Ben Browning wrote:
The point is this: 137-139 are used for NetBIOS and Samba, neither of which are secure (or even supported by their vendors, AFAIK) for use out on the Internet. I think we can all agree that anyone using them in that situation, shouldn't be.
The problem is that 137-139 are just numbers. The fact that a typically insecure application runs over port 137/139 as opposed to say, 25609, makes no difference. If the logic follows, then block port 21, 111 and maybe even port 80. I'm sure we can find over zealous security experts making claims that those services are inherently insecure as well. Someone will come up with a way of doing file sharing over another port number, over another protocol, over a conforming application (e.g. HTTP) and probably using encryption so you can't tell what it is. I think the end-to-end principle should guide us when people approach these problems with generalized network solutions ...with extreme trepidation. I have no problem with organizations that control their own AS and want to block certain, vulnerable ports. I can even see ISPs being somewhat service oriented towards their customer who may be completely security unaware, but to foster this type of activity as a real solution I think is a mistake. It doesn't really make the Internet any more secure. It simply moves the security problem around. If people continue to follow this approach, then soon we end up doing content inspection looking for tunneled protocols, encrypted and who knows what kinds of trickery all over TCP port 80. Yuck. That'll be "The Day the Internet Died". The closer we can get security to the end hosts the better. John