|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: Port blocking last resort in fight against virus
IMHO it's a prudent security measure to disallow access to the Windows ports 135,137-139,445, etc. from the Internet at large. We block these ports at the edge, with exceptions for the very few customers who ask for it (generally customers using Exchange who don't know how to properly deploy it across the Internet). So we block, but we make exceptions. Not that restrictive, and not that hard. -Bob -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Mans Nilsson Sent: Tuesday, August 12, 2003 11:51 AM To: [email protected] Cc: Jack Bates Subject: Re: Port blocking last resort in fight against virus Subject: Re: Port blocking last resort in fight against virus Date: Tue, Aug 12, 2003 at 10:36:12AM -0500 Quoting Jack Bates ([email protected]): > > Is it just me that feels that blocking a port which is known to be > used > to perform billions of scans is only proper? It takes time to contact, > clean, or suspend an account that is infected. Allowing infected systems > to continue to scan only causes problems for other networks. I see no > network performance issues, but that doesn't mean other networks won't > have issues. I have two faces, let's hear what they say: "I am a network operator. I do not see issues with my network unless somebody fills it up beyond capacity. Then I might ask somebody a question as to why they are shoveling so many more packets than usual. If it is a panic, I might null0 someone. I just want to keep my network transparent." "I am a systems administrator. Sometimes, there are security problems with my operating systems of choice. Then, I fix those hosts that are affected, and all is well. The network is not bothering me as long as it is transparent." Your chosen path is a down-turning spiral of kludgey dependencies, where a host is secure only on some nets, and some nets can't cope with the load of all administrative filters (some routers tend to take port-specific filters into slow-path). That way lies madness. -- M�ns Nilsson Systems Specialist +46 70 681 7204 KTHNOC MN1334-RIPE Oh my GOD -- the SUN just fell into YANKEE STADIUM!!
|