North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ISPs as content-police or method-police

  • From: John Kristoff
  • Date: Mon Nov 20 14:53:03 2000

Ben Browning wrote:
> The point is this: 137-139 are used for NetBIOS and Samba, neither of which
> are secure (or even supported by their vendors, AFAIK) for use out on the
> Internet. I think we can all agree that anyone using them in that
> situation, shouldn't be.

The problem is that 137-139 are just numbers.  The fact that a typically
insecure application runs over port 137/139 as opposed to say, 25609,
makes no difference.  If the logic follows, then block port 21, 111 and
maybe even port 80.  I'm sure we can find over zealous security experts
making claims that those services are inherently insecure as well. 
Someone will come up with a way of doing file sharing over another port
number, over another protocol, over a conforming application (e.g. HTTP)
and probably using encryption so you can't tell what it is.  I think the
end-to-end principle should guide us when people approach these problems
with generalized network solutions ...with extreme trepidation.

I have no problem with organizations that control their own AS and want
to block certain, vulnerable ports.  I can even see ISPs being somewhat
service oriented towards their customer who may be completely security
unaware, but to foster this type of activity as a real solution I think
is a mistake.  It doesn't really make the Internet any more secure.  It
simply moves the security problem around.  If people continue to follow
this approach, then soon we end up doing content inspection looking for
tunneled protocols, encrypted and who knows what kinds of trickery all
over TCP port 80.  Yuck.  That'll be "The Day the Internet Died".  The
closer we can get security to the end hosts the better.