North American Network Operators Group

Re: Blocking port 135?

  • From: Christopher L. Morrow
  • Date: Sat Aug 02 15:23:24 2003

On Sat, 2 Aug 2003, Sean Donelan wrote:

>
> On Sat, 2 Aug 2003, Jack Bates wrote:
> > Many AUP/TOS agreements have interesting no-server clauses. Blocking
> > 135 inbound to those systems would not breach "Internet access" as the
> > customer shouldn't have a server running on that port. The lack of <1024
> > filtering on such AUP/TOS services is courtesy really. If it's not a
> > problem to the network, the ISP generally doesn't care.
>
> The Slammer worm was > 1024.
>
> As someone else pointed out, if you want the ISP to provide you with a
> completely "safe" network you will end up with something like Minitel.

On a per-customer basis most ISPs will provide managed security services,
Firewall/Authentication-services... Certainly, if the customer is
interested in this service it's very doable and manageable.

I'm not sure that the overwhelming number of customers are interested in
it though. Security is still an 'only after I get screwed' thought for
most customers. Slammer brought a lot of attention onto security from a
customer perspective (which is a good thing) and perhaps this new
possible worm will do the same :) The more people have to think about it
the more they will realize, as another poster posted, 'security is a
lifestyle'.

> ISPs do not control what Microsoft puts in its operating systems, bugs,
> features or other things.  ISPs also did not control the introduction
> of NCSA Mosaic, Real Streaming, IRC Chat or most of the other things.
>

The gov'ts need to realize this fact, there are times that an ISP might be
able to step in and help, those times HAVE TO BE minimalized and for very
short durations. No ISP's network is designed to drop traffic, all of them
are designed to forward on to the end destination as quickly and
faithfully as possible. Depending or requiring ISPs to massively block
traffic in order to 'save the internet' due to software vendor issues is
not scalable nor operationally feasible. Amazingly enough there are people
that WANT to share files over the internet using standard Microsoft
tools....