[Dshield] Re: [Full-Disclosure] Port Blocking

Rodney.Meryweather@ctimi.com Rodney.Meryweather at ctimi.com
Mon Jun 30 14:07:16 GMT 2003


Well
        So far I have been sitting on the sidelines and seeing a 
relatively good volley of verbiage. As for the vote on the latest, the norm 
for the firewalls is definitely one to be looked at. There are two 
norms based on theory: the one that states all ports shut until needed and 
the other of all ports open until the need for closure is decided. Obviously 
the first is the most widely accepted for obvious reasons in the corporate 
or basic business environment, while the other has its merits based in a 
highly fluid environment.
        Since there are so many protocols and applications that are used 
in today's world an ISP would almost certainly have to open up more than 
just a few ports of the norm. You have the VPN tunnels UDP ports 50 and 
500 and TCP 500 for remote based workers, Lotus Notes, SSH, firewall 
admins that are not able to stay at work 24x7 that require special ports 
based on vendor, and a myriad of others, so an ISP would certainly have to 
have a full time staff of 15 - 20. This would be needed on an around the 
clock basis to keep up with just the tracking and changes that needed 
to be made if they were to support their customers in the manner that a 
provider needs to stay in business.
        Rather than attempting to restrict all but the necessary ports on 
an ISP whose business it is to open up pipes for usage, would it not be 
better to shut the ones that are known problems and then aggressively 
monitor the ones that are open? In this an ISP would be able to respond 
appropriately while giving the most flexibility to its clients and not 
over inundating its staff that is almost surely overworked now.


Rodney Meryweather
HIPAA Coordinator & Security Analyst
CTI Molecular Imaging

"Deb Hale" <haled at pionet.net>
Sent by: list-bounces at dshield.org
06/30/2003 09:04 AM
Please respond to General DShield Discussion List
 
        To:     "'General DShield Discussion List'" <list at dshield.org>
        cc: 
        Subject:        RE: [Dshield] Re: [Full-Disclosure] Port Blocking


I agree also

Vote +2

Deborah F Hale
Certified Business Continuity Professional/Computer Security Specialist
BCP Enterprise, Inc
Telephone: (712) 252-0361
www.bcpenterprise.com



-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Rick Leske
Sent: Friday, June 27, 2003 12:50 PM
To: General DShield Discussion List
Subject: RE: [Dshield] Re: [Full-Disclosure] Port Blocking


I agree..

Vote +1

~Rick

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
> Behalf Of Mrcorp
> Sent: Friday, June 27, 2003 12:10 PM - FamHost
> To: General DShield Discussion List
> Subject: Re: [Dshield] Re: [Full-Disclosure] Port Blocking
>
>
> I have been known for instigating, so here it goes...
>
> What happened to the golden security rule of "Deny everything,
> except what is truly needed."  I
> mean most ISPs' User Agreements state that you are not allowed to
> run web servers, email servers
> and etc.  Therefore, only a few ports like TCP 80, 445 and
> perhaps one or two more are really
> needed.
>
> The second thought is, what if ISPs were like cable companies?
> What if they only allowed specific
> ports (like channels) that they deem appropriate for their users???
>
> Mrcorp
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> ___________________________________________________________________
> Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
>
>



