[LINK] RFC: "No End User Servers" Policies are brain dead (true
Wed Nov 27 10:07:11 EST 2002
On Wed, Nov 27, 2002 at 09:24:19AM +0800, Andrew Francis wrote:
> On Wed, Nov 27, 2002 at 11:14:23AM +1100, firstname.lastname@example.org wrote:
> > I'd be interested to know people's views on the reasons for the ban
> > on end user servers.
> I argued this once with someone who works at an ISP, and he made a
> pretty convincing case with regards to security. Apparently, the fact
> that letting 'end users' run servers means far more security problems
> on a network (because there's more of them than business users, and
> they're less likely to administer their machines properly) is a big
> reason to ban them.
so why isn't that an issue with dialup customers? very few ISPs place
any restrictions on what servers you can run on a dialup connection
(smtp being the exception rather than the rule - many ISPs block direct
smtp to and/or from their dialup pools because of the open-relay spam
the answer is that it's not an issue *because* 28.8Kbps or 33.6Kbps
upload is slow enough that it can't compete with their hosting products.
> When Code Red/Nimda/etc starts spreading around, some of the hardest
> hit ISPs are those with clients running unsecured Windows servers,
> which get infected and proceed to flood the ISP's network with
nimda etc are just as much a problem on dialup modem links as they are
on cable or adsl links. probably even a bigger problem as there are
many more dialup users running windows than cable/adsl users.
most dialup ISPs don't block inbound port 80, nor do they have
restrictions in their contracts saying "you can't run a web server".
> If a client's running an open relay, then sooner or later the ISP will
> be fielding complaints about spam coming from its network. You can
> even get this happening:
this one's a valid concern, but not that difficult to solve. it's not
really worthwhile for most end-users to run their own SMTP server - if
nothing else, there's a large and growing percentage of the net that
uses DUL RBLs to reject mail direct from dialup/dynamic IP addresses
anyway. so block port 25 unless the customer a) has a static ip address
and b) proves they're not running an open relay.
where i work, we block inbound smtp to dialup customers but not for
permanent (static IP) customers....we only block smtp to the latter if
we get and verify complaints that they are running an open relay (i.e.
they are given the benefit of the doubt until proven otherwise).
> Another reason is making it trivial to break down traffic estimates.
> If you have a 100mbps pipe, and assume backchannel is 10%, then you
> can sell 90mbps incoming to 'end users' and 90mbps outgoing to people
> running webservers.
except that it's NOT sold like that. it's sold as 28.8K, 33.6K, or 56K
for dialup, 64K or 128K for ISDN, or 256/64 or 512/128 etc for adsl, and
whatever for cable.
if customers are paying for a 512k down / 128k up ADSL link, then why
should they be prevented from actually using what they pay for? why
shouldn't they be able to run a gameserver for friends and family
members, or a VPN between different branches of a business if they all
have DSL or cable links?
IMO, the answer is that if they allowed end-users to run their own
services, they just might figure out that amateur-quality stuff is good
enough for (some of) their needs and they don't need to pay through the
nose for their telco and/or ISP to provide similar (but professional
craig sanders <email@example.com>
Fabricati Diem, PVNC.
-- motto of the Ankh-Morpork City Watch
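The port-25 policy described above (block the dialup pool outright, leave static-IP customers alone until an open-relay complaint is verified) expressed as iptables rule generation. This is an added example, not code from the post or from any ISP; the pool prefix, customer records and the FORWARD-chain placement are constructed assumptions.

```python
# Added example: the SMTP-blocking policy from the post as rule generation.
# DIALUP_POOL, the customer records and the FORWARD chain are constructed.
from dataclasses import dataclass
import ipaddress

DIALUP_POOL = ipaddress.ip_network("10.200.0.0/16")  # constructed pool


@dataclass
class Customer:
    name: str
    address: str                  # assigned IP address
    static: bool                  # permanent static-IP link, not dialup pool
    relay_verified: bool = False  # open-relay complaint received AND verified


def smtp_allowed(c: Customer) -> bool:
    """Dialup: blocked. Static: allowed until a relay complaint is verified."""
    return c.static and not c.relay_verified


def pool_rules(pool: ipaddress.IPv4Network = DIALUP_POOL) -> list:
    """One pair of rules covers the whole pool: inbound to port 25 (no server
    reachable there) and outbound to port 25 (no direct delivery from the
    pool, matching the 'to and/or from' blocking the post mentions)."""
    return [
        f"iptables -A FORWARD -p tcp -d {pool} --dport 25 -j DROP",
        f"iptables -A FORWARD -p tcp -s {pool} --dport 25 -j DROP",
    ]


def customer_rules(customers: list) -> list:
    """Per-host rules only for static customers with a verified open relay;
    dialup customers are already covered by the pool rules."""
    rules = []
    for c in customers:
        ip = ipaddress.ip_address(c.address)
        if c.static and ip in DIALUP_POOL:
            raise ValueError(f"{c.name}: static customer inside the dialup pool")
        if c.static and not smtp_allowed(c):
            # Block inbound SMTP to the relay, as the post describes.
            rules.append(
                f"iptables -A FORWARD -p tcp -d {ip} --dport 25 "
                f'-m comment --comment "verified open relay: {c.name}" -j DROP'
            )
    return rules


if __name__ == "__main__":
    sample = [  # constructed customer records
        Customer("dialup-user", "10.200.3.7", static=False),
        Customer("shop-static", "192.0.2.10", static=True),
        Customer("relay-static", "192.0.2.20", static=True, relay_verified=True),
    ]
    print("\n".join(pool_rules() + customer_rules(sample)))
```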