ietf-asrg

Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0

2007-03-03 09:21:51
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

gep2(_at_)terabites(_dot_)com wrote:
> On Fri, 02 Mar 2007 23:19:03 -0500
>  Stephanie Erin Daugherty <stephanie(_at_)ahbl(_dot_)org> wrote:
>> Ok... I'm putting on my Nomex suit for this reply.
>>
>> Routeable addresses are not inherently less secure. NAT is not the
>> only way, or even a good way, to secure hosts.
>
> Securing the hosts is not the issue here.  Nor, in fact, securing
> clients!  The fact is however that typical user desktop machines are
> SAFER if just anyone anywhere on the Internet can't reach out and poke
> them directly.

"Safer", but these days, NOT that much safer.  Most spambots these days
DO NOT require inbound connections from the Internet to function, and
therefore a NAT doesn't help; in fact, it becomes the explicit hindrance
you reported.

> That's fine for companies like General Motors or Ebay or Amazon.  What
> you're suggesting is arguably inappropriate for a 15-person company with
> NO in-house IT staff at all (say, a doctor's office).  We're talking
> about a company here that uses ONE single Novell server running the
> whole company.

Securing the NAT so that _only_ that one single Novell server can reach
the Internet on port 25 would most likely have completely eliminated the
problem you were seeing.

> Ironically, the solution we (at least initially) had to go to involved
> us moving AWAY from our in-house outgoing MTAs, and having to ENABLE the
> applications at individual user desktops to route their e-mails directly
> to out-of-house servers.  This is not safer, and it is also MUCH slower
> as viewed by the users than allowing their in-house mail servers to
> buffer such operations.

That also works to get your "critical" email out, but won't prevent the
NAT from abusing the Internet if you haven't also secured the NAT
against outbound port 25 connections.

> Note that the blacklisting taking effect at E-fax, specifically (and
> which suddenly prevented the company from sending out more than 500
> faxes a day) happened at least three days after (TTBOMK) the infection
> HAD been cleared up.

Three days _after_ you removed the listing?  That seems unlikely.

> (Of course, who can be sure?  The blacklisting
> company doesn't tell us EXACTLY what they were blacklisting us for).

Did you ask?  The CBL (main component of the XBL) is pretty good at
explaining what happened.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iQCVAwUBRemfAJ3FmCyJjHfhAQKNdQP9ECYSEdk+H/gBlKwaYKQTW3PV76JtaC0n
DvkWQNGsReewsLHsO24BTjiGG4xi9Bfwg9dkWg+UubOOT90MVh4T1tGCqwI9wkWs
TKeksZMMhB36j3fiDEQw48knhgqCjWb2rAmTsu8GXW8Rie2gsITIskknf4J1q1xB
HuIp5g1eezk=
=OHQs
-----END PGP SIGNATURE-----

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
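The egress-control point made in the reply above (only the one in-house MTA may open outbound port 25 through the NAT; a spambot on a desktop needs no inbound access, so only outbound filtering catches it) as an added worked example. This is editor-supplied code, not anything posted to the list or used at the company discussed. The LAN range, the MTA address, the flow-log format and the sample log lines are all constructed assumptions for illustration; the block audits such a log for direct-to-MX SMTP from non-MTA hosts and emits the matching iptables FORWARD rules.

```python
"""
Added example: audit a NAT gateway's connection log for outbound SMTP from
anything other than the single authorised MTA, and emit the egress rules
that would enforce that policy.  All addresses, the log format and the
sample lines are assumptions constructed for this illustration.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed office LAN
AUTHORISED_MTA = ipaddress.ip_address("192.168.10.5")     # assumed: the one in-house mail server
SMTP_PORT = 25                                            # direct-to-MX delivery only

# Assumed flow-log format, one flow per line:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        m["ts"],
        ipaddress.ip_address(m["src"]),
        ipaddress.ip_address(m["dst"]),
        int(m["dport"]),
        m["proto"].lower(),
    )


def is_rogue_smtp(flow: Flow) -> bool:
    """True for outbound TCP/25 from an internal host that is not the authorised MTA.
    Internal-to-internal port 25 (desktops relaying through the MTA) is allowed."""
    return (
        flow.proto == "tcp"
        and flow.dport == SMTP_PORT
        and flow.src in INTERNAL_NET
        and flow.dst not in INTERNAL_NET
        and flow.src != AUTHORISED_MTA
    )


def audit(lines: Iterable[str]) -> Dict[str, int]:
    """Count rogue outbound SMTP flows per internal source host."""
    hits: Counter = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is not None and is_rogue_smtp(flow):
            hits[str(flow.src)] += 1
    return dict(hits)


def egress_rules(lan=INTERNAL_NET, mta=AUTHORISED_MTA) -> List[str]:
    """iptables FORWARD-chain rules for the policy the audit checks: only the
    MTA may open TCP/25 outbound; every other internal host is logged, then
    rejected with a RST so the spambot fails fast instead of hanging."""
    return [
        f"iptables -A FORWARD -s {mta} -p tcp --dport {SMTP_PORT} -j ACCEPT",
        f"iptables -A FORWARD -s {lan} -p tcp --dport {SMTP_PORT} "
        f"-j LOG --log-prefix 'SMTP-EGRESS-BLOCK '",
        f"iptables -A FORWARD -s {lan} -p tcp --dport {SMTP_PORT} "
        f"-j REJECT --reject-with tcp-reset",
    ]


# Constructed sample log: the MTA relaying normally, one desktop (.42) going
# direct-to-MX to two outside hosts, a desktop (.77) using submission/HTTPS,
# and the same .42 desktop legitimately handing mail to the internal MTA.
SAMPLE_LOG = """\
2007-03-01T10:00:01 192.168.10.5:40112 -> 203.0.113.25:25 tcp
2007-03-01T10:00:05 192.168.10.42:51023 -> 198.51.100.7:25 tcp
2007-03-01T10:00:06 192.168.10.42:51024 -> 198.51.100.9:25 tcp
2007-03-01T10:00:09 192.168.10.77:51200 -> 203.0.113.80:587 tcp
2007-03-01T10:00:10 192.168.10.77:51201 -> 203.0.113.80:443 tcp
2007-03-01T10:00:12 192.168.10.42:51025 -> 192.168.10.5:25 tcp
this line is not a flow record
"""

if __name__ == "__main__":
    for host, n in sorted(audit(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: {n} direct outbound SMTP connection(s) bypassing the MTA")
    print("\n".join(egress_rules()))
```

The audit deliberately ignores port 587: submission with authentication to an outside provider is the path the poster ended up enabling on desktops, and blocking it is a separate policy decision. The rule order matters: the MTA's ACCEPT must precede the LAN-wide LOG/REJECT, and the LOG line gives the NAT a record of which desktop to go and clean.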