[70244] in North American Network Operators' Group


Re: Worms versus Bots

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Thu May 6 05:46:55 2004

In-Reply-To: <6.0.3.0.1.20040504182434.02505608@pop.vt.edu>
Cc: North American Noise and Off-topic Gripes <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Thu, 6 May 2004 11:45:23 +0200
To: Rob Nelson <ronelson@vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu


On 5-mei-04, at 0:26, Rob Nelson wrote:

> If the person doesn't continue to do acls/nat/firewalls, they'll just 
> get infected after the next hole is discovered. And yes, there are 
> plenty of holes that a firewall/nat box won't fix. Still, better than 
> the user only doing Windows Update on the day of install and never 
> having a firewall...

I object to the idea that requiring a software firewall inside a host 
is a reasonable thing to do. Why on earth would I want to run an 
insecure service and then have a filter to keep it from being used? 
Either I really want to run the service, and then the firewall gets in 
the way, or I don't need the service to be reachable, so I shouldn't 
run it. System services should only be available over the loopback 
address. Now obviously this is way too simple for some OS builders, but 
we shouldn't accept their ugly hacks as best current practice.
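The design rule in this post (a service that does not need to be reachable from outside should listen on the loopback address only, so no in-host packet filter is needed to hide it) can be checked on a host by looking at where each listener is bound. The script below is an added illustration, not code from the thread or from any NANOG participant. It parses a constructed sample of `ss -ltn` style output (invented lines, not captured from a real system; the column layout follows that tool's format) and splits listeners into loopback-only ones and ones bound to a wildcard or routable address. The last function shows the binding itself, opening a TCP listener on 127.0.0.1 only and returning the address it actually got; the port number 0 it passes means "any free port".

```python
import ipaddress
import socket

# Constructed sample in the layout of `ss -ltn` (invented, not a real capture):
# State Recv-Q Send-Q Local Address:Port Peer Address:Port [Process]
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       4096    0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     [::1]:5432           [::]:*
LISTEN  0       4096    [::]:3306            [::]:*
LISTEN  0       128     192.168.1.10:8080    0.0.0.0:*
"""


def parse_local_endpoints(ss_text):
    """Return (address, port) pairs for every LISTEN line in ss -ltn style text."""
    endpoints = []
    for line in ss_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # Split on the last colon so IPv6 literals like [::1]:5432 survive.
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")
        endpoints.append((addr, int(port)))
    return endpoints


def is_loopback_only(addr):
    """True if a listener bound to addr can only be reached from the host itself."""
    if addr in ("*", ""):
        return False  # wildcard bind: every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed, not as safe


def audit(ss_text):
    """Split listeners into loopback-only and externally reachable lists."""
    loopback, exposed = [], []
    for addr, port in parse_local_endpoints(ss_text):
        (loopback if is_loopback_only(addr) else exposed).append((addr, port))
    return loopback, exposed


def open_loopback_listener(port=0):
    """Bind a TCP listener to 127.0.0.1 only and return the (addr, port) it got.

    Binding to the loopback address, rather than 0.0.0.0 plus a filter rule,
    is the approach the post argues for: the service is simply not reachable
    from any other host.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind(("127.0.0.1", port))
        sock.listen(1)
        return sock.getsockname()
    finally:
        sock.close()


if __name__ == "__main__":
    local_only, reachable = audit(SAMPLE_SS_OUTPUT)
    print("loopback-only listeners:", local_only)
    print("externally reachable listeners:", reachable)
    print("loopback listener bound to:", open_loopback_listener())
```

On a real host the sample text would be replaced by the output of `ss -ltn` (or `netstat -ltn`); anything in the "exposed" list that is not meant to serve other hosts is a candidate for rebinding to 127.0.0.1 or ::1, or for not running at all.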

