BCP for ISP to block worms at PEs and NAS
Christopher L. Morrow
christopher.morrow at mci.com
Mon Apr 18 02:38:56 UTC 2005
On Sun, 17 Apr 2005, Randy Bush wrote:
> >>> On my Cisco-based SP network with RPMs in MGX chassis acting as
> >>> PEs: I have the ACL below applied on many network devices to
> >>> block the common worms ports,
> >> if you are a service provider, perhaps filtering in the core
> >> will not be appreciated by some customers. of course, as a
> >> provider, you can choose what 'service' you are providing. but,
> >> if you filter ports, it is not clear you are providing internet
> >> service.
> > one approach might be radius installed filters? some contract
> > language to allow 'customers' to request standard templated
> > filters at little/no-extra cost to them. Allow them to make the
> > decision to filter themselves (where 'themselves' may be a dial
> > reseller, of course). Making them responsible means when
> > odd-application-12 comes along to utilize tcp/135 you won't have
> > to poke spot holes through your filters to permit this access.
>
> yep. but note that kim says "ACL below applied on many network
> devices," and went on to mention ras, which i, possibly mistakenly,
> took to mean not just the radius-able edge.
whoops, I read his original note as: "i have a large dial/dsl plant for a
network and I want to offer filtered Internet" So I lept to: "wow, use
radius applied acls for your users, let them choose to have it or not,
make standard templates available."
If there is no need to filter 'all links' just 'customer links' (and
'customer links' == dial/dsl/radius-authed-connection-types) then the
radius filters thing might be a boone to Kim's productivity.
More information about the NANOG
mailing list