Customer-facing ACLs
Justin Shore
justin at justinshore.com
Sat Mar 8 18:17:38 UTC 2008
Mark Foster wrote:
>
> Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of
> a concern? I can only assume it's to stop clients' exploited boxen being
> used to anonymise further telnet/ssh attempts - but have to admit this
> discussion is the first I've heard of it being done 'en masse'.
I don't think there's much to be gained from blocking ingress 22 from
customers. I don't see any SSH scans originating from my customers
(though there is always the potential). I wouldn't have any issues with
blocking outbound telnet, though, but I can't really justify it either,
since I don't see a real big problem with that kind of traffic
originating on my network either.
Now inbound SSH and Telnet (destined for my customers) should be blocked
IMHO. Doing a little prodding around our netspace I've found most SSH
installs to be of a known vulnerable version, or at least an old version
in which vulnerabilities have yet to be found. Nothing positive could come
from letting them get compromised. We would of course offer a way for
users to get around the block. Our current approach is to have them
sign up for a static IP (another $5/month). The fee keeps everyone from
automatically signing up for it as "free stuff" but still gives the
legit users an inexpensive way to get what they need.
> It'd frustrate me if I jacked into a friend's Internet in order to do
> some legitimate SSH based server administration, I imagine...
Agreed, but remember that people like you, me and the rest of the readers
of NANOG are a teeny tiny minority on the Internet. I could pick a
couple thousand of my users at random and not find one that knows what
SSH is.
> Is this not 'reaching' or is there a genuine benefit in blocking these
> ports as well?
I don't think there's much to be gained from blocking telnet & SSH from
the customers to the Internet. Blocking SMTP in the same direction is
critical IMHO. Blocking the same 3 ports back to the customer makes
sense to me though. I think there is a real and tangible benefit to the
exercise.
Justin
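The policy Justin describes (deny inbound SSH, Telnet and SMTP toward the customer pool, exempt the customers who opted into a static IP, permit everything else) depends on rule ordering: the exception has to sit before the deny, or the paying static-IP users get blocked along with everyone else. The following is an added example, not anything from the NANOG post or from Justin's network; the address ranges and the IOS-style rendering are constructed assumptions. It models first-match ACL evaluation, renders the rules as extended-ACL text, and shows the misordered variant failing.

```python
"""First-match model of a customer-facing ingress ACL (added example).
The address plan below is constructed for illustration, not the poster's."""
import ipaddress
from dataclasses import dataclass

# Assumption: dynamic customers live in one /24, static-IP opt-ins in a /26 of it.
CUSTOMER_POOL = ipaddress.ip_network("198.51.100.0/24")
STATIC_IP_POOL = ipaddress.ip_network("198.51.100.192/26")
ANY = ipaddress.ip_network("0.0.0.0/0")
BLOCKED_INBOUND_PORTS = (22, 23, 25)  # SSH, Telnet, SMTP, as in the post


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    dst: ipaddress.IPv4Network      # destination prefix the rule covers
    ports: tuple                    # destination TCP ports; () means any
    note: str                       # why the rule exists

    def matches(self, dst_ip, dst_port):
        return dst_ip in self.dst and (not self.ports or dst_port in self.ports)


def customer_inbound_acl():
    """Rules applied to Internet->customer traffic; first match wins."""
    return [
        Rule("permit", STATIC_IP_POOL, BLOCKED_INBOUND_PORTS, "static-IP customers opted in"),
        Rule("deny", CUSTOMER_POOL, BLOCKED_INBOUND_PORTS, "no inbound SSH/Telnet/SMTP to pool"),
        Rule("permit", ANY, (), "everything else"),
    ]


def misordered_acl():
    """Same rules with the deny placed first: the exemption never matches."""
    acl = customer_inbound_acl()
    return [acl[1], acl[0], acl[2]]


def evaluate(acl, dst_ip, dst_port):
    """Return (action, note) of the first matching rule; implicit deny at end."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.matches(ip, dst_port):
            return rule.action, rule.note
    return "deny", "implicit deny"


def _wildcard(net):
    # IOS extended ACLs express prefixes as "network wildcard"; /0 is "any".
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"


def render_ios(acl, name="CUSTOMER-IN"):
    """Render the rule list as Cisco IOS-style extended ACL text (illustrative)."""
    lines = [f"ip access-list extended {name}"]
    for r in acl:
        if r.ports:
            for port in r.ports:
                lines.append(f" remark {r.note}")
                lines.append(f" {r.action} tcp any {_wildcard(r.dst)} eq {port}")
        else:
            lines.append(f" {r.action} ip any {_wildcard(r.dst)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ios(customer_inbound_acl()))
    for ip, port in (("198.51.100.10", 22), ("198.51.100.200", 22), ("198.51.100.10", 443)):
        print(ip, port, evaluate(customer_inbound_acl(), ip, port))
```

Apply the rendered list inbound on the Internet-facing side of the customer aggregation; the order the renderer emits is the order that matters on the box. The `misordered_acl()` variant is there to make the failure visible: with the deny first, a static-IP customer's SSH is dropped even though the permit line is present further down.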