Firewall Wizards mailing list archives

Re: outbound traffic security risk


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 23 Mar 2004 21:59:28 +0530

On 23/03/04 11:25 -0500, Mitchell Rowton wrote:
> <snip>
>
> Ahem! ISPs are /not/ corporate providers. They should NOT be blocking
> stuff (currently, NetBIOS and a bunch of MS ports exempted, and port
> 25 outbound, but that's a different beast.)
>
> </snip>
>
> That's why I gave an example of how an ISP can't block http but should
> block msrpc and sql, sounds like we are on the same page but the "Ahem!"
> leads me to think you are disagreeing..?

Mostly disagreeing. Blocking is the final solution to an issue, if
nothing else works. We are on the same page, with me adding a caveat
about the default policy for ISPs and corporate networks (default allow
against default deny).
 
> I think some ISPs which are focused toward non-technical users could
> (and do) add value to their service by providing basic filtering and
> protect users from the above example ports.  This should of course be
> agreed upon by the customer before filtering. In most cases, most
> customers would want a minimum amount of protection.

My ISP blocks, and charges money to be unblocked. I still don't have
working ICMP and a whole lot of other crap on the network.

I really have no better ISP right now, though the market might hopefully
change with new entrants in a few months.

> You shouldn't think of this as taking away your rights and freedom on
> the internet to not be filtered.  I chose my ISP because I didn't want
> to be filtered, and they don't filter.  But I wouldn't agree with a
> general statement that ISPs should NOT be blocking stuff.  Users should
> have the option of having a minimum amount of protection, they should
> have the option of choosing an ISP that provides this service.  If more
> users chose ISPs that provide this service then entire categories of
> risks on the internet would be mitigated significantly.

I have no issues with an ISP offering to manage a firewall for the end
user and charging for it. I have no objection to ISPs blocking ports on
request by customers.

I do have issues with general blocking of ports by ISPs by default.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

