Re: Fw: Re: Block all servers?
On Tue, 2003-10-14 at 21:12, Fred Heutte wrote: IPSec prevents packet modification to thwart man-in-the-middle attacks. However, this strong security feature also generates operational problems. NAT frequently breaks IPSec because it modifies packets by substituting public IP addresses for private ones. Many IPSec products implement NAT traversal extensions, but support for this feature isn't universal, and interoperability is still an issue. IMHO this is a bit misleading as it implies you need some kind of special gateway with NAT traversal extensions to get IPSec to work. This is not exactly true as only AH checks the IP header. If you stick with just ESP you can re-write IPs without failing authentication. True this only works for one to one NAT. Many to one NAT will still break IPSec, even if ESP is used alone. This is a functionality issue however (IPSec using a fixed source port of 500), rather than a preventing packet modification to thwart man-in-the-middle attacks thing. And Phifer notes later that one of the critical issues with SSL VPNs is whether you want to Webify everything. For all of us (I hope), the net is much more than just port 80. Not so sure you really have to. This is true if you are running things like pop3s, imaps, etc. but you can also go with something like stunnel which is pretty close to IPSec. The biggest drawback is no native support for UDP which makes using internal DNS a bit of a bear. Cheers, C
Re: Fw: Re: Block all servers?
Chris Brenton wrote: [snip] True this only works for one to one NAT. Many to one NAT will still break IPSec, even if ESP is used alone. This is a functionality issue however (IPSec using a fixed source port of 500), rather than a preventing packet modification to thwart man-in-the-middle attacks thing. IPsec does not use port 500. IKE uses port 500/udp. IKE is an additional protocol that is widely used to establish SAs and provide keying materials for IPsec, but it is not required for a compliant IPsec implementation. In addition, most IKE implementations do not care whether the source port on a IKE packet is 500/udp or not. As I explained previously, ESP alone is un-NAT able in the general case due to the fact that it is a peer-to-peer protocol, not client-to- server, and the SPIs in either direction are unrelated. -- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications(408) 933-4387
Re: Block all servers?
On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor wants to IPSEC to the same place (say you work at the same place). If both of you are NAT'd from the same IP address trying to IPSEC to the same IP address? I don't believe things will work in this instance. why not? We use it here, works fine (with certificates for auth). tschuess Stefan -- Stefan Mink, Schlund+Partner AG (AS 8560) Primary key fingerprint: 389E 5DC9 751F A6EB B974 DC3F 7A1B CF62 F0D4 D2BA pgp0.pgp Description: PGP signature
Re: Block all servers?
Stefan Mink wrote: On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor wants to IPSEC to the same place (say you work at the same place). If both of you are NAT'd from the same IP address trying to IPSEC to the same IP address? I don't believe things will work in this instance. why not? We use it here, works fine (with certificates for auth). OK, let's do this one more time. Many-to-one NAT of a many-to-one ESP VPN does not work. (Period) Why? There is no way for the NAT device to map the ESP packets to the nodes it hides. You say, The SPI field is perfect for maintaining a translation table! It would be accept for one very big problem. IPsec is a peer-to-peer protocol. Either side may renegotiate the SAs at any time. While using IKE[0], the SPI passes the NAT device in the _encrypted_ payloads. The NAT device never sees the SPI until the ESP starts flowing. Also, keep in mind the SPI is _not_ symmetric. So, now we have two machines behind a NAT device, and both want to have an ESP VPN to the same machine. What does the NAT device do when it receives an ESP packet from the exterior end of the ESP VPN tunnel? How does it decide which of the internal ends to send it to? The SPI has nothing to do with the outgoing SPIs (if it even has seen any outgoing ESP yet). It cannot pull the SPI out of the IKE. You can try timing, if it's a new SPI, try sending it to the last one that had a IKE conversation, but that is a guess, what happens if two happen to negotiate at once? And if you guess wrong, things do not fail and recover for the VPN players. So, you cannot NAT ESP in the general case. Thus we have all of the rather grotesque kludges of wrapping the ESP in another transport layer of UDP or TCP so that the NAT devices have some port numbers to play with. If your IPsec VPN works through NAT, the NATer is making some assumptions (usually it only will support a single IPsec end point behind it which solves the who do I send the ESP to problem) or your VPN software has a Draft or vendor kludge to wrap the IPsec in something more NAT friendly. Note again that NAT above implies many-to-one NAT. This problem disappears in a one-to-one NAT configuration where only authentication and integrity issues, which can be dealt with within IPsec, come into play. If someone has figured out a way around this, I would love to hear about it. [0] The fact you don't need to use IKE to set up SAs makes the problem even more intractable. A NAT device would have to know of every possible way to configure SPIs. -- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications(408) 933-4387 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact [EMAIL PROTECTED]
Re: Block all servers?
