Customer-facing ACLs

Frank Bulk - iNAME frnkblk at iname.com
Thu Mar 13 02:22:41 UTC 2008


Sorry, I should have been more clear.  I added them a few months after I
came on board.  The ports that are blocked are either Windows SMB/RPC ports
or the ones that (a long time ago) were used by worms.  Correct, no research
into traffic or contact with customers.  Although some may argue that
sharing one's files with their neighbor using Windows File and Print
sharing is a valid service, it's generally accepted that residential
subscribers have no legitimate need to be communicating with those ports on
the internet and they are 100 times to 1 more likely to carry malicious
traffic than not.  And as our history has shown, there's been close to zero
issues.  Yes, perhaps customers just didn't bother to call in to complain or
that call wasn't escalated to me, but I think I could communicate a pretty
convincing argument if required.

Frank

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Scott Weeks
Sent: Wednesday, March 12, 2008 6:39 PM
To: nanog at merit.edu
Subject: RE: Customer-facing ACLs



--- frnkblk at iname.com wrote: --------------------

We have a two-dozen line long ACL applied to our CMTS and BRAS blocking
Windows and "virus" ports and have never had a complaint or a problem.  We
do have a more sophisticated residential or large-biz customers ask, but
----------------------------------------

I'd like to ask the same question of you that I just did to Chris.  How'd
you implement that or has it been there since the network was new?


------ frnkblk at iname.com wrote:  ------------
From: "Frank Bulk - iNAME" <frnkblk at iname.com>

Those ACLs were added when I came on board.  Again, only one complaint in 3+
years.
--------------------------------------------

Do you mean they were already there when you arrived, or do you mean you
just put in ACLs after arriving?  No research into traffic?  No contact to
customers?  No elaborating to the less technical folks in the company about
what was going to happen?  etc...

We have over 100k DSL folks and most are DHCP.  I'd be afraid to do that
without research into the traffic via "permit TCP NNN log" type ACLs and
other methods.

I believe I will take Sean D's suggestion and read MAAWG's docs.  Makes me
wonder, though, if we took over the Hawaii part of VZ's network and it was
completely open, does that mean the rest of their network is similarly open?

scott
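Scott's suggestion above, measuring the traffic with logging ACL entries before turning on the deny, worked through as an added example that is not from either poster: a Python script that parses the IOS IPACCESSLOGP syslog lines such "permit ... log" entries produce, totals hits on the Windows SMB/RPC ports Frank mentions, and separates a single source sweeping many destinations from ordinary file-share traffic. The port list, the "list 101" ACL name and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Ports the thread is talking about: Windows SMB/RPC (assumed list, not from the post).
WINDOWS_PORTS = {135, 137, 138, 139, 445}

# IOS syslog line emitted by an ACE carrying the "log" keyword, e.g.
#   %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(3421) -> 192.0.2.9(445), 1 packet
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def parse_line(line):
    """Return a dict for an IPACCESSLOGP line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "count": int(m["count"])}

def summarize(lines, ports=WINDOWS_PORTS, fanout_threshold=10):
    """Per port: packets, distinct sources/destinations, and sources with
    worm-like fan-out (one source hitting >= fanout_threshold destinations)."""
    per_port = defaultdict(lambda: {"packets": 0, "sources": set(), "destinations": set()})
    targets = defaultdict(set)  # (src, dport) -> set of destinations seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ports:
            continue
        p = per_port[rec["dport"]]
        p["packets"] += rec["count"]
        p["sources"].add(rec["src"])
        p["destinations"].add(rec["dst"])
        targets[(rec["src"], rec["dport"])].add(rec["dst"])
    result = {}
    for port, p in per_port.items():
        scanners = sorted(src for (src, dp), dsts in targets.items()
                          if dp == port and len(dsts) >= fanout_threshold)
        result[port] = {"packets": p["packets"], "sources": len(p["sources"]),
                        "destinations": len(p["destinations"]), "scanners": scanners}
    return result

# Constructed sample: one subscriber sweeping a /24 on 445, two subscribers talking to
# one server on 139 (the kind of traffic an operator would want to see before the deny).
SAMPLE_LOG = [
    f"%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(4{i:04d}) -> 192.0.2.{i}(445), 1 packet"
    for i in range(1, 21)
] + [
    "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.7(1025) -> 198.51.100.1(139), 12 packets",
    "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.8(1026) -> 198.51.100.1(139), 3 packets",
    "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.8(1027) -> 198.51.100.2(80), 40 packets",
]

if __name__ == "__main__":
    for port, s in sorted(summarize(SAMPLE_LOG).items()):
        print(port, s)
```

Run against a real syslog export, the per-port counts show how many subscribers the deny would actually touch, while the scanner list shows which sources the block is really aimed at.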



