ISPs' willingness to take action

Bob German bobgerman at irides.com
Mon Oct 27 09:54:30 UTC 2003



It's true.  I don't know if it's prevalent, but you'd be amazed at how
many small shops are putting Exchange on the public internet using the
spooky Windows ports to attach to it.

IMHO the best solution to most of these problems is education.

We implemented an IDS system.  The ROI comes from the inbound attacks
being detected/prevented/shunned.  But it's also listening to the
outbound stuff, so when we see that a customer has the flavor of the
week, we cut him off, give him a call and some friendly advice, and
everyone's happy.  When we see IRC joins and port scans from a customer
server, we give him a call, advise him that he's been rooted, and offer
to assist in his recovery (can you say business opportunity, folks?).

Blocking ports is fine as long as you let people know what you're
blocking and why, offer alternative solutions and offer to unblock if
it's an absolute requirement.  Often, once properly educated about the
risks, a less experienced admin will be excited about the opportunity
to do it the more secure way, and will begin preparations, so I've found
the "unblock" is usually temporary.

I believe the answer is for all providers to do this -- monitor outbound
traffic with IDS, consider it a business opportunity to offer managed
services to your customers.  Resell virus software, firewall units, and
most importantly, education.  Your customers will appreciate it, believe
me.

-Bob

>-----Original Message-----
>From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Stewart, William C (Bill), RTSLS
>Sent: Monday, October 27, 2003 1:27 AM
>To: nanog at merit.edu
>Subject: Re: ISPs' willingness to take action
>
>Brian Bruns asserts that there are lots of home users connecting to
>their office Exchange servers without VPNs, and that therefore blocking
>the Microsoft ports was bad. While I agree with his point that you
>shouldn't do it without documenting what you are or are not blocking,
>I'm really surprised to hear the assertion that people are leaving
>unfirewalled Exchange servers out on the net.
>Is this actually common?  /shudders...



