Sean, At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject to firewall ACLs) and actioned them under a complex and changing rule set. It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxing was used for http - you could opt out if you knew how. While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large cable company that did the right thing and implemented SMTP authentication for their mail service. The world would be a different place if client to server mail submission was done in an authenticated manner consistently across the Internet. Its amazing how many ISPs don't implement this best practice. Regards, Eric Carroll -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Sean Donelan Sent: October 25, 2002 5:36 PM To: Paul Vixie Cc: nanog@merit.edu Subject: Re: How to secure the Internet in three easy steps On Fri, 25 Oct 2002, Paul Vixie wrote:
Not only that, but unless _everyone_ implements 2 and/or 3, all the bad people that exploit the things these are meant to protect will migrate to the networks that lack these measures, mitigating the benefits.
not just the bad people. all the people. a network with 2 or 3 in place is useless. there is no way to make 2 or 3 happen.
AOL? I believe they proxy almost all their subscribers through several large datacenters, and don't allow users to run their own servers. @Home prohibited customer servers on their network, blocked several ports, and proxied several services. Its common for ISPs outside of the US to force their customers to use the ISP's web proxy server, even hijacking connections which attempt to bypass it. As part of their anti-spam efforts, several providers block SMTP port 25, and force their subscribers to only use that provider's SMTP relay/proxy to send mail. Why not extend those same restrictions to other (all) protocols? Many corporate networks already proxy all their user's traffic, and prohibit direct connections through the corporate firewalls. I think its a bad idea, but techincally I have a hard time saying its technically impossible.