commonly blocked ISP ports
brett watson
brett at the-watsons.org
Wed Sep 14 21:22:11 UTC 2005
> On Wednesday 14 September 2005 15:41, Luke Parrish wrote:
>
>> Not quite looking for tips to manage my network and ACLs or if I
>> should or should not be blocking, more looking for actual ports that
>> other ISPs are blocking and why.
seems to me this is the wrong question... a default security
"posture" (network or system, isp or enterprise or any type of
entity) should be: "if it's not explicitly allowed, it's denied."
don't look for specific ports to block. lock down everything, both
*egress* (arguably as important as ingress, and typically completely
ignored) and ingress, and start opening only specific ports that are
absolutely necessary. yes, it's a lot more work to do this but it's
a lot safer.
many worm/trojan infections happen because egress is completely open,
and "permit tcp any any established" is the first line in the ingress
acl.
-b
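The two postures contrasted in the message, as an added example that is not part of the original post: a toy stateless, first-match ACL evaluator in Python. The Rule/Packet fields, port numbers and traffic samples are constructed for illustration; "established" follows the IOS meaning of matching TCP segments with ACK or RST set.

```python
# Toy stateless first-match ACL evaluator (added example, not from the post; ports constructed).
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src_port: int
    dst_port: int
    ack: bool = False  # ACK or RST bit set: what the IOS "established" keyword matches

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (any protocol)
    src_port: Optional[int] = None  # None = any port
    dst_port: Optional[int] = None
    established: bool = False       # match only segments with ACK/RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src_port is not None and self.src_port != p.src_port:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return not self.established or p.ack

def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; as in an IOS ACL, the list ends in an implicit deny."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"

# Posture the post criticises: open egress, "permit tcp any any established" first on ingress.
OPEN_EGRESS = [Rule("permit", "ip")]
PERMISSIVE_INGRESS = [Rule("permit", "tcp", established=True), Rule("permit", "tcp", dst_port=80)]

# Default-deny posture: only explicitly needed ports, both directions; return traffic
# for permitted outbound web/DNS is matched on its source port, not "any any".
STRICT_EGRESS = [Rule("permit", "tcp", dst_port=80), Rule("permit", "udp", dst_port=53)]
STRICT_INGRESS = [Rule("permit", "tcp", src_port=80, established=True),
                  Rule("permit", "udp", src_port=53),
                  Rule("permit", "tcp", dst_port=80)]  # the hosted web server

# Constructed traffic: a trojan dialling out on an arbitrary port, and an unsolicited
# inbound segment with ACK set aimed at an internal host.
TROJAN_OUT = Packet("tcp", src_port=51000, dst_port=12345)
UNSOLICITED_ACK = Packet("tcp", src_port=12345, dst_port=51000, ack=True)
```

Under the open posture the trojan's outbound connection and the unsolicited ACK both pass; under default-deny both are dropped while legitimate web and DNS return traffic still gets through.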