[c-nsp] ISP POP Location - Blocking Ports - Advice

james at thehamptonfamily.us
Tue Aug 3 11:08:35 EDT 2004


We block all the Microsoft NetBIOS stuff and Bogons. I would like to
eventually set up SMTP Auth, but that can be a support nightmare when
first setting it up. Eventually I would like to set up an intrusion
detection system so we can see what ports the new viruses are using.
Is there a way to hook an intrusion detection system into an Expect
script so intrusive ports automatically get added to an ACL? Or is this
not a great idea, due to possible unexpected results (blocking valid
traffic, etc.)?

James



> On (02/08/04 22:18), Church, Chuck wrote:
>>
>> I began blocking these ports outbound on various customer sites a
>> couple years ago.  Seeing as how any legitimate business use of MS
>> networking over the internet will be over some encrypted means (unless
>> the company is trying to go out of business :), unencrypted NetBIOS is
>> something the world is probably better off without.  Rate-limiting
>> ICMP echoes have also been pretty helpful with some of these
>> installations.  YMMV however.
>>
>
> the secure ios template has some good suggestions -  several i am
> currently using (i was only thinking of acl's earlier):
>
> uRPF is good - strict for downstream and/or customer ports, loose for
> your transit interfaces
> bogon filtering
> rate-limiting icmp, syn, udp into the network (only after several
> months of baselining and tuning)
> filtering 'bad' icmp (stuff that doesn't really have a legit use)
>
> http://www.cymru.com/Documents/secure-ios-template.html
>
> /joshua
> --
> A common mistake that people make when trying to design something
> completely foolproof is to underestimate the ingenuity of complete
> fools.
> 	- Douglas Adams -
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
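One way to approach the IDS-to-ACL idea raised above without the "blocking valid traffic" surprise is to put a filter between the IDS and the router: only ports that cross a hit threshold and are not on a never-block allowlist get turned into ACL lines, which an Expect session (not shown) could then push to the router, or which an operator could review first. The script below is an added example for this thread, not code from any poster; the alert line format (`proto dst_port src_ip`), the threshold, the allowlist contents and the sample alerts are all constructed assumptions. The NetBIOS/SMB ports it always denies are the ones the thread already blocks by hand.

```python
"""Turn IDS port alerts into Cisco IOS extended-ACL lines, with guards against
auto-blocking legitimate services.

Added example for the cisco-nsp thread, not a poster's code. The alert format,
threshold, allowlist and sample data below are constructed for illustration.
"""
from collections import Counter

# Assumption: services the POP's customers legitimately use. Never auto-block
# these, however noisy the IDS gets about them (scans of port 80 are constant).
NEVER_BLOCK = {
    "tcp": {22, 25, 53, 80, 110, 143, 443, 993, 995},
    "udp": {53, 123, 500},
}

# Microsoft NetBIOS/SMB ports the thread already blocks unconditionally.
BASELINE_BLOCK = {
    "tcp": {135, 137, 138, 139, 445},
    "udp": {135, 137, 138},
}

# Constructed sample alerts in the assumed 'proto dst_port src_ip' format
# (192.0.2.0/24 is the documentation range). Counts are chosen so that one
# port clears the threshold, one is allowlisted, and one is below threshold.
SAMPLE_ALERTS = (
    ["tcp 445 192.0.2.10"] * 60      # NetBIOS/SMB probes, already in baseline
    + ["tcp 80 192.0.2.11"] * 200    # web scans: noisy but allowlisted
    + ["tcp 5000 192.0.2.12"] * 75   # constructed "new worm" port, over threshold
    + ["udp 1900 192.0.2.13"] * 10   # below threshold, should be ignored
    + ["udp 53 192.0.2.14"] * 300    # DNS: allowlisted
)


def parse_alerts(lines):
    """Count (proto, port) pairs seen in IDS alert lines; skip blanks/comments."""
    hits = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, port, _src = line.split()
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            continue
        hits[(proto, int(port))] += 1
    return hits


def ports_to_block(hits, threshold=50):
    """Return the set of (proto, port) that cross the threshold and are not
    on the never-block allowlist."""
    chosen = set()
    for (proto, port), count in hits.items():
        if count < threshold:
            continue
        if port in NEVER_BLOCK[proto]:
            continue
        chosen.add((proto, port))
    return chosen


def ios_acl(name, extra):
    """Render a named extended ACL: baseline NetBIOS denies plus the extra
    (proto, port) pairs, ending in permit ip any any."""
    lines = [f"ip access-list extended {name}"]
    for proto in ("tcp", "udp"):
        ports = BASELINE_BLOCK[proto] | {p for pr, p in extra if pr == proto}
        for port in sorted(ports):
            lines.append(f" deny {proto} any any eq {port}")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    chosen = ports_to_block(parse_alerts(SAMPLE_ALERTS))
    print("\n".join(ios_acl("BLOCK-WORMS", chosen)))
```

With the constructed alerts, only tcp/445 (already in the baseline) and tcp/5000 are selected; the 200 hits on tcp/80 and 300 on udp/53 are dropped by the allowlist, and udp/1900 never reaches the threshold. Rebuilding the whole named ACL each run, rather than appending single lines, keeps the router's ACL equal to what the script last decided, so a port that stops triggering can be removed just as automatically.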