RE: Operational impact of filtering SMB/NETBIOS traffic?
From: Shawn McMahon [mailto:smcmahon@eiv.com]
Sent: Sunday, November 19, 2000 10:08 AM

> So you're hypothesizing that this customer will:
> 1) Be behind a firewall that blocks ssh.

Sometimes ... been there ... too often.

> 2) Be behind a firewall that DOESN'T block SMB.

Usually the case.

> 3) Not be in a position to have that policy changed.

Almost always the case with a client.

> 4) Not be violating his corporation's policies when he connects through you.

Covered by NDA ... no problem. Besides, corporate policy enforcement is not part of the transit provider contract.

On Sun, Nov 19, 2000 at 10:31:06AM -0800, Roeland Meyer wrote:
> > 1) Be behind a firewall that blocks ssh.
> Sometimes ... been there ... too often.
> > 2) Be behind a firewall that DOESN'T block SMB.
> Usually the case.
> > 3) Not be in a position to have that policy changed.
> Almost always the case with a client.
> > 4) Not be violating his corporation's policies when he connects through you.
> Covered by NDA ... no problem. Besides, corporate policy enforcement is not part of the transit provider contract.

Roeland, I doubt that you can name me a single case where all of the following are true:

The firewall blocks outbound ssh.
The firewall allows inbound SMB.
The customer cannot get that policy changed.
The customer is not violating his company's policies by connecting his PC to the company network through the internet.

All four of those have to be true for your example to be meaningful.

No sane network administrator blocks ssh but allows SMB. That's like locking your 2nd-floor windows but leaving your 1st-floor doors wide open.

I agree with you that most firewalls block ssh; I do not agree that most firewalls don't block SMB, as you've stated. I in fact think that the number of firewalls that don't block SMB but do block ssh is so small as to be statistically insignificant.

Please name me a single Fortune-1000 company that blocks outbound ssh but not inbound SMB. Short of setting your firewall up this way for the express purpose of providing an example, I doubt you can even name a business listed on any stock exchange anywhere that does this; and if you can, I bet their admin will fix the problem after you do.