[60606] in North American Network Operators' Group
RE: Microsoft to ship new versions with firewall enabled
daemon@ATHENA.MIT.EDU (JC Dill)
Thu Aug 14 14:54:36 2003
Date: Thu, 14 Aug 2003 11:44:56 -0700
To: <nanog@merit.edu>
From: JC Dill <nanog@vo.cnchost.com>
In-Reply-To: <5.2.1.1.2.20030814125836.029d75c0@mail.amaranth.net>
Errors-To: owner-nanog-outgoing@merit.edu

At 10:00 AM 8/14/2003, Daniel Senie wrote:
>At 12:39 PM 8/14/2003, Matthew Watkins wrote:
>
>>Apple have the right idea... I'd say all the vendors need to take a
>>carefully balanced approach to security in the default configurations of
>>their software. Leave services exposed to the network disabled by default,
>>where possible.
>>
>>By all means, configure firewalls by default to block all non-established
>>incoming connections to low port numbers, but for heaven's sake don't also
>>block access to those ports from the local subnet as well.
>
>Define "local subnet."
>
>Go sit in a Starbucks and use Wifi. Is the person at the next table, or
>sitting on the bench outside with their laptop considered on the "local
>subnet?" Do you trust that person?

Hold on a second, and let me ask him. :-)

>This is just an example of how a policy like the one you suggest can be
>dangerous.

He said "What's a subnet?"
heh
jc