Re: Web hijacking by router - a new method of advertisement by Belkin
> The router would grab a random HTTP connection every eight hours and redirect it to Belkin's (push) advertised web page. In response to criticism, a Belkin product manager came forward this week to confirm the behaviour was designed into the products...

Do they not realize that this has a strong possibility of breaking any web application every eight hours? What happens when a call to a site's javascript file, stylesheet, internal frame page, or XML data gets replaced by a Belkin advertisement? The site breaks and they get a support telephone call. Major class action lawsuit material, not just by every Belkin user but by every web publisher on the Internet.

Adam
Re: [arin-announce] IPv4 Address Space (fwd)
> > and operating system would be safer sitting behind a firewall pretty much marked the end of universal end-to-end connectivity, and I don't see it
>
> An OS-level (software) firewall doesn't preclude end-to-end connectivity, and even a per-machine hardware firewall doesn't given it can pass inbound traffic through. Most servers on the Internet are also behind hardware firewalls, and they don't hinder end-to-end connectivity.

Last I checked most firewalls don't make these machines safe; it might make them safer, so only two out of three malwares hit them. A properly configured firewall will protect a machine against everything but its user, and therein lies a problem you will likely never solve.

Adam
Re: Block all servers?
> Unfortunately there are enough protocols and applications which don't work well behind a NAT that deploying this on a large scale is not practical.

It already is deployed upon a large scale. When I had @Home in Seattle (one of the first subscribers), I had a 10.x address. Here in Costa Rica, broadband (cable modem) connections for the entire country are behind NAT.

> Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation?

I use IPSEC and it works fine behind NAT.

> Unfortunately something like this would make the PC close to useless which is not the intent of the software provider. Thus you see everything open, security be damned.

No. You default open the common and popular internet ports for outbound, and 90% of users never use anything else.

> > As for plug-in workgroup networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and enable shared-key IPSEC.
>
> And joe user will understand this because.

That's the point, he doesn't have to. A workgroup becomes a name + a key/passphrase instead of just a name. What that accomplishes is completely hidden.

Adam
Re: Block all servers?
> Penalizing users that need (and will pay) for reasonably accessible two way communication is not the answer, and never will be.

By all means, make a non-NAT IP address an optional premium service, and hope those that request it are sophisticated enough to secure their machine.

Adam
Re: Block all servers?
> NAT is more expensive to produce, so it should be an optional premium service, and that seems to be more and more the case.

Not necessarily when you consider the cost (in bandwidth, network reliability and support staff) imposed by worms and kiddies from other networks scanning your IP space for unsecured machines. That's not even to mention the cost imposed by compromised systems. Even if NAT only reduces compromised systems by 20%, that's a cost savings. Given that most edge hardware supports NAT, the additional cost is nominal. Getting IP space allocation is not without cost either.

Adam

PS. Is this off-topic for NANOG? If so, I apologize. Given my networks are repeatedly the victim of distributed DoS attacks from compromised machines on other networks, it seemed relevant to me.
Re: Block all servers?
IMHO, all consumer network access should be behind NAT. However, the real solution is (and unfortunately to the detriment of many 3rd party software companies) for operating system companies such as Microsoft to realize a system level firewall is no longer something to be added on or configured later. Systems need to be shipped completely locked down (incoming *and* outgoing IP ports), and there should be an API for applications to request permission to access a particular port or listen on a particular port (invoking a user dialog).

As for plug-in workgroup networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and enable shared-key IPSEC.

Currently Windows 2000 can be configured to be extremely secure without any additional software. Unfortunately you must have a *lot* of clue to configure the Machine and IP security policies it provides.

Adam
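The "shipped completely locked down" host that this post and the earlier "default open the common and popular internet ports for outbound" reply describe, as an added illustration that is not part of the thread and not something the poster configured: it uses the NetSecurity firewall cmdlets of current Windows (Windows 2000 had no such cmdlets; the equivalent lived in the IP security policies the post mentions). The allowed outbound port list, the rule names and the `<path-to-app.exe>` program path are assumptions chosen for the example.

```powershell
# Added example (not from the thread): a Windows host with default-deny in both
# directions, an allow-list of common outbound services, and one per-application
# exception standing in for the "request permission for a port" API the post asks for.
# Requires an elevated PowerShell session on a Windows version with the NetSecurity module.

# 1. Default-deny inbound AND outbound on every profile (the post's "locked down" baseline).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block

# 2. Open only the "common and popular" outbound services (assumed list); everything else stays closed.
$allowedOutbound = @(
    @{ Name = 'Allow DNS out (UDP)'; Protocol = 'UDP'; Port = 53  },
    @{ Name = 'Allow DNS out (TCP)'; Protocol = 'TCP'; Port = 53  },
    @{ Name = 'Allow HTTP out';      Protocol = 'TCP'; Port = 80  },
    @{ Name = 'Allow HTTPS out';     Protocol = 'TCP'; Port = 443 },
    @{ Name = 'Allow NTP out';       Protocol = 'UDP'; Port = 123 }
)
foreach ($rule in $allowedOutbound) {
    New-NetFirewallRule -DisplayName $rule.Name -Direction Outbound -Action Allow `
        -Protocol $rule.Protocol -RemotePort $rule.Port -Profile Any
}

# 3. Per-application exception: a named program gets exactly the port it needs and nothing more.
#    '<path-to-app.exe>' is a placeholder for the application's executable path.
New-NetFirewallRule -DisplayName 'Allow mail client SMTPS' -Direction Outbound -Action Allow `
    -Program '<path-to-app.exe>' -Protocol TCP -RemotePort 465 -Profile Any

# 4. Audit: list the port filters of every enabled Allow rule so you can confirm
#    that nothing beyond the intended services is reachable.
Get-NetFirewallRule -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Format-Table -Property Protocol, LocalPort, RemotePort -AutoSize
```

The audit step matters more than the rule creation: Windows ships a number of built-in rule groups that remain in force alongside yours, so the only way to know what a "locked down" profile actually permits is to enumerate the enabled Allow rules after applying the policy. Test on a lab machine first; with outbound default-deny, anything not on the allow-list (including the update and directory traffic the host itself needs) will fail silently until a rule is added.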