Re: Operational impact of filtering SMB/NETBIOS traffic?
Being on the customer side of things, I filter 137-139 at my borders. If people need to get in from outside, that's what VPN's are for. I can think of no person who should legitimately be sending SMB traffic over the capital I Internet. On the subject of backbone providers, backbone providers IMHO should never filter transit, period, end of discussion. They can filter on customer borders if the customer requests it, and they can (and should) filter their dialup modem pools (hello, UUNet, PSI, etc.) The only conceivable case in which a backbone should filter transit is if the traffic in question is clearly an attack, and filtering is requested by a customer or peer, or if the amount of attack traffic is noticeably affecting performance. We need to stop foisting security onto the backbones, and start being responsible for it ourselves. If someone is foolish enough to allow SMB traffic over the Internet, then they deserve what's coming to them. As it has for eternity, it all boils down to educating the customer. Maybe it's time to start doing it with a clue-by-four. At 22:06 11/14/2000 +0000, Paul Thornton wrote:
On Tue, 14 Nov 2000, Scott Call wrote:
Because this traffic is IP traffic, I wanted to ask others on this list how they treat SMB traffic on their backbones?
One of the things I considered doing was filtering 137-139 in our data centres to reduce risk to customers' poorly (usually through knowing no better, so no offence intended here) configured NT boxes. It does seem, however, that people do want truly unrestricted NetBIOS over IP connectivity into their boxes "So we can browse the server from the office" being a familiar cry. As a result of this, we didn't go ahead with the intended filtering.
Experience has taught me that people (a) do this, and do it a lot (certainly in Europe, YMMV elsewhere); and (b) a good number of them are happy to have a server with little external filtering/firewalling/protection doing it. I find this particularly scary...
-- Paul
Not speaking for my employer, in case you know who they are...
-- William S. Duncanson caesar@starkreality.com The driving force behind the NC is the belief that the companies who brought us things like Unix, relational databases, and Windows can make an appliance that is inexpensive and easy to use if they choose to do that. -- Scott Adams
participants (1)
-
William S. Duncanson