[60591] in North American Network Operators' Group


RE: Microsoft to ship new versions with firewall enabled

daemon@ATHENA.MIT.EDU (Daniel Senie)
Thu Aug 14 13:01:38 2003

Date: Thu, 14 Aug 2003 13:00:06 -0400
To: "Matthew Watkins" <matt@idnet.net.uk>, <nanog@merit.edu>
From: Daniel Senie <dts@senie.com>
In-Reply-To: <EDECIJMHKIANIDNKNANEGEINCAAA.matt@idnet.net.uk>
Errors-To: owner-nanog-outgoing@merit.edu


At 12:39 PM 8/14/2003, Matthew Watkins wrote:

>Apple have the right idea... I'd say all the vendors need to take a
>carefully balanced approach to security in the default configurations of
>their software. Leave services exposed to the network disabled by default,
>where possible.
>
>By all means, configure firewalls by default to block all non-established
>incoming connections to low port numbers, but for heaven's sake don't also
>block access to those ports from the local subnet as well.

Define "local subnet."

Go sit in a Starbucks and use Wifi. Is the person at the next table, or 
sitting on the bench outside with their laptop considered on the "local 
subnet?" Do you trust that person?

This is just an example of how a policy like the one you suggest can be 
dangerous.

