This is a non sequitur. In what way is the blocking of incoming unsolicited connections not a "proper security measure"? What gives you (or anyone else) the right to "disable" security measures which you (or anyone else) consider "too strict"? How do you arrive at the conclusion that disabling unsolicited incoming connections to software that does not require it (and which you do not want to accept such unsolicited incoming connections) is "far less effective" than "proper security measures" (and what are those alleged "proper security measures)? Explain especially in light of built-in crapware which cannot otherwise be removed from the system because it has been "integrated" by scattering its parts (with no purpose other than to make the crapware non-removeable) into critical components so as to prevent removal without breaking the system? Please explain how expecting firewall setting to remain set as they have been deliberately set makes one a "security zealot"? If the ACLs on your Cisco router suddenly decided to change all by themselves because Cisco had decided they did not like the way you had set them, I am quite sure that you take an entirely different position!
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mike Hammett Sent: Saturday, 2 July, 2016 12:43 Cc: nanog list Subject: Re: IPv6 deployment excuses
Security that is too strict will be disabled and be far less effective than proper security measures. Security zealots are often blind to that.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest Internet Exchange http://www.midwest-ix.com
----- Original Message -----
From: "Keith Medcalf" <kmedcalf@dessus.com> To: "nanog list" <nanog@nanog.org> Sent: Saturday, July 2, 2016 11:41:48 AM Subject: RE: IPv6 deployment excuses
Yes, the default is "on". An exception is added for EVERY SINGLE PIECE of Microsoft Crapware, whether it is needed or not (and in every single case, it is not). And if you turn those exceptions "off", then they are turned back on by Microsoft and their NSA partners for you, without your permission, whenever automatic updates run (and also at other times that I have not determined the trigger). You must continuously check that the firewall (although ON) remains configured as you configured it, or if Microsoft (and their NSA partners) have changed the configuration without your permission.
Of course, most people do not bother configuring the firewall and do not wonder why every piece of Crapware has in incoming exception, and do not bother to turn those off (including some on this list apparently). So they will never notice these nefarious doings which have been a hotbed of discussion on the Internet for many years.
And this is on the latest distribution of Windows 10 including the upcoming anniversary edition and has been that way since at least the first version of Windows 8.
Whether or not Windows 7 also behaves the same way I do not know because I never ran it.
-----Original Message----- From: Spencer Ryan [mailto:sryan@arbor.net] Sent: Saturday, 2 July, 2016 10:08 To: Keith Medcalf Cc: North American Network Operators' Group Subject: RE: IPv6 deployment excuses
Windows 8 and 10 with the most recent service packs default the firewall to on with very few inbound exemptions.
On Jul 2, 2016 11:38 AM, "Keith Medcalf" <kmedcalf@dessus.com> wrote:
There is no difference between IPv4 and IPv6 when it comes to firewalls and reachability. It is worth noting that hosts which support IPv6 are typically a lot more secure than older IPv4-only hosts. As an example every version of Windows that ships with IPv6 support also ships with the firewall turned on by default.
Just because the firewall is turned on does not mean that it is configured properly.
Every version of Windows that ships with IPv6 support also ships with the Firewall configured in such a fashion that you may as well have it turned off.
This is especially true in Windows 8 and later where the firewall is reconfigured without your permission by Microsoft every time you install any update whatsoever back to the "totally insecure" default state -- and there is absolutely no way to fix this other than to check, every single minute, that the firewall is still configured as you configured it, and not as Microsoft (and their NSA partners) choose to configure it.
All versions of Windows 8 and later whether using IPv4 or IPv6 are completely unsuitable for use on a network attached to the Internet by any means (whether using NAT or not) that does not include an external (to Windows) -- ie, in network -- statefull firewall over which Windows, Microsoft, (and their NSA partners) have no automatic means of control. If you allow UPnP control of the external statefull firewall from Windows version 8 or later, you may as well not bother having any firewall at all because it is not under your control.