At 6:30 PM +0200 10/14/03, Stefan Mink wrote: On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor wants to IPSEC to the same place (say you work at the same place). If both of you are NAT'd from the same IP address trying to IPSEC to the same IP address? I don't believe things will work in this instance. why not? We use it here, works fine (with certificates for auth). From what I've seen it depends on whether the NAT has specific support for IPSEC, and if that support includes support for multiple clients. The NAT box has to keep track of the mapping. I've seen NATs priced based on how many VPN clients they support at a time. See http://www.dslreports.com/faq/4638 -- Kee Hinckley http://www.messagefire.com/ Next Generation Spam Defense http://commons.somewhere.com/buzz/ Writings on Technology and Society I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
Re: Block all servers?
In message [EMAIL PROTECTED], Crist Clark writes: Kee Hinckley wrote: At 6:30 PM +0200 10/14/03, Stefan Mink wrote: On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor wants to IPSEC to the same place (say you work at the same place). If both of you are NAT'd from the same IP address trying to IPSEC to the same IP address? I don't believe things will work in this instance. why not? We use it here, works fine (with certificates for auth). From what I've seen it depends on whether the NAT has specific support for IPSEC, and if that support includes support for multiple clients. The NAT box has to keep track of the mapping. I've seen NATs priced based on how many VPN clients they support at a time. See http://www.dslreports.com/faq/4638 Quoting from that, Some routers permit multiple IPSec connections through NAT by uniquely identifying tunnels via the pair of SPI numbers snagged from an IKE exchange. These identifying numbers are stored in IPSec NAT table entries to allow correct routing of inbound ESP traffic. Last time I looked, the SPIs are exchanged in an encrypted payload in IKE. Am I mistaken? The router would have to mount a successful MIM attack to do this. You're completely correct. NATs can only handle this by heuristics; they can't handle the situation where more than one host behind it is communication via IPsec with the same destination. --Steve Bellovin, http://www.research.att.com/~smb
Fw: Re: Block all servers?
The new issue of Network Magazine has a cover story that may be worth a look: SSL VPNs: Remote Access for the Masses, by Andrew Conry-Murray, which makes a pretty convincing case for the use of SSL VPNs instead of IPSec. A lot of this is still-emerging stuff and the author, to his credit, doesn't pull any punches saying so. But it does make the point that, although IPSec has many admirable design ideas, deployment is sticky. http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId15201419classroom In a similar vein is Lisa Phifer's VPNs: Tunnel Visions, How do SSL VPNs match up with their older IPSec cousins? in the August issue of Information Security: http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss21_art83,00.html Naturally, given the audience, she focuses much more on the security specifics. Of particular interest: IPSec prevents packet modification to thwart man-in-the-middle attacks. However, this strong security feature also generates operational problems. NAT frequently breaks IPSec because it modifies packets by substituting public IP addresses for private ones. Many IPSec products implement NAT traversal extensions, but support for this feature isn't universal, and interoperability is still an issue. SSL is almost as tough against man-in-the-middle attacks, without IPSec's NAT conflict. SSL rides on TCP, so it's insulated from IP and port modifications, and thus passes easily through NAT. SSL carries sequence numbers inside encrypted packets to prevent packet injection, and TLS uses message authentication to detect payload changes. And Phifer notes later that one of the critical issues with SSL VPNs is whether you want to Webify everything. For all of us (I hope), the net is much more than just port 80. fred
Re: Block all servers?
