North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: How to secure the Internet in three easy steps

  • From: Eric M. Carroll
  • Date: Sun Oct 27 14:38:25 2002

Sean,

At Home's policy was that servers were administratively forbidden. It
ran proactive port scans to detect them (which of course were subject to
firewall ACLs) and actioned them under a complex and changing rule set.
It frequently left enforcement to the local partner depending on
contractual arrangements. It did not block ports. Non-transparent
proxing was used for http - you could opt out if you knew how. 

While many DSL providers have taken up filtering port 25, the cable
industry practice is mostly to leave ports alone. I know of one large
cable company that did the right thing and implemented SMTP
authentication for their mail service.  The world would be a different
place if client to server mail submission was done in an authenticated
manner consistently across the Internet. Its amazing how many ISPs don't
implement this best practice.

Regards,

Eric Carroll

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Sean Donelan
Sent: October 25, 2002 5:36 PM
To: Paul Vixie
Cc: nanog@merit.edu
Subject: Re: How to secure the Internet in three easy steps 



On Fri, 25 Oct 2002, Paul Vixie wrote:
> > Not only that, but unless _everyone_ implements 2 and/or 3, all the 
> > bad people that exploit the things these are meant to protect will 
> > migrate to the networks that lack these measures, mitigating the 
> > benefits.
>
> not just the bad people.  all the people.  a network with 2 or 3 in 
> place is useless.  there is no way to make 2 or 3 happen.

AOL?  I believe they proxy almost all their subscribers through several
large datacenters, and don't allow users to run their own servers.

@Home prohibited customer servers on their network, blocked several
ports, and proxied several services.

Its common for ISPs outside of the US to force their customers to use
the ISP's web proxy server, even hijacking connections which attempt to
bypass it.

As part of their anti-spam efforts, several providers block SMTP port
25, and force their subscribers to only use that provider's SMTP
relay/proxy to send mail.  Why not extend those same restrictions to
other (all) protocols?

Many corporate networks already proxy all their user's traffic, and
prohibit direct connections through the corporate firewalls.

I think its a bad idea, but techincally I have a hard time saying its
technically impossible.