[c-nsp] ISP POP Location - Blocking Ports - Advice

Church, Chuck cchurch at netcogov.com
Mon Aug 2 23:18:06 EDT 2004


I began blocking these ports outbound on various customer sites a couple
years ago.  Seeing as how any legitimate business use of MS networking
over the internet will be over some encrypted means (unless the company
is trying to go out of business :), unencrypted NetBIOS is something the
world is probably better off without.  Rate-limiting ICMP echoes has
also been pretty helpful with some of these installations.  YMMV
however. 


Chuck Church
Wam!Net Government Services - D&I Team
Lead Design Engineer
CCIE #8776, MCNE, MCSE
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 703-819-3495
cchurch at wamnetgov.com
PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Monday, August 02, 2004 9:15 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ISP POP Location - Blocking Ports - Advice

Hi there..

We have decided to start being more strict on what we permit our
customers to send through our system as an ISP.  Basically I'd like to
start blocking smtp traffic except to our mail servers from dynamic
addresses.  Static IP customers will still be able to send smtp traffic.

What I am wondering though is what ports are commonly blocked now on
ISPs?  Anyone care to share their lists?

We are thinking of blocking port 25, 137, 138, 139, 445 at this point.
The reason is to cut down on the crap coming from virus infected
customers.  It's easier to slow them down than it is to chase thousands
of customers.  We tried cutting some customers off last week who were
obviously infected.  They were thankful for the phone call, got their PC
fixed up at the local shop and then a day later got infected again.
This time around they were not so friendly about the scenario...

Any thoughts would be most helpful... We are looking at putting access
lists at each POP site for now and go from there...

Paul


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


----------------------------------------------------------------------------
 NOTE: As of 8/1/2004 my email address has changed to cchurch at netcogov.com
----------------------------------------------------------------------------
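
As an added illustration (not configuration posted by either participant), the policy discussed in this thread could be written as a Cisco IOS access list and ICMP echo rate limit like the one below. The ACL name, interface, addresses (documentation ranges), the TCP/UDP choice for each port and the rate-limit figures are all assumptions; the thread gives only the port numbers.

```cisco
! Constructed addressing (documentation ranges), not from the thread:
!   192.0.2.0/24    dynamic customer pool at this POP
!   198.51.100.25   ISP mail server
!
ip access-list extended POP-CUSTOMER-IN
 remark SMTP from dynamic customers is allowed only to the ISP mail server
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.25 eq 25
 deny   tcp 192.0.2.0 0.0.0.255 any eq 25
 remark NetBIOS (137-139) and SMB (445), blocked on both TCP and UDP
 deny   tcp any any range 137 139
 deny   udp any any range 137 139
 deny   tcp any any eq 445
 deny   udp any any eq 445
 remark Everything else passes, including SMTP from static-IP customers
 permit ip any any
!
! ACL 150 only classifies ICMP echo requests for the rate limit below
access-list 150 permit icmp any any echo
!
interface Serial0/0
 description Customer-facing interface (hypothetical name)
 ip access-group POP-CUSTOMER-IN in
 ! Assumed figures: 256 kbit/s of echo requests, 8000-byte bursts
 rate-limit input access-group 150 256000 8000 8000 conform-action transmit exceed-action drop
```

Entries are matched top down, so the SMTP permit for the mail server must stay above the SMTP deny. Adding `log` to the deny entries while the list is new shows which customers are hitting them.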