Terry Baranski wrote: That being said, NAT does break stuff and as has been mentioned, filtering is certainly possible without having to bring NAT into the mix. Microsoft assures us that the Windows firewall will be enabled by default starting with WinXP patches early next year. How easy will it be to turn it off? Will a virus be able to do it for you? I would expect most new sophisticated trojans to include this functionality. Most home users run their WinXP with Local Administrator rights anyway because othervise many activities would be more complicated to accomplish. Many turn off AV products already. I would also expect the sophisticated trojans to include NATPT like funcitionality when it becomes neccessary to accumulate the needed number of zombies for effective DDoS and other distruptive activities. We already see them utilizing the local SMTP configuration on the machine to use the relays the user is supposed to. The Road Ahead is to make DDoS and abuse mitigation more efficient and put some real security into the application architechtures without making them unusable. Pete Pete
Re: Block all servers?
On Fri, Oct 10, 2003 at 08:07:05PM -0600, Adam Selene wrote: IMHO, all consumer network access should be behind NAT. -snip- As for plug-in workgroup networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and enable shared-key IPSEC. These two requirements are mutually exclusive outside of a LAN environment, and if you're on a LAN, why require IPSEC? Filtering or NAT do not protect you from bad implementation or bad protocol design. Penalizing users that need (and will pay) for reasonably accessible two way communication is not the answer, and never will be. --msa
Re: Block all servers?
Adam Selene wrote: IMHO, all consumer network access should be behind NAT. First of all, this would block way too many uses that currently actually sell the consumer network connections. I recommend my competition to do this Secondly, it´s very hard, if impossible to come up with a NAT device which could translate a significant amount of bandwidth. Coming up with one to put just a single large DSLAM behind is tricky. (OC-12 level of bandwidth) NAT devices which do OC12 or near don´t come cheap either. This is (fortunately) not a cost you can sink to the customer as added value. Because we lack clue and technology, we just block you for anything and make you pay for it. However, the real solutions is (and unfortunately to the detriment of many 3rd party software companies) for operating system companies such as Microsoft to realize a system level firewall is no longer something to be added on or configured later. Systems need to be shipped completely locked down (incoming *and* outgoing IP ports), and there should be an API for applications to request permission to access a particular port or listen on a particular port (invoking a user dialog). Don´t underestimate the painfully slow rate of change in widely deployed systems. There is a lot of software out there which dates back 15 years or more. Can you afford to wait even five? Hardly any of the issues we see today would go away if such an API would be enforced on the applications because the issues are due to the legitimate applications legitimately talking to the network with permission. As for plug-in workgroup networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and enable shared-key IPSEC. This is not a bad idea at all. Make sure to save a copy of this message in case somebody tried to patent this. Currently Windows 2000 can be configured to be extremely secure without any additional software. Unfortunately you must have a *lot* of clue to configure the Machine and IP security policies it provides. The box should have a sticker needs a resident computer mechanic :) Pete
RE: Block all servers?
