RE: Microsoft to ship new versions with firewall enabled
ipchains and similar firewalls are indeed far superior. I manage "real" firewalls as part of my responsibilities.

However the new Microsoft policy will help protect the network from Joe and Jane average who buy a PC from the closest "big box" store and hook it up to their cable modem so they can exchange pictures of the kids with the grandparents in Fla. This is the class of users who botnet builders dream about because these people do not see a computer as a complex system which _requires_ constant maintenance but as a semi-magical device for moving images and text around.

----

I don't believe that many people really see ipchains as a real viable firewall. I think it is awesome, but in many corporations simply mentioning it gets you a stern eyeing. Of course these corporations can spend tons of money on Checkpoint and PIX boxen.

-Drew
The Checkpoint and PIX boxen are what we use here. But we also use ipchains to secure things at a host level.

Scott C. McGrath

On Thu, 14 Aug 2003, Drew Weaver wrote:
ipchains and similar firewalls are indeed far superior. I manage "real" firewalls as part of my responsibilities.
However the new Microsoft policy will help protect the network from Joe and Jane average who buy a PC from the closest "big box" store and hook it up to their cable modem so they can exchange pictures of the kids with the grandparents in Fla. This is the class of users who botnet builders dream about because these people do not see a computer as a complex system which _requires_ constant maintenance but as a semi-magical device for moving images and text around.
----
I don't believe that many people really see ipchains as a real viable firewall. I think it is awesome, but in many corporations simply mentioning it gets you a stern eyeing. Of course these corporations can spend tons of money on Checkpoint and PIX boxen.
-Drew
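A host-level default-deny ruleset of the kind Scott mentions, as an added example that is not from the thread: it assumes a Linux 2.2 host with ipchains installed, and DNS_SERVER is a constructed placeholder. Because ipchains keeps no connection state, return traffic is admitted by TCP flag and by source port, which is exactly the limitation the "real" firewalls Drew manages remove.

```shell
#!/bin/sh
# Default-deny inbound policy for a single host running ipchains (Linux 2.2).
# Added example, not from the thread. Set IPCHAINS=echo to preview the rules
# without applying them.
IPCHAINS="${IPCHAINS:-ipchains}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"   # constructed placeholder, use your resolver

apply_host_policy() {
    # Start from a clean input chain; anything not matched below is dropped.
    "$IPCHAINS" -F input
    "$IPCHAINS" -P input DENY
    # Loopback traffic never leaves the host.
    "$IPCHAINS" -A input -i lo -j ACCEPT
    # No connection tracking: admit TCP segments without SYN (replies to
    # connections this host opened) and refuse every new inbound SYN.
    "$IPCHAINS" -A input -p tcp ! -y -j ACCEPT
    # UDP has no flags to match, so only replies from the known resolver pass.
    "$IPCHAINS" -A input -p udp -s "$DNS_SERVER" 53 -j ACCEPT
    # Let outgoing pings get answers; other ICMP falls through to the policy.
    "$IPCHAINS" -A input -p icmp --icmp-type echo-reply -j ACCEPT
    # Log what is about to be dropped so a compromise shows up in syslog.
    "$IPCHAINS" -A input -l -j DENY
}

# Apply only when invoked as: sh host-firewall.sh apply
if [ "${1:-}" = apply ]; then
    apply_host_policy
fi
```

Run with IPCHAINS=echo first to review the rules before applying them on a live host.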
However the new Microsoft policy will help protect the network from Joe and Jane average who buy a PC from the closest "big box" store and hook it up to their cable modem so they can exchange pictures of the kids with the grandparents in Fla. This is the class of users who botnet builders dream about because these people do not see a computer as a complex system which _requires_ constant maintenance but as a semi-magical device for moving images and text around.
But that's exactly what a consumer PC is! An appliance (just like a toaster) for exchanging pictures, sending email, balancing the checkbook, paying bills, playing games, etc. The average Joe doesn't care why the thing works. But he does notice if it doesn't work as expected. Then he'll call tech support or get the neighbour's kid to help. He may never notice that the box has been compromised and DoSes his favorite website or relays SPAM to millions of fellow Joes. That's reality! The more broadband there is, the worse the problem becomes.

I absolutely agree with the statement that the network should be transparent. No blocked ports, no filtered content. What goes in one end comes out the other or is delivered to the intended recipient in between. Exceptions are temporary measures to reduce or eliminate harmful traffic that impedes network performance or otherwise compromises the network design goals.

Having said that, customers of ISPs have a great variety of needs. On one hand is the transport of transit data. This is truly a GIGO (garbage in, garbage out) situation where traffic should flow unhindered and in its entirety. On the other hand there is the residential ISP market. I don't think it's safe to let a residential PC sit on an internet connection and pass traffic to and from it without inspection.

ISPs need to wake up and offer a managed internet service, where the ISP takes the initiative to provide filtered internet to residential customers. Turn on firewall features in your cable box or make those small NAT routers part of the service offering.

Bashing any OS vendor isn't the solution. All OSes have exploits. The *NIX crowd is just a lot more technically inclined and a lot more aware of network security than your average Windows user. So instead of beating up on OS vendors or crippling the network, how about crippling the devices that are the root of the problem???

Adi
Participants (3):
- Adi Linden
- Drew Weaver
- Scott McGrath