-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Stewart, William C (Bill), RTSLS Sent: Monday, October 27, 2003 1:27 AM To: nanog@merit.edu Subject: Re: ISPs' willingness to take action
Brian Bruns asserts that there are lots of home users connecting to
It's true. I don't know if it's prevalent, but you'd be amazed at how many small shops are putting exchange on the public internet using the spooky windows ports to attach to it. IMHO the best solution to most of these problems is education. We implemented an IDS system. The ROI comes from the inbound attacks being detected/prevented/shunned. But it's also listening to the outbound stuff, so when we see that a customer has the flavor of the week, we cut him off, give him a call and some friendly advice, and everyone's happy. When we see IRC joins and port scans from a customer server, we give him a call, advise him that he's been rooted, and offer to assist in his recovery (can you say business opportunity, folks?). Blocking ports is fine as long as you let people know what you're blocking and why, offer alternative solutions and offer to unblock if it's an absolute requirement. Often, once properly educated about the risks, a lesser experienced admin will be excited about the opportunity to do it the more secure way, and will begin preparations, so I've found the "unblock" is usually temporary. I believe the answer is for all providers to do this -- monitor outbound traffic with IDS, consider it a business opportunity to offer managed services to your customers. Resell virus software, firewall units, and most importantly, education. Your customers will appreciate it, believe me. -Bob their office Exchange servers without VPNs, and that therefore blocking the Microsoft
ports was bad. While I agree with his point that you shouldn't do it without documenting what you are or are not blocking, I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...