Re: Customer-facing ACLs

From: Justin M. Streiner (no email)
Date: Fri Mar 07 2008 - 15:08:51 EST


    On Fri, 7 Mar 2008, Justin Shore wrote:

    > Do you block any customer-facing egress traffic at all? What about ingress?
    > SMTP, NetBIOS, MS-SQL, common proxy ports (3128, 6588)?
    >
    > What ICMP types do you allow or disallow?

    In my previous life, I worked at a mid-sized ISP. A common practice for
    bridged DSL customers was to block outbound traffic to the various NetBIOS
    ports, along with a few other ports that were added at the time to keep
    Slammer and friends under control. We also deployed filters through
    RADIUS that covered much of the same ground for dialup and PPPoE DSL users
    and it worked reasonably well.

    I do recall weighing the merits of extending that to drop outbound SMTP to
    everything except our mail farm, but it wasn't deployed because there was
    a great deal of fear of customer backlash and that it would drive more calls
    into the call center.

    jms

