[63838] in North American Network Operators' Group
Re: Block all servers?
daemon@ATHENA.MIT.EDU (Adam Selene)
Fri Oct 10 22:05:12 2003
From: "Adam Selene" <nospam@vguild.com>
To: <nanog@merit.edu>
Date: Fri, 10 Oct 2003 20:07:05 -0600
Errors-To: owner-nanog-outgoing@merit.edu
IMHO, all consumer network access should be behind NAT.

However, the real solution is (and unfortunately to the detriment
of many 3rd party software companies) for operating system
companies such as Microsoft to realize a system level firewall
is no longer something to be "added on" or configured later.

Systems need to be shipped completely locked down (incoming
*and* outgoing IP ports), and there should be an API for
applications to request permission to access a particular port or
listen on a particular port (invoking a user dialog).

As for plug-in "workgroup" networking (the main reason why
everything is open by default), when you create a Workgroup,
it should require a key for that workgroup and enable shared-key
IPSEC.

Currently Windows 2000 can be configured to be extremely secure
without any additional software. Unfortunately you must have a
*lot* of clue to configure the Machine and IP security policies it
provides.

Adam