North American Network Operators Group

Re: Customer-facing ACLs

  • From: Dave Pooser
  • Date: Fri Mar 07 22:40:46 2008

> Just straight up blocking outbound ports (with the debatable exception of
> port 25) seems heavy handed and too slanted toward admin convenience over
> customer satisfaction. It's a slippery slope because unlike with spam,
> people who are affected by brute force attacks have some degree of
> complicity through either negligence or laziness.

Sure, and I could* make the argument that since I have great spam filtering
inbound I don't have to care about outbound spam from my network because if
you receive it it's because of your negligence/laziness. But I think that in
the case of spam as in the case of brute force attacks it's still the
network operator's obligation to be a good netizen providing doing so places
no undue burden on his own customers or his own staff.

Blocking port 25 outbound for dynamic users until they specifically request
it be unblocked seems to me to meet the "no undue burden" test; so would
port 22 and 23. Beyond that, I'd probably be hesitant until I either started
getting a significant number of abuse reports about a certain flavor of
traffic that I had reason to believe was used by only a tiny minority of my
own users.

*but won't, ever
-- 
Dave Pooser, ACSA
Manager of Information Services
Alford Media http://www.alfordmedia.com