RE: Operational impact of filtering SMB/NETBIOS traffic?
Ah, but here's the rub: Is there anything, from a business standpoint (read: contracts), that says that you have the right, much less the obligation, to make 'security' decisions for the customer? If not, you're opening your company up to massive lawsuits.

It's a -very- touchy subject -- but I, as a customer, want exclusive right to make filtering decisions over what goes from my network to the peering point, where the other backbone providers can choose their own policy. The reason for this is so that, if necessary, I can run any protocol I have a need to run over all circuits that I have that are connected to the same ISP. If it is shown that my network is relaying spam traffic, or is otherwise abusing the precepts of "Maintain Control Over What Flows In To And Out Of Your Network", only -then- would I think that control should be exercised by the NSP, and only then to the extent necessary to stop the abuse. And a hefty fine should be imposed on my company in that circumstance.

Or are you thinking that the only clueful people in the network world exist at the NSPs?

-Mat Butler

-----Original Message-----
From: Shawn McMahon [mailto:smcmahon@eiv.com]
Sent: Sunday, November 19, 2000 4:53 AM
To: nanog@merit.edu
Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?

On Sat, Nov 18, 2000 at 08:19:12PM -0800, Roeland Meyer wrote:

> because we want shares. You are considering killing off a whole bunch of legitimate use because some are too brain-dead to not have unintentional shares on the internet?

There are other issues with Microsoft's networking protocols than just unintentional shares. It leaks potentially lethal information like a sieve. Letting it willy-nilly through your firewalls is an invitation to have compromised hosts on your network. It should be filtered by default, and only un-filtered by request; and that with the understanding that if it even looks like you might be owned, you get cut off until there's an explanation.
On Mon, Nov 20, 2000 at 04:12:19AM -0800, Mathew Butler wrote:

> Ah, but here's the rub: Is there anything, from a business standpoint (read: contracts), that says that you have the right, much less the obligation, to make 'security' decisions for the customer? If not, you're opening your company up to massive lawsuits.

Let me get this straight; you think that instead of shooting you an email asking that the port be opened, your customer is going to call in the lawyers and file suit? WTF are your customers?

> It's a -very- touchy subject -- but I, as a customer, want exclusive right to make filtering decisions over what goes from my network to the peering point, where the other backbone providers can choose their own policy. The reason for this is so that, if necessary, I can run any protocol I have a need to run over all circuits that I have that are connected to the same ISP.

Well, tough. We all filter various things, whether that be RFC 1918 addresses, NetBIOS, or Other. There's not a thing wrong with filtering by default, and removing if the customer asks, and since I did it for years without getting sued I reject your entire argument that the latter is what will occur.

> Or are you thinking that the only clueful people in the network world exist at the NSPs?

No, I'm thinking 99% of them exist at the NSPs. My experience has so far borne this out. Then again, I've been no higher than Tier 3, so WTF do I know? :-)
Shawn McMahon [smcmahon@eiv.com] wrote:

> On Mon, Nov 20, 2000 at 04:12:19AM -0800, Mathew Butler wrote:
>
> > Ah, but here's the rub: Is there anything, from a business standpoint (read: contracts), that says that you have the right, much less the obligation, to make 'security' decisions for the customer? If not, you're opening your company up to massive lawsuits.
>
> Let me get this straight; you think that instead of shooting you an email asking that the port be opened, your customer is going to call in the lawyers and file suit?

See, what Mathew wrote is pretty much my point in all of this. Now, I'm not going to call in the lawyers, but I'm one of those people that tries to track down all the places that I may have screwed up before I fire off an e-mail to my provider. I never want to say 'uh, I dunno, I didn't check that' (it will, of course, happen, but I really do my best to keep that to a minimum) when I've got a (ISP) technician on the phone. So, before I send that message asking for a port to be opened, I will likely have spent several hours tracking down the problem. That's several hours wasted.

> WTF are your customers?

Lawyers, maybe? ;)

> > It's a -very- touchy subject -- but I, as a customer, want exclusive right to make filtering decisions over what goes from my network to the peering point, where the other backbone providers can choose their own policy. The reason for this is so that, if necessary, I can run any protocol I have a need to run over all circuits that I have that are connected to the same ISP.
>
> Well, tough. We all filter various things, whether that be RFC 1918 addresses, NetBIOS, or Other. There's not a thing wrong with filtering by default, and removing if the customer asks, and since I did it for years without getting sued I reject your entire argument that the latter is what will occur.

Filtering RFC 1918 is to be expected. That traffic isn't supposed to be on the net as a whole (as per the RFC), so I expect that I won't be able to ping my 10.1.1.1 router from another network. However, I don't expect my provider to arbitrarily start filtering ports. I'm not arguing for or against SMB related filtering, I'm looking at filtering as a whole. I'm talking about the act of port filtering on the backbones.

> > Or are you thinking that the only clueful people in the network world exist at the NSPs?
>
> No, I'm thinking 99% of them exist at the NSPs. My experience has so far borne this out.

Bah, there's a lot of money outside of the NSPs, surely more than one percent have drifted away by now...

Mike
--
Mike Johnson
Network Engineer / iSun Networks, Inc.
Morrisville, NC
All opinions are mine, not those of my employer
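An added example, not from any poster in this thread: a small policy check that models the provider-edge stance Shawn argues for above (NetBIOS/SMB dropped by default, opened only for a customer who asks) alongside the RFC 1918 filtering Mike says he expects, with no opt-out for the latter. Customer names, prefixes and sample flows are constructed; TCP 445 is included as an assumption about what "SMB" covers beyond the NetBIOS ports.

```python
import ipaddress
from collections import namedtuple

# Hypothetical provider-edge policy: drop RFC 1918 and NetBIOS/SMB by default,
# lift the NetBIOS/SMB filter only for customers who asked. Prefixes below are
# constructed from RFC 5737 documentation ranges, not real customers.
NETBIOS_SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CUSTOMERS = {  # customer name -> assigned prefixes (constructed)
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}
UNFILTERED = {"cust-a"}  # customers who mailed in asking for NetBIOS/SMB opened
Flow = namedtuple("Flow", "src dst proto dport")  # proto is "tcp" or "udp"

def customer_of(ip, customers=CUSTOMERS):
    """Name of the customer whose prefix holds ip, or None if off-net."""
    for name, nets in customers.items():
        if any(ip in n for n in nets):
            return name
    return None

def decide(flow, unfiltered=UNFILTERED):
    """Return (action, reason) for one flow under the default-filter policy."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # RFC 1918 space never crosses the edge; there is no customer opt-out here.
    if any(src in n or dst in n for n in RFC1918):
        return "drop", "rfc1918"
    if (flow.proto, flow.dport) in NETBIOS_SMB_PORTS:
        # Every on-net party must have asked for the filter lifted, so an
        # opted-out customer cannot push NetBIOS at a neighbour who did not.
        parties = {customer_of(src), customer_of(dst)} - {None}
        if parties and parties <= unfiltered:
            return "permit", "netbios-unfiltered-on-request"
        return "drop", "netbios-default-filter"
    return "permit", "default"

SAMPLE_FLOWS = [  # constructed traffic, one per policy branch
    Flow("203.0.113.10", "198.51.100.20", "tcp", 139),  # opted-out -> filtered
    Flow("203.0.113.10", "192.0.2.5", "tcp", 445),      # opted-out -> off-net
    Flow("198.51.100.20", "192.0.2.5", "udp", 137),     # default filter applies
    Flow("10.1.1.1", "192.0.2.5", "tcp", 80),           # RFC 1918 source
    Flow("198.51.100.20", "192.0.2.5", "tcp", 80),      # ordinary traffic
]

def audit(flows=SAMPLE_FLOWS):
    """Decision per flow, in input order: list of (action, reason)."""
    return [decide(f) for f in flows]
```

The first sample flow shows the point of requiring every on-net party to have opted out: a customer who asked for NetBIOS to be opened still cannot reach a neighbouring customer who did not.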