nanog mailing list archives
Re: Block all servers?
From: Petri Helenius <pete () he iki fi>
Date: Sat, 11 Oct 2003 09:47:02 +0300
Adam Selene wrote:
> IMHO, all consumer network access should be behind NAT.

First of all, this would block way too many uses that currently actually sell the consumer network connections. "I recommend my competition to do this." Secondly, it's very hard, if not impossible, to come up with a NAT device which could translate a significant amount of bandwidth. Coming up with one to put just a single large DSLAM behind is tricky (OC-12 level of bandwidth). NAT devices which do OC-12 or near don't come cheap either. This is (fortunately) not a cost you can sink to the customer as added value. "Because we lack clue and technology, we just block you for anything and make you pay for it."

> However, the real solution is (and unfortunately to the detriment of many 3rd party software companies) for operating system companies such as Microsoft to realize a system level firewall is no longer something to be "added on" or configured later. Systems need to be shipped completely locked down (incoming *and* outgoing IP ports), and there should be an API for applications to request permission to access a particular port or listen on a particular port (invoking a user dialog).

Don't underestimate the painfully slow rate of change in widely deployed systems. There is a lot of software out there which dates back 15 years or more. Can you afford to wait even five?

Hardly any of the issues we see today would go away if such an API were enforced on the applications, because the issues are due to the legitimate applications legitimately talking to the network with permission.

> As for plug-in "workgroup" networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and enable shared-key IPSEC.

This is not a bad idea at all. Make sure to save a copy of this message in case somebody tries to patent this.

> Currently Windows 2000 can be configured to be extremely secure without any additional software. Unfortunately you must have a *lot* of clue to configure the Machine and IP security policies it provides.

The box should have a sticker "needs a resident computer mechanic" :)

Pete