Sean Donelan wrote:
<snip>
Since many Microsoft patches are only legally available via the
Internet, and an ISP can not predict which servers Microsoft will use to
distribute Microsoft patches, ISPs must enable essentially full Internet
access which includes access for most worms.
<snip>
May I recommend developing an in house method for allowing the customer only
access to your servers (web, dns, proxy, etc), and then apply filters for
everything else except for tcp/80. If you wanted to be additionally paranoid,
you could even allow only established tcp/80 connections back to the customer.
Once updated, the customer could establish contact to have filters removed, or an
automated web process could be created.
It's a ton of work, and there are any number of ways to do it. A lot depends on
your network. It can be done, though.
Jack
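
The filter Jack describes, modelled as an added example that is not part of the original post: the two directions are evaluated separately, and "established" is modelled as a stateless ACK/RST flag check. All addresses, ports and sample flows are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses (RFC 5737 documentation ranges).
ISP_SERVERS = ip_network("192.0.2.0/28")  # assumed: ISP web, DNS, proxy hosts
CUSTOMER = "198.51.100.25"                # assumed: the filtered customer
REMOTE = "203.0.113.10"                   # assumed: any other Internet host

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"}

def from_customer(p):
    """Filter on traffic the customer sends."""
    if ip_address(p.dst) in ISP_SERVERS:
        return True                            # ISP's own servers stay reachable
    return p.proto == "tcp" and p.dport == 80  # everything else: tcp/80 only

def to_customer(p):
    """Filter on traffic headed back to the customer."""
    if ip_address(p.src) in ISP_SERVERS:
        return True
    # Assumption: "established" means a tcp/80 reply carrying ACK or RST,
    # so a bare SYN from outside cannot open a connection to the customer.
    return p.proto == "tcp" and p.sport == 80 and bool(p.flags & {"ACK", "RST"})

def verdicts(flows):
    """Return 'permit' or 'deny' for each (direction, packet) pair."""
    return ["permit" if (from_customer(p) if d == "out" else to_customer(p))
            else "deny" for d, p in flows]

SYN, SYNACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
SAMPLE = [  # constructed flows, not captured traffic
    ("out", Packet(CUSTOMER, "192.0.2.5", "udp", 1030, 53)),    # DNS to ISP resolver
    ("out", Packet(CUSTOMER, REMOTE, "tcp", 1031, 80, SYN)),    # patch download
    ("in",  Packet(REMOTE, CUSTOMER, "tcp", 80, 1031, SYNACK)), # reply to the download
    ("out", Packet(CUSTOMER, REMOTE, "tcp", 1032, 135, SYN)),   # outbound non-web port
    ("in",  Packet(REMOTE, CUSTOMER, "tcp", 4444, 135, SYN)),   # unsolicited inbound
    ("in",  Packet(REMOTE, CUSTOMER, "tcp", 80, 445, SYN)),     # SYN from source port 80
]

if __name__ == "__main__":
    for (direction, pkt), verdict in zip(SAMPLE, verdicts(SAMPLE)):
        print(f"{verdict:6} {direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```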