Re: Man gets nine years for spamming
From: Leythos (void_at_nowhere.lan)
Date: 04/17/05
Date: Sun, 17 Apr 2005 14:42:26 GMT
On Sat, 16 Apr 2005 12:48:11 -0700, Michael Pelletier wrote:
>
> Leythos wrote:
>
>> On Fri, 15 Apr 2005 23:19:26 -0700, Michael J. Pelletier wrote:
>>>
>>> What about Colombia, or Argentina or Eastern Europe. The problem with
>>> blocking countries, and why I refuse to do it, is because you are
>>> blocking legit users also. Wasn't it you who said, that using
>>> blacklists could prevent a "good" user access? And I said white list
>>> your customers and use blacklists also.
>>
>> There are two things here:
>>
>> 1) If I don't do business in a country there is no reason to provide
>> them with access to my site.
>
> Here is the problem with blocklisting countries. I travel a lot. In fact
> we are in the age of International business (let's be honest it is a
> quest for cheap labor and manufacturing). I am your customer, I travel
> to Brazil, China or wherever for business. I use a local ISP and guess
> what? I can not contact you like I normally do. Even worse I can not get
> access to the resources I need. I am thousands of miles away to boot.
> PROBLEM!!! As a customer I say "what the hell" and go to another company
> that is "more professional". You should not blacklist countries because
> we live in a World economy and have business people who travel abroad
> frequently.
>
> Again, I do not and will not, blacklist countries. It is foolish when
> there are many techniques that are equally and significantly better.

No, here's the problem - you seem to think that the world is your my
market-place, but I seem to have a better understanding of my market-place
and know where my customers and remote users are. If I understand what I
just said, I can still block subnets in foreign countries and still allow
remote connections from unblocked areas of those countries.

Now, before you misunderstand again, since I only work with US customers,
except for a couple places in India, I can safely block most foreign
countries from my US based services, and it will not have ANY impact on my
customers or my workers, even my workers that travel.

Now, again, if I understand my target audience and have any clue about my
own company and its resources, I can safely block non-needed access to my
company without any problem.

>> 2) Black list anything you want as long as it doesn't interfere with
>> your targeted audience.
>
> Read above. The "targeted audience" is everyone. Do you really want to
> shrink your targeted audience?

Read my reply to your complete misunderstanding of the reason for blocking
- if you DO NOT PROVIDE SERVICE TO THOSE COUNTRIES you don't have any
reason to provide access to your network from them. If your sales people
don't travel to those countries you don't need to give them access from
those countries either. What part are you unable to understand about this
concept?

There is NO SHRINKING of the target, you can't shrink the target audience
if you didn't offer services to them to begin with.

>> As I've said many times, I don't black list ALL foreign countries, just
>> major parts of ones that have made repeated attempts to exploit a
>> known/unknown flaw in a system exposed to the public.
>
> The point I am making is that you do not need to. Run secure systems.
> Stay away from windows if possible to anything on your DMZ.

Windows has nothing to do with a secure/non-secure network, Windows
servers are as simple to secure as any other server if you understand the
OS. We've had public Windows servers running at Fortune 500 companies for
5+ years, running ASP and (not as long) .Net applications, without a
single compromise.

And the point you miss, another time, is that if you don't offer anything
to country X, you don't need to provide access from country X to your
network. This means that if I don't provide ANY services to country X,
don't have business work in country X, don't have employees in country X,
I can block that country WITHOUT ANY IMPACT on my business.

>>> Sorry, but blocking countries when there are clearly better ways to
>>> handle the problem is just foolish...
>>
>> So, do you let Asian countries have access to your company LAN?
>> Assuming you're smart and say no, the same reasoning applies to your
>> DMZ - if you are not targeting them for your audience you should block
>> them. It's always a good idea to restrict access from those that don't
>> need it.
>
> No. DMZ resources do not equate to LAN resources. These are firewalled
> resources that do not reside on your internal LAN. Now I have seen in my
> time "potato head IT" shops that had a router with ACLS and static NAT
> entries to resources internal and claim it is a "DMZ". This type of
> setup DOES NOT have a DMZ.
>
> A DMZ is a construct consisting of a special LAN hanging off a firewall
> where the servers on the said LAN are allowed to receive Internet
> packets (new connections). The servers in the DMZ SHOULD NOT be dual
> homed back into the internal LAN (I see a lot of this mostly from
> Windows admins, sorry good windows guys). Furthermore, the DMZ LANs
> should be many. The servers are logically grouped per DMZ LAN. In other
> words web servers are located on DMZ LAN 1, Mail servers belong to DMZ
> Lan 2, etc, etc.

You're not telling me anything new, I design secure networks for a living,
ones that have passed Homeland Security audits, and the first rule of
security is to limit access to resources to those users/systems that need
access.

> Now here is the clincher. In a proper configuration. DMZ servers ARE NOT
> ALLOWED to connect to ANYTHING internal. The interface between internal
> pcs and servers to the DMZ is as restricted, almost to the same degree,
> as the interface from the Internet to the DMZ servers.
>
>
>> Just because you/anyone has an internet connection does not entitle
>> them to view a site/service because "you/anyone" wants to, it's the
>> site owner that determines who/what can access their site/service.
>>
>>
> Then construct your "services" to require a logon....
>
> The whole purpose of having a website is allow anyone to view it.

You don't really understand the internet or business if you believe the
above, and you don't do security work for a living either.

The purpose of having a website is to allow your information to be
provided to your target. The target can be as small as one user/system or
as large as the world. Only the owner of the service has a right to
suggest anything to the contrary.

> If you do
> not want people to view all or some of it, require a logon. As for
> email, I

Wrong, since you don't offer services to the world, as is the case in my
part of the discussion, there is no reason to require a user/system to
LOGON to view the public information targeted to them - that's like asking
me to logon to my cable TV before I can watch any TV.

> already told you the technique of blacklisting countries does not cut it
> for me. We work with people around the World. We have people constantly
> traveling around the World....I use other techniques that result in the
> same SPAM kill rate but WITHOUT using the "black list most of the World"
> technique.

And I never suggested that it would work for you, I said, and you need to
read this, I don't do business outside the US, Canada, GB, and India, we
block anything we don't need once we see an attempt to break into the
networks. This method does NOT IMPACT OUR BUSINESS.

Also, this has nothing to do with any specific service, it's not about
email or web or ftp, it's about the basics of security: If you don't need
to provide access to something, don't provide access to it.

> Again, if your technique works for you, use it. It does not matter to
> me. I just see it as unneeded overkill with the potential to
> un-needlessly piss off our sales people and potentially lose
> customers....

And I didn't suggest that you needed to apply it to your organization. Our
sales, customers, techs, business partners, etc... work with our systems
and networks just fine, never a problem, and never a complaint. We don't
provide services to the world, only a select portion of it, and we're very
happy with that scope.

What you should understand from all of this is that many businesses are
not global, don't need to expose their resources to large areas of the
world (geographically), and that basic security principles dictate that
you only expose what is needed. You might want to analyze your business,
where it's doing business/partners/support and determine if you really
need to provide access from attacking networks in countries where you
don't do business/etc.

As I said before, been working with systems/computers since the 70's,
doing networking and security for a long time, and never had a compromised
system/network at any location. I'll stick with my methods and processes.

-- spam999free@rrohio.com remove 999 in order to email me
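
An added example, not part of the original thread or either poster's configuration: the combination argued over above (allow-list known customers, then block individual subnets after repeated denied attempts) sketched in Python. The log format, threshold, /24 grouping and default-allow fallback are assumptions, and all addresses are constructed from documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed data: all addresses are RFC 5737 documentation ranges.
ALLOW = [ipaddress.ip_network("198.51.100.0/25")]  # known customers/remote staff
SAMPLE_LOG = [
    "2005-04-17T14:01:02Z DENY src=203.0.113.7 dport=1433",
    "2005-04-17T14:01:09Z DENY src=203.0.113.7 dport=445",
    "2005-04-17T14:02:30Z DENY src=203.0.113.99 dport=1433",
    "2005-04-17T14:03:11Z DENY src=198.51.100.200 dport=22",
    "2005-04-17T14:03:12Z DENY src=198.51.100.200 dport=22",
    "2005-04-17T14:03:13Z DENY src=198.51.100.201 dport=22",
    "2005-04-17T14:05:00Z DENY src=192.0.2.5 dport=80",
    "2005-04-17T14:06:00Z ALLOW src=203.0.113.7 dport=80",
    "2005-04-17T14:07:00Z DENY src=999.1.1.1 dport=80",
]
DENY_RE = re.compile(r"\bDENY\b.*?\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")

def propose_blocks(lines, allow, threshold=3, prefix=24):
    """Group denied sources by subnet; return (blocks, conflicts)."""
    hits = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/{prefix}", strict=False)
        except ValueError:  # malformed address in the log line
            continue
        hits[net] += 1
    blocks, conflicts = [], []
    for net in sorted(n for n, c in hits.items() if c >= threshold):
        # A subnet that overlaps the allow-list needs review, not a blanket block.
        (conflicts if any(net.overlaps(a) for a in allow) else blocks).append(net)
    return blocks, conflicts

def decide(ip, allow, block):
    """Allow-list wins, then the block-list, then default allow."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in allow):
        return "allow"
    return "block" if any(addr in n for n in block) else "allow"

if __name__ == "__main__":
    blocks, conflicts = propose_blocks(SAMPLE_LOG, ALLOW)
    print("block:", blocks, "review:", conflicts)
    for ip in ("198.51.100.10", "203.0.113.50", "192.0.2.5"):
        print(ip, decide(ip, ALLOW, blocks))
```

The conflict list is the part that addresses the travelling-customer objection: a noisy subnet that also contains allow-listed addresses is surfaced for manual review instead of being blocked outright.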