NAT at the end of OC12 sounds hideous indeed. That's why I would prefer to see it as part of the modem in the house/business. I am sure (by guesswork and not by statistics) that a very large number of users would need relatively simple and secure systems. I guess this because of the way I see a lot of equipment being used in the groups I talk to. Does that mean that one size fits all? No of course not. Just in the same way that one car type fits all. If it did, wouldn't Skodas be looking great right about now?! Of course from an ISP or other provider's point of view, uniformity/standardization allows costs to be driven downwards. So in order to keep costs handled, a non-customizable service is the order of the day. By making the NAT router a part of the cable modem at least there is a lesser chance that a large number of people who want a simple network connection will have any trouble at all. Perhaps posting a security bond would be an interesting way of overcoming some behaviors. General society appears to have strong financial motivations (look what I can get for free (theft) by downloading music, etc.) Well make the standard service cheap, and add the premium features by control of the NAT router inside the modem from the support center. Remember that access is a privilege not a right. Of course as soon as you attempt to control a box from outside, that is throwing down the gauntlet to the malcommunity. So the NATRouter/Modem combo would have to be a bit clever. That of course may drive cost up.. As people who inhabit the network space, I think we do have some responsibilities to encourage the directions that service provider choose. If this isn't a good idea, what is? If we assume the following then we are forced to think broadly: Most PCs that people buy are configured too broadly with too many services open and are thus vulnerable. Most people do not want to mess with keeping their systems safe (for a variety of reasons). Most people have become accustomed to relatively inexpensive access Most people have brothers-in-law who know a bit about computers and can royally screw things up! Most people know a really bright 12 year old who can do very clever things with the computer that I can't understand Many people assume facility with some terminology and fast typing to be indicators of knowledge and responsibility. Many people do the computing equivalent of throwing trash out of the car window - i.e. not taking any responsibility for polluting the environment. These sociological phenomena demand that those who provide the services provide them responsibly or face the consequences. Sadly the consequences are societal in impact and don't just affect the providers. How much benefit would we get if we were to reduce the number of computers that could possibly be infected with something by 50%, 75%? How much benefit could we get by knowing which networks were potentially vulnerable - because they chose to open things up. I realize that we have a long way to go to get security. It is a bit like when cars first came out - we could/would drive anywhere. Eventually we agreed that we, in a given country, would drive on a particular side of the road. There is no obviously good reason why it should be one side or the other (as successful drivers in the UK and the US would agree!), but pick one. Once that happened, then some of the chaos disappeared. There is a (possibly true) story that when telephone adoption rates were analyzed in the 1930s, predictions were that every person in the US would have to be a telephone operator to keep up with the manual connecting of calls through plug-switchboards. The expected cross-over was sometime in the 1950s. Well, with the advent of Subscriber Trunk Dialing we are all telephone operators today! I see the same things happening in the computing world, we are all going to have to be network operators and sesames at some point! Sadly those interfaces are not as easy and standard as the familiar phone keypad! Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Petri Helenius Sent: Saturday, October 11, 2003 1:47 AM To: [EMAIL PROTECTED] Subject: Re: Block all servers? Adam Selene wrote: IMHO, all consumer network access should be behind NAT. First of all, this would block way too many uses that currently actually sell the consumer network connections. I recommend my competition to do this Secondly, it´s very hard, if impossible to come up with a NAT device which could translate a significant amount of bandwidth. Coming up with one to put just a single large DSLAM behind is tricky. (OC-12 level of bandwidth) NAT devices which do OC12 or near don´t come cheap either. This is (fortunately) not a cost you can sink to the customer as added value. Because we lack clue and technology, we just block you for anything and make you pay for it. However, the real solutions
Re: Block all servers?
Didn't susan ask for this topic to move off-list? Anybody (no...not Merit) care to step up and create a nanog-issues list where such discussions can continue unmolested when the nanog topic police declare an important topic off-topic? I can understand how some operators might not want to hang out with the masses in spam-l or spam-tools, or waste their time with the noise and kooks in nanae. But these are some pretty serious problems and if we can't come up with solutions soon, the internet is pretty much totally screwed. See more below On Sat, 11 Oct 2003, Petri Helenius wrote: Secondly, it´s very hard, if impossible to come up with a NAT device which could translate a significant amount of bandwidth. Coming up with one to put just a single large DSLAM behind is tricky. (OC-12 level of bandwidth) So do the NAT closer to the edge. If you're providing DSL, do many of your customers use DSL modems plugged into their PCs (USB, PCI)?, or are you selling/leasing them DSL routers? In the very beginning, we either sold or gave PCI or USB DSL modems to our customers, but those were usually a PITA to support due to problems with windows, driver issues, hardware becoming unsupported when customers upgraded to the next version of windows, etc. Now, we only hook up DSL customers using DSL routers, and all the DSL routers we've ever used can do NAT, so there'd be no need to try to do NAT at the DSL agg router. I suspect we could selectively do NAT or not for dial-up customers on our access-servers...though I'm not sure how the very large (like AS5400, AS5800) units would fare trying to do NAT for several hundred dial-up sessions. But why all this talk of NAT? Even if we all universally deployed it on monday, it wouldn't solve the problem. All it would do is keep the spammer/hackers from turning grandma's PC into a web server/proxy. She can still catch tuesday's email virus which will cause her PC to hang out in some IRC channel or monitor some web page, and be remotely controlled for the purpose of sending spam, participating in DDoS floods...and now things just got much harder to track down. When you get complaints that a.b.c.d is participating in some kind of attack, how do you tell which of the dozens or hundreds of customers NAT'd to that IP is responsible/infected? -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Block all servers?
