, 19 Nov 2000, Shawn McMahon wrote:

> There are other issues with Microsoft's networking protocols than just
> unintentional shares.  It leaks potentially lethal information like a sieve.
> Letting it willy-nilly through your firewalls is an invitation to have
> compromised hosts on your network.
> It should be filtered by default, and only un-filtered by request; and that
> with the understanding that if it even looks like you might be owned, you get
> cut off until there's an explanation.

This is a sound policy for the administrator of a firewall.  I don't
think it is a policy at all for the administrators of service-provider
networks, since what the SP is providing is access.  I'm not terribly
excited about the idea of edge filtering on the ISP network.  I don't
think it is my job to tell customers what they can and cannot run, in
terms of IP traffic, until it violates an AUP.

If we need better tools to tell us when a customer is the source of a DoS
attack or some other violation of AUP ... some sort of alarm to let the SP
know if a customer has been compromised ... I'd be much happier
implementing that rather than denying traffic because it is a potential
method of attack.

Carried to the extreme (which someone will always do) blocking NBT traffic
doesn't make nearly as much sense as blocking ICMP by default.  It would
be much harder to source a DoS attack from one of my customers if they
couldn't pass ICMP traffic.  However, I think the customers would quickly
decide that securing them wasn't my job and go in search of a less
draconian ISP.