North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Operational impact of filtering SMB/NETBIOS traffic?
- From: Mike Johnson
- Date: Mon Nov 20 09:55:48 2000
Shawn McMahon [firstname.lastname@example.org] wrote:
> On Mon, Nov 20, 2000 at 04:12:19AM -0800, Mathew Butler wrote:
> > Ah, but here's the rub: Is there anything, from a business standpoint (read:
> > contracts), that says that you have the right, much less the obligation, to
> > make 'security' decisions for the customer? If not, you're opening your
> > company up to massive lawsuits.
> Let me get this straight; you think that instead of shooting you an
> email asking that the port be opened, your customer is going to call in
> the lawyers and file suit?
See, what Mathew wrote is pretty much my point in all of this. Now, I'm
not going to call in the lawyers, but I'm one of those people that tries
to track down all the places that I may have screwed up before I fire off
an e-mail to my provider. I never want to say 'uh, I dunno, I didn't
check that' (it will, of course, happen, but I really do my best to keep that
to a minimum) when I've got a (ISP) technician on the phone. So, before
I send that message asking for a port to be opened, I will likely have
spent several hours tracking down the problem. That's several hours
> WTF are your customers?
Lawyers, maybe? ;)
> > It's a -very- touchy subject -- but I, as a customer, want exclusive right
> > to make filtering decisions over what goes from my network to the peering
> > point, where the other backbone providers can choose their own policy. The
> > reason for this is so that, if necessary, I can run any protocol I have a
> > need to run over all circuits that I have that are connected to the same
> > ISP.
> Well, tough. We all filter various things, whether that be RFC 1918
> addresses, NetBIOS, or Other. There's not a thing wrong with filtering
> by default, and removing if the customer asks, and since I did it for
> years without getting sued I reject your entire argument that the latter
> is what will occur.
Filtering RFC 1918 is to be expected. That traffic isn't supposed to
be on the net as a whole (as per the RFC), so I expect that I won't be
able to ping my 10.1.1.1 router from another network. However, I don't
expect my provider to arbitrarily start filtering ports. I'm not
arguing for or against SMB related filtering, I'm looking at filtering
as a whole. I'm talking about the act of port filtering on the
> > Or are you thinking that the only clueful people in the network world exist
> > at the NSPs?
> No, I'm thinking 99% of them exist at the NSPs. My experience has so
> far borne this out.
Bah, there's a lot of money outside of the NSPs, surely more than one
percent have drifted away by now...
Network Engineer / iSun Networks, Inc.
All opinions are mine, not those of my employer