Unfortuantely there are enough protocols and applications which don't work well behind a NAT that deploying this on a large scale is not practical. It already is deployed upon a large scale. When I had @Home in Seattle (one of the first subscribers), I had a 10.x address. Here in Costa Rica, broadband (cable modem) connections for the entire country are behind NAT. Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation? I use IPSEC and it works fine behind NAT. Unfortunately something like this would make the PC close to useless which is not the intent of the software provider. Thus you see everything open, security be damned. No. You default open the common and popular internet ports for outbound, and 90% of users never use anything else. As for plug-in workgroup networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and enable shared-key IPSEC. And joe user will understand this because. That's the point, he doesn't have to. A workgroup becomes a name + a key/phassphrase instead of just a name. What that accomplishes is completely hidden. Adam
Re: Block all servers?
Penalizing users that need (and will pay) for reasonably accessible two way communication is not the answer, and never will be. By all means, make a non-NAT IP address a optional premium service, and hope those that request it are sophisticated enought to secure their machine. Adam
Re: Block all servers?
On Sat, 11 Oct 2003, Adam Selene wrote: Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation? I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor wants to IPSEC to the same place (say you work at the same place). If both of you are NAT'd from the same IP address trying to IPSEC to the same IP address? I don't believe things will work in this instance. bye, ken emery
Re: Block all servers?
Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation? IPSEC works over NATs just fine. Alex
Re: Block all servers?
Adam Selene wrote: By all means, make a non-NAT IP address a optional premium service, and hope those that request it are sophisticated enought to secure their machine. NAT is more expensive to produce, so it should be an optional premium service, and that seems to be more and more the case. Pete
Re: Block all servers?
NAT is more expensive to produce, so it should be an optional premium service, and that seems to be more and more the case. Not necessarily when you consider the cost (in bandwidth, network reliability and support staff) imposed by worms and kiddies from other networks scanning your IP space for unsecured machines. That's not even to mention the cost imposed by compromised systems. Even if NAT only reduces compromised systems by 20%, that's a cost savings. Given that most edge hardware supports NAT, the additional cost is nominal. Getting IP space allocation is not without cost either. Adam PS. Is this off-topic for NANOG? If so, I apologize. Given my networks are repeatedly the victim of distributed DoS attacks from compromised machines on other networks, it seemed relevant to me.
Re: Block all servers?
In message [EMAIL PROTECTED], Alex Yurie v writes: Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation? IPSEC works over NATs just fine. Not in the general case, no. See draft-aboba-nat-ipsec-04.txt if you can find a copy. --Steve Bellovin, http://www.research.att.com/~smb
Re: Block all servers?
On Sat, 11 Oct 2003, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], Alex Yurie v writes: Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation? IPSEC works over NATs just fine. Not in the general case, no. See draft-aboba-nat-ipsec-04.txt if you can find a copy. This internet draft is available at: http://quimby.gnus.org/internet-drafts/draft-aboba-nat-ipsec-04.txt I can't figure out if anything happened with this draft (I'm guessing nothing went on). The draft expired on December 1, 2001. bye, ken emery
RE: Block all servers?
