Brian.. I would agree with you that sometimes, you can't offer "filtered pipe" services to everyone and expect the same general acceptance of the product across the board. However, how much liability should a business take-on when abuse@ accounts are filling up daily because hundreds of customers not keeping up with Windows Update? We put in filters our WAN a few months back when everyone was feeling the wraths of the various Windows exploit of the week. Still today, we make no exceptions to this rule. We've even lost a few customers in the process, I'm sure. My issue is that in most cases (minus a few exceptions, of course) service providers are bombarded with complaints from customers that a) don't know how to change the default Exchange ports away from 135/139 or the security risk in broadcasting 135/139 to the world, b) didn't think they should have to worry about it (even as they were broadcasting from infected servers and machines on their network), or c) have a textbook MCSE, crash-course CCNA network administrator/consultant didn't really have an understanding of what was going on or how they should respond to it. Personally, I'm beginning to feel doubt that the technology industry will be able to maintain the level of competence and respect that we all need and deserve to have. I can't imagine what the health care industry would be like if ignorance was embraced as well as it seems to be in the technology industry. -Adam
Problem is, some applications, like Outlook for example (if I remember correctly), like to >use the 135, 137, 139 and others to connect to the Exchange server. You block them, and it will start to croak. You have a lot of home users not using a VPN to connect to their office exchange servers. I used to do this myself at times.
When you sell a service to someone, and neglect to mention you block certain incoming ports, especially to a possible business user or home user trying to access their office, >you put yourself in a really bad position.
By the way, can anybody explain to me a legitimate use for port 135/137 traffic across the Internet, like it's somebody's private LAN? Seems to me anybody who still thinks that's legitimate is living in the past.
So, the big question: why don't ISPs do more of this? Are they afraid of client reaction? Doesn't wash, for me: most clients would be highly grateful, and all it really takes for the remainder is fair warning. Cost? Again, you can judge for yourselves how low the fruit you choose to pick; the biggest gains have the best ROI.
Happy clients, liberated bandwidth, faster servers -- what's to loose?