Customer-facing ACLs

From: Justin Shore (no email)
Date: Fri Mar 07 2008 - 14:55:05 EST

  • Next message: Justin M. Streiner: "Re: Customer-facing ACLs"

    This question will probably get lost in the Friday afternoon lull but
    we'll give it a try anyway.

    What kind of customer-facing filtering do you do (ingress and egress)?
    This of course is dependent on the type of customer, so lets assume
    we're talking about an average residential customer.

    Do you block SYNs destined to your customers? Do you rate-limit SYNs
    destined for your customers? SYNs on privileged ports?

    Do you block any customer-facing egress traffic at all? What about
    ingress? SMTP, NetBIOS, MS-SQL, common proxy ports (3128, 6588)?

    What ICMP types do you allow or disallow?

    I'm assuming everyone uses uRPF at all their edges already so that
    eliminates the need for specific ACEs with ingress/egress network
    verification checks.

    Do you filter anything destined to your network infrastructure on your
    customer-facing edges? Does anyone filter traffic destined to the PE
    side of a PE-CE link from the outside world?

    For those of you with cable networks, what all do you block with the CM?
      We're considering blocking NetBIOS and DHCP server traffic (DHCP
    server packets are already blocked at the CMTS but this would keep that
    junk off our infrastructure).

    For SMTP we permit access to our SMTP servers on tcp/25 to all our
    broadband users. We also permit our customers with static IPs
    (residential and business) to send SMTP without restrictions. After
    those permits we explicitly block tcp/25. This has worked fairly well
    for us. It sure makes it easy to find infected PCs with spambots. We
    don't touch tcp/587.

    For ICMP we permit echo, replies, packet-too-big, and time-exceeded.
    Everything else gets dropped. Frags are explicitly dropped before any
    permits.

    We also block common proxy ports to and from the customers (the to
    includes ports not always used for proxies). This has been very
    effective in catching a number of bots that scanned for open Squid
    proxies or script kiddie junk that used WinGate with the default settings.

    Is there a BCP for customer-facing ACLs?

    Justin


  • Next message: Justin M. Streiner: "Re: Customer-facing ACLs"





    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs



    Powered By FreeBSD   Powered By FreeBSD