Customer-facing ACLs

• Previous message (by thread): bandwidth providers and pricing in China
• Next message (by thread): Customer-facing ACLs
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This question will probably get lost in the Friday afternoon lull but 
we'll give it a try anyway.

What kind of customer-facing filtering do you do (ingress and egress)? 
This of course is dependent on the type of customer, so lets assume 
we're talking about an average residential customer.

Do you block SYNs destined to your customers?  Do you rate-limit SYNs 
destined for your customers?  SYNs on privileged ports?

Do you block any customer-facing egress traffic at all?  What about 
ingress?  SMTP, NetBIOS, MS-SQL, common proxy ports (3128, 6588)?

What ICMP types do you allow or disallow?

I'm assuming everyone uses uRPF at all their edges already so that 
eliminates the need for specific ACEs with ingress/egress network 
verification checks.

Do you filter anything destined to your network infrastructure on your 
customer-facing edges?  Does anyone filter traffic destined to the PE 
side of a PE-CE link from the outside world?

For those of you with cable networks, what all do you block with the CM? 
  We're considering blocking NetBIOS and DHCP server traffic (DHCP 
server packets are already blocked at the CMTS but this would keep that 
junk off our infrastructure).

For SMTP we permit access to our SMTP servers on tcp/25 to all our 
broadband users.  We also permit our customers with static IPs 
(residential and business) to send SMTP without restrictions.  After 
those permits we explicitly block tcp/25.  This has worked fairly well 
for us.  It sure makes it easy to find infected PCs with spambots.  We 
don't touch tcp/587.

For ICMP we permit echo, replies, packet-too-big, and time-exceeded. 
Everything else gets dropped.  Frags are explicitly dropped before any 
permits.

We also block common proxy ports to and from the customers (the to 
includes ports not always used for proxies).  This has been very 
effective in catching a number of bots that scanned for open Squid 
proxies or script kiddie junk that used WinGate with the default settings.


Is there a BCP for customer-facing ACLs?

Justin

• Previous message (by thread): bandwidth providers and pricing in China
• Next message (by thread): Customer-facing ACLs
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]