Brian Bruns asserts that there are lots of home users
connecting to their office Exchange servers without VPNs,
and that therefore blocking the Microsoft ports was bad.
While I agree with his point that you shouldn't do it
without documenting what you are or are not blocking,
I'm really surprised to hear the assertion that people are
leaving unfirewalled Exchange servers out on the net.
Is this actually common? /shudders...
* billstewart@att.com (Stewart, William C (Bill), RTSLS) [Mon 27 Oct 2003, 07:27 CET]:
> I'm really surprised to hear the assertion that people are
> leaving unfirewalled Exchange servers out on the net.
> Is this actually common? /shudders...
I, for one, strongly support your proposal of blocking connections
towards port 25 on Exchange servers Internet-wide.
Kind regards,
-- Niels.
It's true. I don't know if it's prevalent, but you'd be amazed at how
many small shops are putting exchange on the public internet using the
spooky windows ports to attach to it.
IMHO the best solution to most of these problems is education.
We implemented an IDS system. The ROI comes from the inbound attacks
being detected/prevented/shunned. But it's also listening to the
outbound stuff, so when we see that a customer has the flavor of the
week, we cut him off, give him a call and some friendly advice, and
everyone's happy. When we see IRC joins and port scans from a customer
server, we give him a call, advise him that he's been rooted, and offer
to assist in his recovery (can you say business opportunity, folks?).
Blocking ports is fine as long as you let people know what you're
blocking and why, offer alternative solutions and offer to unblock if
it's an absolute requirement. Often, once properly educated about the
risks, a lesser experienced admin will be excited about the opportunity
to do it the more secure way, and will begin preparations, so I've found
the "unblock" is usually temporary.
I believe the answer is for all providers to do this -- monitor outbound
traffic with IDS, consider it a business opportunity to offer managed
services to your customers. Resell virus software, firewall units, and
most importantly, education. Your customers will appreciate it, believe
me.
-Bob
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Stewart, William C (Bill), RTSLS
Sent: Monday, October 27, 2003 1:27 AM
To: nanog@merit.edu
Subject: Re: ISPs' willingness to take action

Brian Bruns asserts that there are lots of home users connecting to
their office Exchange servers without VPNs, and that therefore blocking
the Microsoft ports was bad. While I agree with his point that you
shouldn't do it without documenting what you are or are not blocking,
I'm really surprised to hear the assertion that people are leaving
unfirewalled Exchange servers out on the net.
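The outbound-side IDS logic Bob describes above (watch the customer's own traffic, flag port scans and IRC joins, then cut the customer off and phone them), as an added example that is not part of the original thread or anyone's posted code. The flow record layout, the thresholds and the sample flows are constructed for the demo; addresses are from the documentation ranges.

```python
from collections import Counter, defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, payload_bytes).
# In practice these would come from a flow collector or an IDS tap on the
# customer-facing side of the network.
SAMPLE_FLOWS = (
    # 192.0.2.10 is an ordinary customer host: two web connections
    [("192.0.2.10", "198.51.100.5", 80, "tcp", b"GET / HTTP/1.0\r\n\r\n"),
     ("192.0.2.10", "198.51.100.5", 443, "tcp", b"")]
    # 192.0.2.20 sweeps 135/tcp across a /24: worm propagation
    + [("192.0.2.20", f"203.0.113.{i}", 135, "tcp", b"") for i in range(1, 60)]
    # 192.0.2.30 joins an IRC channel: typical bot command-and-control
    + [("192.0.2.30", "198.51.100.77", 6667, "tcp",
        b"NICK x\r\nUSER x 0 * :x\r\nJOIN #botz\r\n"),
       ("192.0.2.30", "198.51.100.77", 6667, "tcp", b"PRIVMSG #botz :up\r\n")]
    # 192.0.2.40 probes 39 ports on one host: a vertical scan
    + [("192.0.2.40", "203.0.113.200", p, "tcp", b"") for p in range(1, 40)]
)

HOST_THRESHOLD = 20   # distinct targets on one port before we call it a sweep
PORT_THRESHOLD = 20   # distinct ports on one target before we call it a scan


def detect_outbound_abuse(flows, host_threshold=HOST_THRESHOLD,
                          port_threshold=PORT_THRESHOLD):
    """Return {src_ip: [(kind, detail, count), ...]} for hosts that need a call.

    Three signals, all taken from the customer's outbound side:
      horizontal_scan  one port hit on many distinct targets
      vertical_scan    many distinct ports on one target
      irc_join         an IRC JOIN in the payload, matched regardless of port,
                       because bots rarely sit on 6667
    """
    targets_by_port = defaultdict(lambda: defaultdict(set))  # src -> "port/proto" -> {dst}
    ports_by_target = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    joins = defaultdict(Counter)                              # src -> {channel: n}

    for src, dst, port, proto, payload in flows:
        targets_by_port[src][f"{port}/{proto}"].add(dst)
        ports_by_target[src][dst].add(port)
        for line in payload.decode("latin-1").split("\r\n"):
            parts = line.split()
            if len(parts) >= 2 and parts[0].upper() == "JOIN":
                # the channel list may be comma-separated: JOIN #a,#b
                for chan in parts[1].split(","):
                    joins[src][chan] += 1

    findings = defaultdict(list)
    for src, per_port in targets_by_port.items():
        for key, dsts in sorted(per_port.items()):
            if len(dsts) >= host_threshold:
                findings[src].append(("horizontal_scan", key, len(dsts)))
    for src, per_dst in ports_by_target.items():
        for dst, ports in sorted(per_dst.items()):
            if len(ports) >= port_threshold:
                findings[src].append(("vertical_scan", dst, len(ports)))
    for src, chans in joins.items():
        for chan, n in sorted(chans.items()):
            findings[src].append(("irc_join", chan, n))
    return dict(findings)


def to_notify(findings):
    """Customer hosts to cut off and phone, in a stable order."""
    return sorted(findings)


if __name__ == "__main__":
    result = detect_outbound_abuse(SAMPLE_FLOWS)
    for src in to_notify(result):
        for kind, detail, count in result[src]:
            print(f"{src}: {kind} {detail} ({count})")
```

The thresholds are the tunable part: a single customer mail server legitimately talks to hundreds of hosts on 25/tcp, so a real deployment keys the sweep threshold by port and exempts known servers. Matching JOIN in the payload rather than by port number is what catches bots on non-standard ports, but it sees nothing once the C&C channel is encrypted; the scan signals still work there.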
Stewart, William C (Bill), RTSLS wrote:
> I'm really surprised to hear the assertion that people are
> leaving unfirewalled Exchange servers out on the net.
> Is this actually common? /shudders...
If that causes you to shudder I won't tell you the extent of the Exchange Servers I have found on the internet to date.
The problem is more that there is no 'easy' VPN solution, and without it you have the situation of companies making Exchange accessible in a semi-unfirewalled state (semi in that some ports are firewalled; however, the Microsoft ports are not).
/ Mat
PS: Some of the worst are in the SORBS database because they couldn't even work out how to secure them against simple relay.
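The "simple relay" check that Mat's PS refers to, as an added example that is not part of the thread: a mail server that, for a client outside its own networks, accepts MAIL FROM an outside address and then RCPT TO an outside domain without any authentication is an open relay. To keep this offline, a small in-memory SMTP responder stands in for the server; the hostnames, domains, addresses and delivery policy are constructed for the demo, and nothing here reproduces SORBS's own test.

```python
import ipaddress


def parse_path(arg):
    """'FROM:<user@example.org>' -> 'user@example.org' (domain case folded)."""
    _, _, addr = arg.partition(":")
    addr = addr.strip().strip("<>")
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}"


class ToySmtpServer:
    """In-memory stand-in for a mail server, enough to answer a relay probe.

    Delivery policy (an assumption modelled on a sanely configured MTA):
      * mail for one of our own domains is always accepted (inbound mail)
      * clients inside relay_networks may send anywhere (our own users)
      * anything else is relaying and is refused, unless open_relay=True,
        which models the misconfigured servers the thread complains about
    """

    def __init__(self, hostname, local_domains, relay_networks, open_relay=False):
        self.hostname = hostname
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_networks = [ipaddress.ip_network(n) for n in relay_networks]
        self.open_relay = open_relay
        self.sender = None

    def _may_deliver(self, client_ip, rcpt):
        domain = rcpt.rpartition("@")[2]
        if domain in self.local_domains:
            return True
        if any(ipaddress.ip_address(client_ip) in n for n in self.relay_networks):
            return True
        return self.open_relay

    def respond(self, client_ip, cmd):
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.sender = None
            return f"250 {self.hostname} Hello"
        if verb == "MAIL":
            self.sender = parse_path(arg)
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            if self._may_deliver(client_ip, parse_path(arg)):
                return "250 2.1.5 Recipient ok"
            return "550 5.7.1 Relaying denied"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 5.5.1 Command unrecognized"


def smtp_dialogue(server, client_ip, sender, recipient):
    """Run HELO/MAIL/RCPT/QUIT and return (rcpt_accepted, transcript).

    The probe stops before DATA, so even against an open relay no message is sent.
    """
    commands = [
        "HELO probe.example.org",
        f"MAIL FROM:<{sender}>",
        f"RCPT TO:<{recipient}>",
        "QUIT",
    ]
    transcript = []
    accepted = False
    for cmd in commands:
        reply = server.respond(client_ip, cmd)
        transcript.append((cmd, reply))
        if cmd.startswith("RCPT") and reply.startswith("250"):
            accepted = True
    return accepted, transcript


def is_open_relay(server, probe_ip="203.0.113.9"):
    """The classic test: outside client, outside sender, outside recipient."""
    accepted, _ = smtp_dialogue(server, probe_ip,
                                "probe@example.org", "victim@example.net")
    return accepted


if __name__ == "__main__":
    good = ToySmtpServer("mail.example.com", ["example.com"], ["192.0.2.0/24"])
    bad = ToySmtpServer("mail.example.com", ["example.com"], ["192.0.2.0/24"], open_relay=True)
    for name, srv in (("good", good), ("bad", bad)):
        print(name, "open relay" if is_open_relay(srv) else "relaying denied")
```

Two caveats when running the same dialogue against a real server: some MTAs accept every RCPT and only reject at DATA or afterwards, so a 250 at RCPT is strong evidence but a definitive result needs a test message to an address you control; and the probe should only be pointed at servers you are authorised to test.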
> I'm really surprised to hear the assertion that people are
> leaving unfirewalled Exchange servers out on the net.
> Is this actually common? /shudders...
I don't think that the small shops know any better. It's
a matter of education, and in most of the cases I've seen
the education has been painful.
VPN technologies are either too weak, like PPTP, too
expensive or difficult to grasp like IPsec, or too new
like the HTTPS tunnels.
I don't recall the source, but it was recently reported
that 40% of the exchange server base is still on the v5.5
platform. Using that as a general indication, many of
these shops probably won't plan to upgrade anytime soon.
-John
This is definitely a business opportunity for any ISPs that wish to take advantage of it... Hire clueful abuse desk people, set up a good IDS, run spamassassin on your mail servers, and offer free antivirus software to the broadband connected bare win32 PCs. I am sure midsize ISP marketing departments will be able to brand this with a slick name and print brochure or TV commercial.
"Tired of spam and junk on the internet? Sick of Pop-ups? Worried about the spread of worms and viruses? We're better than the competition, and here's why...!"
apparently so... reference long discussions on nanog regarding blocking
welchia/nachi... People even, SHOCKER, use smb shares over the internet
without vpns or firewalls
Would you mind sharing some details on this, Bob? I've been thinking about
implementing IDS, but don't know the field well.
/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net
I can verify this as well. We block all windows ports, in and out, and
have a few clients that we've had to put exclusions in the filters for. Get
this, they're in the US, their Exchange server is in the UK, and instead of
doing a VPN between their office (of 20 employees) and the remote office,
they all use the UK's WINS Server and attach to the Exchange server through
a NAT router. The only reason so far that I've been able to glean why they
don't do a VPN was that the IT consultant for the parent company suggested
it and this local supervisor doesn't like him so won't do anything he
suggests, even if it's good advice.
We have another client who hosts an exchange server for a few remote users
and I finally got them to at least use PPTP when Road Runner blocked 135-139
ports (and their remote users are all @ home on RR).
william
Dunno about HTTPS; I prefer to avoid opening _any_ inbound ports through my
firewalls, since my clients are typically too small to afford good stateful
inspection, and I dislike server-based firewalls.
VPNs, however, are not the problem they used to be. I use Netopia R910s
and 3381-ENTs, which are cheap and provide both PPTP and IPsec endpoints,
with or without encryption. They're reasonably easy to configure (good
documentation and good support), and work just fine with Microsoft's
built-in Windows VPN clients.
Yes, I know PPTP isn't as strong as IPsec. But it's certainly more than
strong enough to keep out the riff-raff, and that's all we need here.
This allows me to provide secure, low-cost remote network access to and
between clients' LANs without any DMZs or pinholed routers. And I tell any
client who really wants to provide services to the Internet at large, that
they're far better off to contract the service with an ISP, who will almost
certainly do the job both better and cheaper.
Hey, I make good money doing this; so can you!
I don't see any good justification for people to treat the Internet like
their own back yard. But is bandwidth really so cheap that ISPs don't have
any stake in conserving it?
/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net
Date: Mon, 27 Oct 2003 20:06:25 +1000
From: Matthew Sullivan
> PS: Some of the worst are in the SORBS database because they
> couldn't even work out how to secure them against simple
> relay.
"What's an open relay?"
Exact quote from a local MCSE-happy "consultancy". I expect
there are other such screwballs installing trouble elsewhere.
OT: Does MCSE+I address real operational issues?
Eddy
John Ferriby wrote:
> > I'm really surprised to hear the assertion that people are
> > leaving unfirewalled Exchange servers out on the net.
> > Is this actually common? /shudders...
>
> I don't think that the small shops know any better. It's
> a matter of education, and in most of the cases I've seen
> the education has been painful.
In most cases it isn't even the "shops",
it is the "suits" who cut the check, -insisting-.
"In XYZ megacorporation we ran Xchange... harrumph"
So, if you know how to use a Hammer,
every problem is just another nail.
Including the nail with the "neat spirals" down the
side.....
> VPN technologies are either too weak, like PPTP, too
> expensive or difficult to grasp like IPsec, or too new
> like the HTTPS tunnels.
Breaking out an old saying, and reapplying:
Something Old [IPChains],
Something New [HTTPS],
Something Borrowed [AIX/Linux],
Something Blue [RS-6000].
YMMV, adjust to "suit" conditions,
or is that "suit conditions" ?
:P
"You can't Hack that to which you cannot Connect."
> I don't recall the source, but it was recently reported
> that 40% of the exchange server base is still on the v5.5
> platform. Using that as a general indication, many of
> these shops probably won't plan to upgrade anytime soon.
A study of suits in the industry shows better than 77%
will suggest Xchange when asked for a safe reliable email
application server. Another study will show almost -none-
(< 5%) of them will have actual "hands on" experience
-administrating- said server....
or -any- experience other than that of an end user.
Interestingly the majority of suits will try to drive the "neat nail with the
spirals" into the wood, with the hammer, for some reason.
Strangely, about 43% will -claim- success at the attempt, irrespective,
fudging the paperwork for appearances.
Go figure!
:\
-John
FYI:
Statistics show that the same personality characteristics
that make for an excellent liar, also makes for a good leader.
So much so, it can be said, "Most Good Leaders are Excellent Liars".
(FWIW, Statistics -also- show that almost 70% of them had to -cheat- to
get their college degree...)
Well, that certainly go -miles- in explaining politics, eh ?,
Pardon, I digress...
And finally, a study demonstrated, "The more knowledgeable of the field
(computers) you are, the more likely you are to be humble when
proffering your opinion."
Conversely, it has also been demonstrated that the -=less=- knowledgeable you are
in the industry, the more likely you are to accept your own opinion as
the "end all", or "authoritative" on the subject.
:*
.TIA.
PPS: Sadly, Only -some- of the above statistics are made up.
:O :*
Believe it or not, there are. When I ran a large network at an unnamed
ISP, we ran graphing on certain types of traffic, and an awful lot of our
business customers were doing this - with their home users accessing their
corp exchange servers with no VPN. The only thing I could guess is that
they weren't willing to hire someone to do things right.
There were certain situations where I had to do this personally. At the time,
when I took over, there was no Exchange admin, and I was rather clueless on
how to manage Exchange, so for quite a while I stumbled through trying to
get things working correctly and properly securing it (and several times
severely broke it). It was several months before I felt comfortable
adjusting the main setup of the server so that it would work fine on my VPN
hookup from the office network to the house. It's a lot different now that I
am familiar with Exchange.
I was trying to get rid of Exchange, but the fact that our corp office was a
bunch of idiots who had no idea how to use anything else but Outlook made
it nearly impossible to switch to a pure POP3/SMTP setup with an online
calendar and shared address book.
> "What's an open relay?"
That's not really covered in the Exchange test... and +I doesn't require
the Exchange test, nor does MCSE...
> Exact quote from a local MCSE-happy "consultancy". I expect
> there are other such screwballs installing trouble elsewhere.
> OT: Does MCSE+I address real operational issues?
Only if your operation requires MCSE and I, I suppose... Who would do that
nutty thing? Oh... most of the "I" bummer.
> This is definitely a business opportunity for any ISPs that wish to take
> advantage of it... Hire clueful abuse desk people, set up a good IDS, run
> spamassassin on your mail servers, and offer free antivirus software to the
> broadband connected bare win32 PCs. I am sure midsize ISP marketing
> departments will be able to brand this with a slick name and print brochure
> or TV commercial.
* But customers of broadband ISP aren't going to want to pay more than $40 a
month for any such thing you add, and just how clueful do you want help desk
people (I don't think you meant abuse desk ... there probably isn't even
one) ? $20 an hour? $26 an hour? That isn't gonna happen. And the PRINT and
Commercials cost money as well. Which is fine for signing up new customers
... and there is always that customer churn.
You can say you raised the bill because you added IDS, and Spamware, and
Virusware, and because they get free AV and Firewall software ... and the
majority of customers are going to have a fit. They think the whole thing is
the responsibility of the ISP at the current rate (or even cheaper!). "You
let that virus come into my computer" ... "It came over YOUR network!!!!".
> "Tired of spam and junk on the internet? Sick of Pop-ups? Worried about
> the spread of worms and viruses? We're better than the competition, and
> here's why...!"
* Because we're more expensive
>We implemented an IDS system. The ROI comes from the inbound attacks
>being detected/prevented/shunned. But it's also listening to the
>outbound stuff, so when we see that a customer has the flavor of the
>week, we cut him off, give him a call and some friendly advice, and
>everyone's happy. When we see IRC joins and port scans from a customer
>server, we give him a call, advise him that he's been rooted, and offer
>to assist in his recovery (can you say business opportunity, folks?).
>
>Blocking ports is fine as long as you let people know what you're
>blocking and why, offer alternative solutions and offer to unblock if
>it's an absolute requirement. Often, once properly educated about the
>risks, a lesser experienced admin will be excited about the opportunity
>to do it the more secure way, and will begin preparations, so I've found
>the "unblock" is usually temporary.
* I love that wishful thinking. But I kept seeing the same experienced
admins (or so they said) with the same spam complaints, pointing at their IP
Address (even after it was changed). And home users who said they got rid of
the virus but it was still there pumping away just like before you called
them.
We had some users that were happy we had cut them off, and told them that
they had a problem (virus or otherwise).