Re: What do you want your ISP to block today?

From: Vinny Abello (no email)
Date: Wed Sep 03 2003 - 15:05:14 EDT


At 02:51 PM 9/3/2003, Sean Donelan wrote:

>On Wed, 3 Sep 2003, Johannes Ullrich wrote:
> > I just summarized my thoughts on this topic here:
> > http://www.sans.org/rr/special/isp_blocking.php
> >
> > Overall: I think there are some ports (135, 137, 139, 445),
> > a consumer ISP should block as close to the customer as
> > they can.
>
>If ISPs had blocked port 119, Sobig could not have been distributed
>via USENET.
>
>
>Perhaps unbelievably to people on this mailing list, many people
>legitimately use 135, 137, 139 and 445 over the open Internet
>every day. Which protocols do you think are used more on today's
>Internet? SSH or NETBIOS?
>
>Some businesses have created an entire industry of outsourcing Exchange
>service which need all their customers to be able to use those ports.
>
>http://www.mailstreet.net/MS/urgent.asp
>
>http://dmoz.org/Computers/Software/Groupware/Microsoft_Exchange/
>
>If done properly, those ports are no more or less "dangerous" than
>any other 16-bit port number used for TCP or UDP protocol headers.
>
>
>But we need to be careful not to make the mistake that just because
>we don't use those ports that the protocols aren't useful to other
>people.

Even on Windows they can be used in a much safer fashion (although I would
never attempt it for any of my stuff). It is possible to use IPSec policies
on 2000 and higher to encrypt all traffic on specified ports to specified
hosts/networks and block all other traffic. I bet some people are using
this to join remote locations securely to each other for Windows networking
with these ports and IPSec policies.

Vinny Abello
Network Engineer
Server Management

(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and
those that don't.
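
The following is an added example, not part of the original message. It sketches the approach described above (Windows networking ports reachable only over IPsec from a specified network, with everything else blocked) using the current Windows Defender Firewall PowerShell cmdlets rather than the Windows 2000 IPSec policy tools the message refers to. The remote network 203.0.113.0/24, the CA name and the rule names are constructed placeholders, certificate authentication is an assumption, and only the TCP ports are covered.

```powershell
# Added example, run on the server that offers the Windows networking services.
# Constructed values: remote office network and the issuing CA name.
$remote = '203.0.113.0/24'
$ports  = '135', '139', '445'

# Main mode: both machines must present a certificate chaining to this CA.
$authProp = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority 'C=US,O=Example,CN=Example Root CA' -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Branch cert auth' `
    -Proposal $authProp

# Quick mode: ESP with both encryption and integrity.
$qmProp = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA256 -Encryption AES256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256 SHA256' `
    -Proposal $qmProp

# Connection security rule: traffic from the remote office to these ports
# must negotiate IPsec before it is accepted.
New-NetIPsecRule -DisplayName 'Require IPsec: branch to Windows networking' `
    -RemoteAddress $remote -Protocol TCP -LocalPort $ports `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name

# Everything not explicitly allowed is dropped, and the built-in rules that
# would allow unprotected file sharing are turned off.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# The only allow rule for these ports: source must be the remote office and
# the connection must be authenticated and encrypted by IPsec.
New-NetFirewallRule -DisplayName 'Windows networking from branch (IPsec only)' `
    -Direction Inbound -Protocol TCP -LocalPort $ports `
    -RemoteAddress $remote -Action Allow `
    -Authentication Required -Encryption Required
```

The remote hosts need a matching connection security rule and a certificate from the same CA, otherwise negotiation fails and the traffic is dropped by the default inbound block.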