Re: ISPs' willingness to take action
Brian Bruns asserts that there are lots of home users connecting to their office Exchange servers without VPNs, and that therefore blocking the Microsoft ports was bad. While I agree with his point that you shouldn't do it without documenting what you are or are not blocking, I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...
* billstewart@att.com (Stewart, William C (Bill), RTSLS) [Mon 27 Oct 2003, 07:27 CET]:
I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...
I, for one, strongly support your proposal of blocking connections towards port 25 on Exchange servers Internet-wide. Kind regards, -- Niels.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Stewart, William C (Bill), RTSLS
Sent: Monday, October 27, 2003 1:27 AM
To: nanog@merit.edu
Subject: Re: ISPs' willingness to take action

Brian Bruns asserts that there are lots of home users connecting to their office Exchange servers without VPNs, and that therefore blocking the Microsoft ports was bad. While I agree with his point that you shouldn't do it without documenting what you are or are not blocking, I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...

It's true. I don't know if it's prevalent, but you'd be amazed at how many small shops are putting exchange on the public internet using the spooky windows ports to attach to it. IMHO the best solution to most of these problems is education.

We implemented an IDS system. The ROI comes from the inbound attacks being detected/prevented/shunned. But it's also listening to the outbound stuff, so when we see that a customer has the flavor of the week, we cut him off, give him a call and some friendly advice, and everyone's happy. When we see IRC joins and port scans from a customer server, we give him a call, advise him that he's been rooted, and offer to assist in his recovery (can you say business opportunity, folks?).

Blocking ports is fine as long as you let people know what you're blocking and why, offer alternative solutions and offer to unblock if it's an absolute requirement. Often, once properly educated about the risks, a lesser experienced admin will be excited about the opportunity to do it the more secure way, and will begin preparations, so I've found the "unblock" is usually temporary.

I believe the answer is for all providers to do this -- monitor outbound traffic with IDS, consider it a business opportunity to offer managed services to your customers. Resell virus software, firewall units, and most importantly, education. Your customers will appreciate it, believe me.

-Bob
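The outbound-monitoring idea in Bob's post (flag a customer host on IRC joins or on scanning behaviour, then pick up the phone) can be reduced to two simple heuristics over flow records. The block below is an added example written for this thread, not code from any poster or from any IDS product; the customer address space, the IRC port list, the scan threshold and the flow-record format are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# All values below are constructed for the example; none come from the thread.
CUSTOMER_NET = ipaddress.ip_network("10.1.0.0/16")   # hypothetical customer address space
IRC_PORTS = {6667, 6668, 6669, 7000}                 # assumption: common IRC server ports
SCAN_THRESHOLD = 20                                  # distinct destinations on one port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def outbound_alerts(flows, scan_threshold: int = SCAN_THRESHOLD) -> dict:
    """Return {customer_ip: [reasons]} for hosts whose outbound traffic looks compromised."""
    dests_by_port = defaultdict(lambda: defaultdict(set))  # src -> dport -> {dst}
    irc_servers = defaultdict(set)                         # src -> {dst}
    for f in flows:
        if ipaddress.ip_address(f.src) not in CUSTOMER_NET:
            continue   # inbound traffic: the inbound rule set handles it, not this code
        dests_by_port[f.src][f.dport].add(f.dst)
        if f.proto == "tcp" and f.dport in IRC_PORTS:
            irc_servers[f.src].add(f.dst)
    alerts = defaultdict(list)
    for src, servers in irc_servers.items():
        alerts[src].append(f"irc: joins to {len(servers)} server(s)")
    for src, ports in dests_by_port.items():
        for port, dests in sorted(ports.items()):
            # many distinct hosts contacted on one port: a scan, not a client
            if len(dests) >= scan_threshold:
                alerts[src].append(f"scan: {len(dests)} hosts on port {port}")
    return {src: sorted(reasons) for src, reasons in alerts.items()}


# Constructed sample: one scanner, one IRC client, one clean host, one inbound flow.
SAMPLE_FLOWS = (
    [f"10.1.0.5 192.0.2.{i} 135 tcp" for i in range(1, 26)]
    + ["10.1.0.9 198.51.100.7 6667 tcp",
       "10.1.0.2 203.0.113.10 80 tcp",
       "10.1.0.2 203.0.113.10 443 tcp",
       "203.0.113.50 10.1.0.2 135 tcp"]
)


def sample_alerts() -> dict:
    """Run the heuristics over the constructed sample and return the alert map."""
    return outbound_alerts(parse_flow(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for host, reasons in sample_alerts().items():
        print(host, "->", "; ".join(reasons))
```

The two heuristics are deliberately coarse; a real deployment would add time windows and a per-customer allow list (a customer who legitimately runs an IRC server trips the first rule every day), which is exactly the "call them and talk" step Bob describes rather than an automatic cut-off.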
This is definitely a business opportunity for any ISPs that wish to take advantage of it... Hire clueful abuse desk people, set up a good IDS, run spamassassin on your mail servers, and offer free antivirus software to the broadband connected bare win32 PCs. I am sure midsize ISP marketing departments will be able to brand this with a slick name and print brochure or TV commercial. "Tired of spam and junk on the internet? Sick of Pop-ups? Worried about the spread of worms and viruses? We're better than the competition, and here's why...!"
----- Original Message -----
From: "Eric Kuhnke" <eric@fnordsystems.com>
To: <nanog@merit.edu>
Sent: Monday, October 27, 2003 8:40 AM
Subject: RE: ISPs' willingness to take action

> This is definitely a business opportunity for any ISPs that wish to take advantage of it... Hire clueful abuse desk people, set up a good IDS, run spamassassin on your mail servers, and offer free antivirus software to the broadband connected bare win32 PCs. I am sure midsize ISP marketing departments will be able to brand this with a slick name and print brochure or TV commercial.

* But customers of broadband ISP aren't going to want to pay more than $40 a month for any such thing you add, and just how clueful do you want help desk people (I don't think you meant abuse desk ... there probably isn't even one)? $20 an hour? $26 an hour? That isn't gonna happen. And the PRINT and Commercials cost money as well. Which is fine for signing up new customers ... and there is always that customer churn. You can say you raised the bill because you added IDS, and Spamware, and Virusware, and because they get free AV and Firewall software ... and the majority of customers are going to have a fit. They think the whole thing is the responsibility of the ISP at the current rate (or even cheaper!). "You let that virus come into my computer" ... "It came over YOUR network!!!!".

> "Tired of spam and junk on the internet? Sick of Pop-ups? Worried about the spread of worms and viruses? We're better than the competition, and here's why...!"

* Because we're more expensive ;-)

> > We implemented an IDS system. The ROI comes from the inbound attacks being detected/prevented/shunned. But it's also listening to the outbound stuff, so when we see that a customer has the flavor of the week, we cut him off, give him a call and some friendly advice, and everyone's happy. When we see IRC joins and port scans from a customer server, we give him a call, advise him that he's been rooted, and offer to assist in his recovery (can you say business opportunity, folks?).
> >
> > Blocking ports is fine as long as you let people know what you're blocking and why, offer alternative solutions and offer to unblock if it's an absolute requirement. Often, once properly educated about the risks, a lesser experienced admin will be excited about the opportunity to do it the more secure way, and will begin preparations, so I've found the "unblock" is usually temporary.

* I love that wishful thinking. But I kept seeing the same experienced admins (or so they said) with the same spam complaints, pointing at their IP Address (even after it was changed). And home users who said they got rid of the virus but it was still there pumping away just like before you called them. We had some users that were happy we had cut them off, and told them that they had a problem (virus or otherwise).

---
Alan Spicer (a_spicerNOSPAM@bellsouth.net)
http://aspicer.homelinux.net/
http://telecom.dyndns.biz/
Systems and Network Administration, and Telecommunications
On Mon, 27 Oct 2003 04:54:30 -0500, "Bob German" <bobgerman@irides.com> wrote:
We implemented an IDS system.
Would you mind sharing some details on this, Bob? I've been thinking about implementing IDS, but don't know the field well.

/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848 Fax (403)275-4535
kenw@kmsi.net www.kmsi.net
Stewart, William C (Bill), RTSLS wrote:
I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...
If that causes you to shudder I won't tell you the extent of the Exchange Servers I have found on the internet to date. The problem is more that there is no 'easy' VPN solution, and without it you have the situation of companies making Exchange accessible in a semi-unfirewalled state (semi in that some ports are firewalled however the Microsoft ports are not).

/ Mat

PS: Some of the worst are in the SORBS database because they couldn't even work out how to secure them against simple relay.
MS> Date: Mon, 27 Oct 2003 20:06:25 +1000
MS> From: Matthew Sullivan
MS> PS: Some of the worst are in the SORBS database because they
MS> couldn't even work out how to secure them against simple
MS> relay.

"What's an open relay?"

Exact quote from a local MCSE-happy "consultancy". I expect there are other such screwballs installing trouble elsewhere.

OT: Does MCSE+I address real operational issues?

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses :
blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.
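For anyone who, like the consultancy Eddy quotes, has never had the term spelled out: an open relay is a mail server whose RCPT TO decision is "yes" for every client and every recipient, which is what lands a server in SORBS. The block below is an added illustration of that decision, not code from the thread or from any MTA; the local domain, the office network and the test cases are constructed, and a real MTA expresses the same policy in its own configuration language rather than in Python.

```python
import ipaddress

# Constructed configuration for the example; not any real site's.
LOCAL_DOMAINS = {"example.com"}                           # domains this server receives mail for
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # hypothetical office LAN


def open_relay_policy(client_ip: str, authenticated: bool, rcpt: str) -> bool:
    """The misconfiguration: relay for anyone, to anywhere."""
    return True


def relay_policy(client_ip: str, authenticated: bool, rcpt: str) -> bool:
    """Accept RCPT TO only if the recipient is local, or the client is one of ours."""
    domain = rcpt.rpartition("@")[2].strip().lower()
    if domain in LOCAL_DOMAINS:
        return True                     # inbound mail for our own domain: always accepted
    if authenticated:
        return True                     # a client that proved its identity may relay
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                    # unparsable client address: never relay
    return any(ip in net for net in INTERNAL_NETS)   # the office LAN may relay


# Constructed test cases: (client_ip, authenticated, recipient)
CASES = [
    ("203.0.113.9", False, "user@example.com"),    # stranger delivering mail to us
    ("203.0.113.9", False, "victim@example.net"),  # stranger relaying through us
    ("192.0.2.10",  False, "friend@example.net"),  # office workstation relaying
    ("203.0.113.9", True,  "friend@example.net"),  # remote user, authenticated
]


def decisions(policy) -> list:
    """Apply a policy function to every constructed case, in order."""
    return [policy(*case) for case in CASES]


if __name__ == "__main__":
    for case, open_d, fixed_d in zip(CASES, decisions(open_relay_policy), decisions(relay_policy)):
        print(case, "open relay:", open_d, "fixed:", fixed_d)
```

The second case is the one that matters: a stranger asking the server to carry mail to a third party. The open policy says yes and the server becomes a spam source; the corrected policy says no while still accepting inbound mail for the local domain and still letting the LAN and authenticated road warriors send.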
On Mon, 27 Oct 2003, E.B. Dreger wrote:
"What's an open relay?"
that's not really covered in the exchange test... and +I doesn't require the exchange test, nor does MCSE...
Exact quote from a local MCSE-happy "consultancy". I expect there are other such screwballs installing trouble elsewhere.
OT: Does MCSE+I address real operational issues?
only if your operation requires MCSE and I I suppose... Who would do that nutty thing? Oh... most of the "I" :( bummer.
I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...
I don't think that the small shops know any better. It's a matter of education, and in most of the cases I've seen the education has been painful. VPN technologies are either too weak, like PPTP, too expensive or difficult to grasp like IPsec, or too new like the HTTPS tunnels. I don't recall the source, but it was recently reported that 40% of the exchange server base is still on the v5.5 platform. Using that as a general indication, many of these shops probably won't plan to upgrade anytime soon. -John
On Mon, 27 Oct 2003 08:28:22 -0500, "John Ferriby" <john@ferriby.com> wrote:
VPN technologies are either too weak, like PPTP, too expensive or difficult to grasp like IPsec, or too new like the HTTPS tunnels.
Dunno about HTTPS; I prefer to avoid opening _any_ inbound ports through my firewalls, since my clients are typically too small to afford good stateful inspection, and I dislike server-based firewalls.

VPNs, however, are not the problem they used to be. I use Netopia R910s and 3381-ENTs, which are cheap and provide both PPTP and IPsec endpoints, with or without encryption. They're reasonably easy to configure (good documentation and good support), and work just fine with Microsoft's built-in Windows VPN clients. Yes, I know PPTP isn't as strong as IPsec. But it's certainly more than strong enough to keep out the riff-raff, and that's all we need here.

This allows me to provide secure, low-cost remote network access to and between clients' LANs without any DMZs or pinholed routers. And I tell any client who really wants to provide services to the Internet at large, that they're far better off to contract the service with an ISP, who will almost certainly do the job both better and cheaper. Hey, I make good money doing this; so can you!

I don't see any good justification for people to treat the Internet like their own back yard. But is bandwidth really so cheap that ISPs don't have any stake in conserving it?

/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848 Fax (403)275-4535
kenw@kmsi.net www.kmsi.net
John Ferriby wrote:
I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...
I don't think that the small shops know any better. It's a matter of education, and in most of the cases I've seen the education has been painful.
In most cases it isn't even the "shops", it is the "suits" who cut the check, -insisting-. "In XYZ megacorporation we ran Xchange... harrumph" So, if you know how to use a Hammer, every problem is just another nail. Including the nail with the "neat spirals" down the side.....
VPN technologies are either too weak, like PPTP, too expensive or difficult to grasp like IPsec, or too new like the HTTPS tunnels.
Breaking out an old saying, and reapplying: Something Old [IPChains], Something New [HTTPS], Something Borrowed [AIX/Linux], Something Blue [RS-6000]. YMMV, adjust to "suit" conditions, or is that "suit conditions" ? :P "You can't Hack that to which you cannot Connect."
I don't recall the source, but it was recently reported that 40% of the exchange server base is still on the v5.5 platform. Using that as a general indication, many of these shops probably won't plan to upgrade anytime soon.
A study of suits in the industry shows better than 77% will suggest Xchange when asked for a safe reliable email application server. Another study will show almost -none- (< 5%) of them will have actual "hands on" experience -administrating- said server.... or -any- experience other than that of an end user. Interestingly the majority of suits will try to drive the "neat nail with the spirals" into the wood, with the hammer, for some reason. Strangely, about 43% will -claim- success at the attempt, irrespective, fudging the paperwork for appearances. Go figure! :\
-John
FYI: Statistics show that the same personality characteristics that make for an excellent liar also make for a good leader. So much so, it can be said, "Most Good Leaders are Excellent Liars". (FWIW, Statistics -also- show that almost 70% of them had to -cheat- to get their college degree...) Well, that certainly goes -miles- in explaining politics, eh? Pardon, I digress... :) And finally, a study demonstrated, "The more knowledgeable of the field (computers) you are, the more likely you are to be humble when proffering your opinion." Conversely, it has also been demonstrated, The -=less=- knowledgeable you are in the industry, the more likely you are to accept your own opinion as the "end all", or "authoritative" on the subject. :* .TIA.

PPS: Sadly, Only -some- of the above statistics are made up. :O :* :P
On Mon, 27 Oct 2003, Stewart, William C (Bill), RTSLS wrote:
Brian Bruns asserts that there are lots of home users connecting to their office Exchange servers without VPNs, and that therefore blocking the Microsoft ports was bad. While I agree with his point that you shouldn't do it without documenting what you are or are not blocking, I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...
apparently so... reference long discussions on nanog regarding blocking welchia/nachi... People even, SHOCKER, use smb shares over the internet without vpns or firewalls :(
I can verify this as well. We block all windows ports, in and out, and have a few clients that we've had to put exclusions in the filters for. Get this, they're in the US, their Exchange server is in the UK, and instead of doing a VPN between their office (of 20 employees) and the remote office, they all use the UK's WINS Server and attach to the Exchange server through a NAT router. The only reason so far that I've been able to glean why they don't do a VPN was that the IT consultant for the parent company suggested it and this local supervisor doesn't like him so won't do anything he suggests, even if it's good advice.

We have another client who hosts an exchange server for a few remote users and I finally got them to at least use PPTP when Road Runner blocked 135-139 ports (and their remote users are all @ home on RR).

william

----- Original Message -----
From: "Christopher L. Morrow" <chris@UU.NET>
To: "Stewart, William C (Bill), RTSLS" <billstewart@att.com>
Cc: <nanog@merit.edu>
Sent: Monday, October 27, 2003 9:08 AM
Subject: Re: ISPs' willingness to take action
On Mon, 27 Oct 2003, Stewart, William C (Bill), RTSLS wrote:
Brian Bruns asserts that there are lots of home users connecting to their office Exchange servers without VPNs, and that therefore blocking the Microsoft ports was bad. While I agree with his point that you shouldn't do it without documenting what you are or are not blocking, I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...
apparently so... reference long discussions on nanog regarding blocking welchia/nachi... People even, SHOCKER, use smb shares over the internet without vpns or firewalls :(
Believe it or not, there are. When I ran a large network at an unnamed ISP, we ran graphing on certain types of traffic, and an awful lot of our business customers were doing this - with their home users accessing their corp exchange servers with no VPN. The only thing I could guess is that they weren't willing to hire someone to do things right.

There were certain situations why I had to do this personally. At the time, when I took over, there was no Exchange admin, and I was rather clueless on how to manage Exchange, so for quite a while I stumbled through trying to get things working correctly and properly securing it (and several times severely broke it). It was several months before I felt comfortable adjusting the main setup of the server so that it would work fine on my VPN hookup from the office network to the house. It's a lot different now that I am familiar with Exchange.

I was trying to get rid of exchange, but with the fact our corp office was a bunch of idiots who had no idea how to use anything else but outlook, made it nearly impossible to switch to a pure pop3/smtp setup with an online calendar and shared address book.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511

----- Original Message -----
From: "Stewart, William C (Bill), RTSLS" <billstewart@att.com>
To: <nanog@merit.edu>
Sent: Monday, October 27, 2003 1:27 AM
Subject: Re: ISPs' willingness to take action

Brian Bruns asserts that there are lots of home users connecting to their office Exchange servers without VPNs, and that therefore blocking the Microsoft ports was bad. While I agree with his point that you shouldn't do it without documenting what you are or are not blocking, I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...
participants (13)
- Alan Spicer
- Bob German
- Brian Bruns
- Christopher L. Morrow
- E.B. Dreger
- Eric Kuhnke
- John Ferriby
- kenw@kmsi.net
- Matthew Sullivan
- Niels Bakker
- Richard Irving
- Stewart, William C (Bill), RTSLS
- William Devine, II