What do you want your ISP to block today?

Vinny Abello vinny at tellurian.com
Wed Sep 3 19:05:14 UTC 2003


At 02:51 PM 9/3/2003, Sean Donelan wrote:

>On Wed, 3 Sep 2003, Johannes Ullrich wrote:
> > I just summarized my thoughts on this topic here:
> > http://www.sans.org/rr/special/isp_blocking.php
> >
> > Overall: I think there are some ports (135, 137, 139, 445),
> > a consumer ISP should block as close to the customer as
> > they can.
>
>If ISPs had blocked port 119, Sobig could not have been distributed
>via USENET.
>
>
>Perhaps unbelievably to people on this mailing list, many people
>legitimately use 135, 137, 139 and 445 over the open Internet
>every day. Which protocols do you think are used more on today's
>Internet?  SSH or NETBIOS?
>
>Some businesses have created an entire industry of outsourcing Exchange
>service which needs all their customers to be able to use those ports.
>
>http://www.mailstreet.net/MS/urgent.asp
>
>http://dmoz.org/Computers/Software/Groupware/Microsoft_Exchange/
>
>If done properly, those ports are no more or less "dangerous" than
>any other 16-bit port number used for TCP or UDP protocol headers.
>
>
>But we need to be careful not to make the mistake that just because
>we don't use those ports that the protocols aren't useful to other
>people.

Even on Windows they can be used in a much safer fashion (although I would 
never attempt it for any of my stuff). It is possible to use IPSec policies 
on 2000 and higher to encrypt all traffic on specified ports to specified 
hosts/networks and block all other traffic. I bet some people are using 
this to join remote locations securely to each other for Windows networking 
with these ports and IPSec policies.

Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and 
those that don't.
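The "encrypt these ports to these hosts, block them from everyone else" setup described in Vinny's reply, written out as an added example (this is not code from the post or from Tellurian). Windows 2000 did this with ipseccmd / netsh ipsec; the version below uses the NetSecurity PowerShell cmdlets of Windows 8 / Server 2012 and later. The remote prefix 203.0.113.0/24, the rule names and the pre-shared key are placeholders, and port 137 is carried as UDP (NetBIOS name service) rather than TCP.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
# Placeholders: remote site prefix, rule names, pre-shared key.

$RemoteSite = '203.0.113.0/24'                  # assumed remote office prefix (documentation range)
$Psk        = 'replace-with-a-long-random-secret' # placeholder; prefer certificate or Kerberos auth
$TcpPorts   = @('135', '139', '445')            # RPC endpoint mapper, NetBIOS session, SMB
$UdpPorts   = @('137', '138')                   # NetBIOS name / datagram service (UDP, not TCP)

# Phase 1 (main mode): AES-256 / SHA-256 / DH group 14, machine authentication with the PSK.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet      = New-NetIPsecMainModeCryptoSet -Name 'WinNet-MM' -DisplayName 'WinNet main mode' -Proposal $mmProposal
$authProp   = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet    = New-NetIPsecPhase1AuthSet -Name 'WinNet-Auth' -DisplayName 'WinNet phase 1 auth' -Proposal $authProp
New-NetIPsecMainModeRule -DisplayName 'WinNet main mode to remote site' `
    -RemoteAddress $RemoteSite -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $authSet.Name | Out-Null

# Phase 2 (quick mode): ESP with AES-256 encryption and SHA-256 integrity.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -Name 'WinNet-QM' -DisplayName 'WinNet quick mode' -Proposal $qmProposal

# Default-deny inbound on every profile and turn off the broad built-in sharing rules, so the only
# path to these ports is the IPsec-gated allow rule below. (Windows evaluates block rules before
# allow rules, so an explicit "block from Any" would also block the remote site.)
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue

foreach ($spec in @(@{ Proto = 'TCP'; Ports = $TcpPorts }, @{ Proto = 'UDP'; Ports = $UdpPorts })) {
    # Connection security rule: both directions must be protected by IPsec for these ports.
    New-NetIPsecRule -DisplayName "Require IPsec for $($spec.Proto) Windows networking to remote site" `
        -Mode Transport -InboundSecurity Require -OutboundSecurity Require `
        -Protocol $spec.Proto -LocalPort $spec.Ports -RemoteAddress $RemoteSite `
        -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name | Out-Null

    # Firewall rule: admit these ports only from the remote site, and only inside an
    # authenticated, encrypted IPsec SA. Unprotected packets from anywhere fall to default-deny.
    New-NetFirewallRule -DisplayName "Allow $($spec.Proto) Windows networking from remote site (IPsec only)" `
        -Direction Inbound -Action Allow -Protocol $spec.Proto -LocalPort $spec.Ports `
        -RemoteAddress $RemoteSite -Authentication Required -Encryption Required | Out-Null
}

# Check what was installed.
Get-NetIPsecRule -DisplayName '*Windows networking*' | Format-Table DisplayName, InboundSecurity, OutboundSecurity
Get-NetFirewallRule -DisplayName '*Windows networking*' | Format-Table DisplayName, Direction, Action, Enabled
```

The same policy has to be installed on the other end with mirrored addresses, and the PSK should be swapped for machine certificates or Kerberos once the tunnel is working; a pre-shared key in a script is the weak link here. Note that with InboundSecurity Require, any NetBIOS broadcast or unauthenticated client on the local segment is dropped for these ports, which is the intended effect but surprises people the first time.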