Block all servers?

• Previous message (by thread): Block all servers?
• Next message (by thread): Block all servers?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Adam Selene wrote:

>IMHO, all consumer network access should be behind NAT.
>
>  
>
First of all, this would block way too many uses that currently actually 
sell
the consumer network connections. "I recommend my competition to do this"

Secondly, it´s very hard, if impossible to come up with a NAT device which
could translate a significant amount of bandwidth. Coming up with one to put
just a single large DSLAM behind is tricky. (OC-12 level of bandwidth)

NAT devices which do OC12 or near don´t come cheap either. This is
(fortunately) not a cost you can sink to the customer as added value.
"Because we lack clue and technology, we just block you for anything and
make you pay for it".

>However, the real solutions is (and unfortunately to the detriment
>of many 3rd party software companies) for operating system
>companies such as Microsoft to realize a system level firewall
>is no longer something to be "added on" or configured later. 
>Systems need to be shipped completely locked down (incoming 
>*and* outgoing IP ports), and there should be an API for 
>applications to request permission to access a particular port or 
>listen on a particular port (invoking a user dialog).
>
>  
>
Don´t underestimate the painfully slow rate of change in widely deployed 
systems.
There is a lot of software out there which dates back 15 years or more. 
Can you
afford to wait even five?

Hardly any of the issues we see today would go away if such an API would 
be enforced
on the applications because the issues are due to the legitimate 
applications legitimately
talking to the network with permission.

>As for plug-in "workgroup" networking (the main reason why
>everything is open by default), when you create a Workgroup, 
>it should require a key for that workgroup and enable shared-key 
>IPSEC.
>
>  
>
This is not a bad idea at all. Make sure to save a copy of this message 
in case
somebody tried to patent this.

>Currently Windows 2000 can be configured to be extremely secure 
>without  any additional software. Unfortunately you must have a 
>*lot* of clue to configure the Machine and IP security policies it 
>provides.
>
>  
>
The box should have a sticker "needs a resident computer mechanic" :)

Pete

• Previous message (by thread): Block all servers?
• Next message (by thread): Block all servers?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]