Shawn McMahon [smcmahon@eiv.com] wrote:
> On Mon, Nov 20, 2000 at 04:12:19AM -0800, Mathew Butler wrote:
> > Ah, but here's the rub: Is there anything, from a business standpoint (read: contracts), that says that you have the right, much less the obligation, to make 'security' decisions for the customer? If not, you're opening your company up to massive lawsuits.
>
> Let me get this straight; you think that instead of shooting you an email asking that the port be opened, your customer is going to call in the lawyers and file suit?

See, what Mathew wrote is pretty much my point in all of this. Now, I'm not going to call in the lawyers, but I'm one of those people that tries to track down all the places that I may have screwed up before I fire off an e-mail to my provider. I never want to say 'uh, I dunno, I didn't check that' (it will, of course, happen, but I really do my best to keep that to a minimum) when I've got a (ISP) technician on the phone. So, before I send that message asking for a port to be opened, I will likely have spent several hours tracking down the problem. That's several hours wasted.

> WTF are your customers?

Lawyers, maybe? ;)

> > It's a -very- touchy subject -- but I, as a customer, want exclusive right to make filtering decisions over what goes from my network to the peering point, where the other backbone providers can choose their own policy. The reason for this is so that, if necessary, I can run any protocol I have a need to run over all circuits that I have that are connected to the same ISP.
>
> Well, tough. We all filter various things, whether that be RFC 1918 addresses, NetBIOS, or Other. There's not a thing wrong with filtering by default, and removing if the customer asks, and since I did it for years without getting sued I reject your entire argument that the latter is what will occur.

Filtering RFC 1918 is to be expected. That traffic isn't supposed to be on the net as a whole (as per the RFC), so I expect that I won't be able to ping my 10.1.1.1 router from another network. However, I don't expect my provider to arbitrarily start filtering ports. I'm not arguing for or against SMB related filtering, I'm looking at filtering as a whole. I'm talking about the act of port filtering on the backbones.

> > Or are you thinking that the only clueful people in the network world exist at the NSPs?
>
> No, I'm thinking 99% of them exist at the NSPs. My experience has so far borne this out.

Bah, there's a lot of money outside of the NSPs, surely more than one percent have drifted away by now...

Mike
--
Mike Johnson
Network Engineer / iSun Networks, Inc.
Morrisville, NC
All opinions are mine, not those of my employer
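The two filtering models argued over in this thread, always-on bogon filtering of RFC 1918 space versus port filtering that is applied by default and lifted when a customer asks, can be made concrete in a small model. The following is an added illustration, not code from any of the posters or their employers; the packet samples, the `CustomerPolicy` class, and the choice of NetBIOS/SMB ports as the default-blocked set are constructed for the example.

```python
"""Model of a provider border filter with two kinds of rule:

  1. RFC 1918 source/destination addresses are dropped unconditionally
     (that space is not meant to cross the public network at all).
  2. A small set of ports is filtered by default, but a customer can ask
     to have specific ports opened, which the ISP records per customer.

Added example; all sample data below is constructed, not captured traffic.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed default-blocked set: NetBIOS name/datagram/session and SMB over TCP.
DEFAULT_BLOCKED_PORTS = {137, 138, 139, 445}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports (ICMP)


@dataclass
class CustomerPolicy:
    # Ports this customer has explicitly asked to have unfiltered.
    opened_ports: Set[int] = field(default_factory=set)


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside any RFC 1918 private range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def filter_packet(pkt: Packet, policy: CustomerPolicy) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'drop' or 'permit'.

    Bogon filtering is checked first and cannot be overridden by a customer
    request; the port filter is consulted only for packets that carry a port.
    """
    if is_rfc1918(pkt.src) or is_rfc1918(pkt.dst):
        return ("drop", "rfc1918-bogon")
    if pkt.dport is not None and pkt.dport in DEFAULT_BLOCKED_PORTS:
        if pkt.dport in policy.opened_ports:
            return ("permit", "customer-opened port %d" % pkt.dport)
        return ("drop", "default-filter port %d" % pkt.dport)
    return ("permit", "ok")


def run_filter(packets: List[Packet], policy: CustomerPolicy) -> List[Tuple[str, str]]:
    """Apply the filter to a batch of packets and return one verdict per packet."""
    return [filter_packet(p, policy) for p in packets]


def count_drops(verdicts: List[Tuple[str, str]]) -> int:
    return sum(1 for v, _ in verdicts if v == "drop")


if __name__ == "__main__":
    # Constructed traffic: a ping toward a private router address (the 10.1.1.1
    # case from the thread), SMB to a public host, and ordinary web traffic.
    sample = [
        Packet("198.51.100.7", "10.1.1.1", "icmp"),
        Packet("198.51.100.7", "203.0.113.5", "tcp", 445),
        Packet("198.51.100.7", "203.0.113.5", "tcp", 80),
    ]
    default_customer = CustomerPolicy()
    customer_who_asked = CustomerPolicy(opened_ports={445})
    for label, pol in (("default", default_customer), ("asked for 445", customer_who_asked)):
        print(label)
        for pkt, (verdict, reason) in zip(sample, run_filter(sample, pol)):
            print("  %s -> %s:%s  %s (%s)" % (pkt.src, pkt.dst, pkt.dport, verdict, reason))
```

Running the block shows the ping to 10.1.1.1 dropped under both policies, while the SMB packet is dropped only for the customer who has not asked for port 445 to be opened; the per-customer exception set is the piece a provider would need to track (and log changes to) if it adopts the "filter by default, remove on request" approach.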