On Fri, 10 Oct 2003, Adam Selene wrote:
IMHO, all consumer network access should be behind NAT.
Unfortuantely there are enough protocols and applications which don't work well behind a NAT that deploying this on a large scale is not practical. Most gamers require incoming connections. These are people who willing to pay for bandwidth so attempting to put them in the "nat only" box will not work. Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation?
However, the real solutions is (and unfortunately to the detriment of many 3rd party software companies) for operating system companies such as Microsoft to realize a system level firewall is no longer something to be "added on" or configured later. Systems need to be shipped completely locked down (incoming *and* outgoing IP ports), and there should be an API for applications to request permission to access a particular port or listen on a particular port (invoking a user dialog).
Unfortunately something like this would make the PC close to useless which is not the intent of the software provider. Thus you see everything open, security be damned.
As for plug-in "workgroup" networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and enable shared-key IPSEC.
And joe user will understand this because.....
Currently Windows 2000 can be configured to be extremely secure without any additional software. Unfortunately you must have a *lot* of clue to configure the Machine and IP security policies it provides.
And there lies your problem (among other places).... bye, ken emery