Block all servers?

Christopher Bird seabird at msn.com
Sat Oct 11 13:17:40 UTC 2003


NAT at the end of OC12 sounds hideous indeed. That's why I would prefer
to see it as part of the modem in the house/business. I am sure (by
guesswork and not by statistics) that a very large number of users would
need relatively simple and secure systems. I guess this because of the
way I see a lot of equipment being used in the groups I talk to. Does
that mean that "one size fits all?" No of course not. Just in the same
way that one car type fits all. If it did, wouldn't Skodas be looking
great right about now?!

Of course from an ISP or other provider's point of view,
uniformity/standardization allows costs to be driven downwards. So in
order to keep costs handled, a non-customizable service is the order of
the day.

By making the NAT router a part of the cable modem at least there is a
lesser chance that a large number of people who want a simple network
connection will have any trouble at all.

Perhaps posting a security bond would be an interesting way of
overcoming some behaviors. General society appears to have strong
financial motivations ("look what I can get for free (theft) by
downloading music", etc.) Well make the standard service cheap, and add
the premium features by control of the NAT router inside the modem from
the support center. Remember that access is a privilege not a right. Of
course as soon as you attempt to control a box from outside, that is
throwing down the gauntlet to the malcommunity. So the NATRouter/Modem
combo would have to be a bit clever. That of course may drive cost
up......

As people who inhabit the network space, I think we do have some
responsibilities to encourage the directions that service provider
choose. If this isn't a good idea, what is? If we assume the following
then we are forced to think broadly:

Most PCs that people buy are configured too broadly with too many
services open and are thus vulnerable.
Most people do not want to mess with keeping their systems safe (for a
variety of reasons).
Most people have become accustomed to relatively inexpensive access
Most people have "brothers-in-law" who know a bit about computers and
can royally screw things up!
Most people know a "really bright 12 year old" who can do "very clever
things with the computer that I can't understand"
Many people assume facility with some terminology and fast typing to be
indicators of knowledge and responsibility.
Many people do the computing equivalent of throwing trash out of the car
window - i.e. not taking any responsibility for polluting the
environment.

These sociological phenomena demand that those who provide the services
provide them responsibly or face the consequences. Sadly the
consequences are societal in impact and don't just affect the providers.

How much benefit would we get if we were to reduce the number of
computers that could possibly be infected with something by 50%, 75%?
How much benefit could we get by knowing which networks were potentially
vulnerable - because they chose to open things up. 

I realize that we have a long way to go to get security. It is a bit
like when cars first came out - we could/would drive anywhere.
Eventually we agreed that we, in a given country, would drive on a
particular side of the road. There is no obviously good reason why it
should be one side or the other (as successful drivers in the UK and the
US would agree!), but pick one. Once that happened, then some of the
chaos disappeared.

There is a (possibly true) story that when telephone adoption rates were
analyzed in the 1930s, predictions were that every person in the US
would have to be a telephone operator to keep up with the manual
connecting of calls through plug-switchboards. The expected cross-over
was sometime in the 1950s. Well, with the advent of Subscriber Trunk
Dialing we are all telephone operators today! I see the same things
happening in the computing world, we are all going to have to be network
operators and sesames at some point! Sadly those interfaces are not as
easy and standard as the familiar phone keypad!

Chris
 





> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On 
> Behalf Of Petri Helenius
> Sent: Saturday, October 11, 2003 1:47 AM
> To: nanog at merit.edu
> Subject: Re: Block all servers?
> 
> 
> 
> Adam Selene wrote:
> 
> >IMHO, all consumer network access should be behind NAT.
> >
> >  
> >
> First of all, this would block way too many uses that 
> currently actually 
> sell
> the consumer network connections. "I recommend my competition 
> to do this"
> 
> Secondly, it´s very hard, if impossible to come up with a NAT 
> device which could translate a significant amount of 
> bandwidth. Coming up with one to put just a single large 
> DSLAM behind is tricky. (OC-12 level of bandwidth)
> 
> NAT devices which do OC12 or near don´t come cheap either. This is
> (fortunately) not a cost you can sink to the customer as 
> added value. "Because we lack clue and technology, we just 
> block you for anything and make you pay for it".
> 
> >However, the real solutions is (and unfortunately to the 
> detriment of 
> >many 3rd party software companies) for operating system 
> companies such 
> >as Microsoft to realize a system level firewall is no longer 
> something 
> >to be "added on" or configured later. Systems need to be shipped 
> >completely locked down (incoming
> >*and* outgoing IP ports), and there should be an API for
> >applications to request permission to access a particular port or 
> >listen on a particular port (invoking a user dialog).
> >
> >  
> >
> Don´t underestimate the painfully slow rate of change in 
> widely deployed 
> systems.
> There is a lot of software out there which dates back 15 
> years or more. 
> Can you
> afford to wait even five?
> 
> Hardly any of the issues we see today would go away if such 
> an API would 
> be enforced
> on the applications because the issues are due to the legitimate 
> applications legitimately
> talking to the network with permission.
> 
> >As for plug-in "workgroup" networking (the main reason why 
> everything 
> >is open by default), when you create a Workgroup, it should 
> require a 
> >key for that workgroup and enable shared-key IPSEC.
> >
> >  
> >
> This is not a bad idea at all. Make sure to save a copy of 
> this message 
> in case
> somebody tried to patent this.
> 
> >Currently Windows 2000 can be configured to be extremely secure
> >without  any additional software. Unfortunately you must have a 
> >*lot* of clue to configure the Machine and IP security policies it 
> >provides.
> >
> >  
> >
> The box should have a sticker "needs a resident computer mechanic" :)
> 
> Pete
> 
> 
> 





More information about the NANOG mailing list