Customer-facing ACLs

Justin Shore justin at justinshore.com
Sat Mar 8 18:17:38 UTC 2008


Mark Foster wrote:
> 
> Port 22 outbound? And 23?  Telnet and SSH _outbound_ cause that much of 
> a concern? I can only assume it's to stop clients' exploited boxen being 
> used to anonymise further telnet/ssh attempts - but have to admit this 
> discussion is the first I've heard of it being done 'en masse'.

I don't think there's much to be gained from blocking ingress 22 from 
customers.  I don't see any SSH scans originating from my customers 
(though there is always the potential).  I wouldn't have any issues with 
blocking outbound telnet though but I can't really justify it either 
since I don't see a real big problem with that kind of traffic 
originating on my network either.

Now inbound SSH and Telnet (destined for my customers) should be blocked 
IMHO.  Doing a little prodding around our netspace I've found most SSH 
installs to be of a known vulnerable version, or at least an old version 
with no vulnerabilities found in it yet.  Nothing positive could come 
from letting them get compromised.  We would of course offer a way for 
users to get around the block.  Our current approach is to have them 
sign up for a static IP (another $5/month).  The fee keeps everyone from 
automatically signing up for it as "free stuff" but still gives the 
legit users an inexpensive way to get what they need.

> It'd frustrate me if I jacked into a friend's Internet in order to do 
> some legitimate SSH based server administration, I imagine...

Agreed, but remember that people like you, me and the rest of the readers 
of NANOG are a teeny tiny minority on the Internet.  I could pick a 
couple thousand of my users at random and not find one that knows what 
SSH is.

> Is this not 'reaching' or is there a genuine benefit in blocking these 
> ports as well?

I don't think there's much to be gained from blocking telnet & SSH from 
the customers to the Internet.  Blocking SMTP in the same direction is 
critical IMHO.  Blocking the same 3 ports back to the customer makes 
sense to me though.  I think there is a real and tangible benefit to the 
exercise.

Justin
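As an added illustration (not part of the thread), the policy Justin describes, modelled as a stateless router-style ACL in Python: deny TCP 22/23/25 toward customers, deny TCP 25 from customers, exempt static-IP customers. The prefixes and addresses are constructed sample values; the model also shows why a destination-port filter toward customers does not break SSH sessions the customer initiates.

```python
# Added example, not from the NANOG thread.  Stateless evaluation of the
# customer-facing ACL policy discussed above, over constructed sample flows.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CUSTOMER_NET = ip_network("192.0.2.0/24")       # constructed customer pool
STATIC_EXEMPT = {ip_address("192.0.2.50")}       # customer who bought a static IP

INBOUND_BLOCKED = {22, 23, 25}   # Internet -> customer: SSH, Telnet, SMTP
OUTBOUND_BLOCKED = {25}          # customer -> Internet: SMTP only


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def direction(flow: Flow) -> str:
    """Classify a packet relative to the customer prefix."""
    s_in = ip_address(flow.src) in CUSTOMER_NET
    d_in = ip_address(flow.dst) in CUSTOMER_NET
    if d_in and not s_in:
        return "inbound"
    if s_in and not d_in:
        return "outbound"
    return "other"          # customer-to-customer or transit, left alone here


def decide(flow: Flow) -> str:
    """Return 'permit' or 'deny' for one packet, like a stateless ACL."""
    if flow.proto != "tcp":
        return "permit"
    d = direction(flow)
    if d == "inbound":
        # The static-IP exemption must precede the deny line, as in a
        # first-match ACL; a deny placed first would shadow it.
        if ip_address(flow.dst) in STATIC_EXEMPT:
            return "permit"
        return "deny" if flow.dport in INBOUND_BLOCKED else "permit"
    if d == "outbound":
        return "deny" if flow.dport in OUTBOUND_BLOCKED else "permit"
    return "permit"
```

Because the inbound filter matches the destination port, return packets of a customer-initiated SSH session (source port 22, ephemeral destination port) are permitted; only connections initiated from the Internet toward the customer's port 22 are dropped.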