Re: Telco's write best practices for packet switching networks
"rp" == Rob Pickering <rob@pickering.org> writes:
rp> --On 06 March 2002 15:04 +0000 "Christopher L. Morrow" <chris@UU.NET> rp> wrote:
Eric's point was you deploy your fancy-dan mail server with ONLY 22 and 25 listening,
rp> Um, that would be "ONLY port 25 listening" on it's public network rp> facing interface wouldn't it. rp> Why would you want to expose a management protocol like ssh to the rp> Internet? You wouldn't. Neither would I. I'll go poke fun at Chris. rp> OK so leaving ssh open is convenient, but if we are talking best rp> practice surely having your remote management protocols running on a rp> separate network, or at the very least filtering on a host basis so rp> that it's only listening to connects from your NOC has to be the way rp> to do this. Absolutely. It bothers me that as an ISP, we kinda have to run mail and dns servers. If there were two protocols I'd choose NOT to expose to the public network, they'd be it. I'd much rather expose ssh than bind or sendmail. ericb -- Eric Brandwine | Apart from hydrogen, the most common thing in the UUNetwork Security | universe is stupidity. ericb@uu.net | +1 703 886 6038 | - Harlan Ellison Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
On 6 Mar 2002, Eric Brandwine wrote:
"rp" == Rob Pickering <rob@pickering.org> writes: rp> Why would you want to expose a management protocol like ssh to the rp> Internet?
You wouldn't. Neither would I. I'll go poke fun at Chris.
I can think of a few reasons, it's no more/less secure than sendmail/postfix/bind/snmpdx/...... its just another thing to monitor and upgrade when there are problems. In most people's example networks they PROBABLY run all their 'services' on virtual interfaces anyway so ssh doesn't have to listen on the same ip as bind so perhaps it's a non-issue.
rp> OK so leaving ssh open is convenient, but if we are talking best rp> practice surely having your remote management protocols running on a rp> separate network, or at the very least filtering on a host basis so rp> that it's only listening to connects from your NOC has to be the way rp> to do this.
Absolutely. It bothers me that as an ISP, we kinda have to run mail and dns servers. If there were two protocols I'd choose NOT to expose to the public network, they'd be it. I'd much rather expose ssh than bind or sendmail.
We can be an ISP or we can not be an ISP, its a business decision... the 'be an ISP' seems to make money while the 'I got big vats of fiber in the ground wanna use it for telephones?' seems to NOT make money.
On Wed, Mar 06, 2002 at 06:15:29PM +0000, Eric Brandwine wrote:
Absolutely. It bothers me that as an ISP, we kinda have to run mail and dns servers. If there were two protocols I'd choose NOT to expose to the public network, they'd be it. I'd much rather expose ssh than bind or sendmail.
You know, you can run mail and DNS servers without exposing either of those. --Adam -- Adam McKenna <adam@flounder.net> | GPG: 17A4 11F7 5E7E C2E7 08AA http://flounder.net/publickey.html | 38B0 05D0 8BF7 2C6D 110A
participants (3)
-
Adam McKenna
-
Christopher L. Morrow
-
Eric Brandwine