Re: Port 119 blocked at work and I want it opened
From: Robert R Kircher, Jr. (rrkircher@hotmail.com)
Date: 11/27/02
From: "Robert R Kircher, Jr." <rrkircher@hotmail.com> Date: Wed, 27 Nov 2002 10:51:59 -0500
Leythos wrote:
> In article <IAidnYfcSoOtuXmgXTWcpw@giganews.com>,
> rrkircher@hotmail.com says...
>> Leythos wrote:
>>> In article <OETE9.10461$kO5.2042423@news1.news.adelphia.net>,
>>> davidwnh@adelphia.net says...
>>>> You can filter to restrict which servers are available. As to
>>>> abuse, you need to deal with the abusers, you don't shouldn't screw
>>>> everybody.
>>>>> I've been a developer since 78, and using usenet since the early
>>>>> 90's. I love usenet, but there is a major reason to NOT allow
>>>>> direct access to usenet - BINARY FILES.
>>>>> Usenet is great, and if it wasn't abused you would have access to
>>>>> it (I did NOT say YOU abused it).
>>>
>>> Listen, you can NOT filter which usenet groups you can connect to
>>> unless you or your ISP configure your own news server or the ISP
>>> configures their news server to your needs. The port is a port,
>>> firewall or not, it will pass all 119 traffic and its contents -
>>> there is no "simple" way to restrict users from select groups short
>>> of your own news service/server.
>>>
>>>
>>>
>>> --
>>
>> Wait a minute... Even you stated that *only* your PC and your news
>> server can access port 119 on your home network.
>>
>> From article <jB-cnfM6Av8u5H6gXTWcoA@giganews.com>,
>>> If it helps, I have a news server in my home so that my kids can get
>>> news without all the binary/porn groups, but then I'm a little more
>>> of a tech than most home users :) I block outbound usenet access
>>> except from my workstation and my news server.
>> ^^^^^^^^^^^^^^^^^^^^^^
>>
>>
>> As you've demonstrated, you can restrict the port based on IP or IP
>> range. Put this individual or the helpdesk or the development group,
>> which should be segmented anyway, on different IP ranges. If you're
>> using a FW that attaches into MS security (no laughs) you can
>> restrict by user logon. Plenty of ways to do it if you have the
>> right FW, and take the time to set it up properly...
>>
>> I'll bet *YOU* are not restricted on that LAN you manage!!! (Don't
>> lie!!! ;-) )
>
> On my company lan (which I manage the firewall), I don't allow any 119
> outbound connections, not even for me. There is no need - the problem
> that I would expect is that people would do more than read, they would
> d/l files, images, porn, etc...
>
> As an admin we are legally responsible for what we allow to happen on
> our networks - even more so in a large company. You can access the
> newsgroups via http - be happy and do it that way.
>
I haven't seen a company prosecuted yet because an employee was caught up in
a child porn ring. The authorities go after the user...

Nobody is arguing about what you may or may not be legally responsible for
anyway, it's just a matter of how an admin goes about it. Don't be lazy.
Define a good Use Policy and then enforce it.

Oh and BTW: from first hand admin experience I can tell you that NGs are not
the top place for users to seek out and find porn... I took over a larger
network several years ago that had absolutely no use policies nor
restrictions at the firewall, and after being tipped off by a coworker, I
found one particular accountant was waiting most of his day on porn web
sites. How did I verify this? Well, I checked the logs of course. Once we
had the proof we dealt with the individual and of course he was relieved of
his duties... The important thing to note here is I didn't even need to be
proactive, the department knew something was up because this guy wasn't
performing to expectations. Point is you'll eventually catch the abuser
usually sooner than later, many times without having to do any extra work...

Look I understand where you are coming from, I've seen first hand the impact
that streaming media, large binary d/l et al can have on a network, but I
still go back to my original point. Don't be a lazy admin. Seek out the
abusers, create filters based on users' IP addresses, write a good use policy
with clear consequences and then enforce it. The bit of extra work up front
will be greatly appreciated by your users down the road... and in the long
run it won't really add much work load to your everyday task list...

Most importantly we admins are in place to *serve* the users... They are our
customers and we should treat them that way. All too often IT/IS departments
treat the users as the enemy and not the customer. Find a way to give the
customer what they want without compromising your network. You'll be the
company hero if you manage to do it...

-- Rob