This internet draft is available at: http://quimby.gnus.org/internet-drafts/draft-aboba-nat-ipsec-04.txt Ken Emery wrote: I can't figure out if anything happened with this draft (I'm guessing nothing went on). The draft expired on December 1, 2001. IPSec NAT Traversal is still being standardized, but has already been implemented in a good number of products. Current drafts: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-07.txt http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-06.txt http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-05.txt Jon Lewis wrote: But why all this talk of NAT? Even if we all universally deployed it on monday, it wouldn't solve the problem. All it would do is keep the spammer/hackers from turning grandma's PC into a web server/proxy. As well as preventing infection from worms like Blaster, and so forth. It's hard to imagine one solution solving the entire laundry list of problems. One step at a time. That being said, NAT does break stuff and as has been mentioned, filtering is certainly possible without having to bring NAT into the mix. Microsoft assures us that the Windows firewall will be enabled by default starting with WinXP patches early next year. How easy will it be to turn it off? Will a virus be able to do it for you? -Terry
RE: Block all servers?
I agree that Michael is right on. The social, psychological and financial issues are in many ways more tricky than the technical issus. However, I think there are ways to help. But first some history When I signed up for Cable broadband access several years ago, I was told, And of course you must not put a router on the network. The of course was a surprise to me. That immediately meant (at least to me) that I was going to be exposed to anything that came wandering past my (dynamically assigned) IP address. Of course I put a router in place. Was it something really good? No, it was what I could afford. A Linksys broadband router. Was it misconfigured? Probably - I am after all an applications guy not a solid network engineer. Did I get it checked out by the network guys at work? You betcha. Have I eliminated all risk? No. Have I eliminated affordable risk? yes. Since then I have created a DMZ at home (again not necessarily the most solid in the world), but at least it has the following effects: My VOIP telephone line is directly in to the DMZ - that just saves a hop. My in home wireless network is just that - in home. The NAT router that protects it has everything I can think of disabled. I have access to a couple of servers when I am traveling (both in the DMZ) so that I can access important files and test development web sites. There is in theory no public access. In practive, of course it is wide open - that's why we have DMZs I also have personal firewalls on all computers whether they travel or not. Why? Because I want to block outbound activities. I rarely see anything inbound that is blocked, but I do like the ability of my PFWs to detect outbound activities and make me confirm/deny access. That is just good hygeine. Oh btw that firewall monitors inbound email too, so it becomes a first level virus protector. Real virus protection kicks in behind that. Now what could the broadband providers do: First off, they could incorporate NAT into the DOCSIS or other compliant cable modems/DSL Modems. Make sure that the NAT router is configured so that incoming ports are all blocked. Yes that makes it hard for gaming, so there needs to be an extra capability so that gamers have to explicitly (at a fee?) get the features opened. That is only a start of course, because as soon as you do that then there are going to be vulnerabilities. However, the likelihood of infection/spewing of packets is reduced somewhat. Second, in the acceptable use policy for high speed connections, require a licence of some kind. We have licenses/permits for our cars, our dogs, our burglar alarms, for going fishing,. Why not for broadband. Actually I can see many reasons both to do it and not to do it, so this is clearly an area where debate is reasonable. Third monitor the bandwidth used (ratios on inbound/outbound) for example. Actual numbers might be better. For example, at my DMZ router, it reports the following this morning: Up time 23:50 (just less than 1 day) Bytes TX 40,612,318 Bytes RX 370,212,922 These numbers are surprisingly large. However I do run Groove at home and a lot of data is shared with people all over the world, so the TX isn't terribly surprising. The RX is monstrous though. Next stat since power on, the DMZ router has recognized 513 alerts - mostly ping requests from other Comcast users. Now that would be an interesting set of cluse if Comcast itself were able to do anything about it. Lots of Pings (against home machines) are usually indicative of some kind of problem (yeah, preaching to the choir, I know), so in this combined modem/router, I could envisage some stats gathering and reporting on usage - especially things that are somewhat suspicious. Of course the line is fine between privacy, acceptable use, and risk. The whole approach does need to be thought through pretty carefully. I now spend time talking with friends, local groups (Church, city or whatever) describing the risks. Some people even act on them. Some people ask for help cleaning up their home systems - especially to remove pop-ups, improve spam handling and keep porn away from the kids. What they often don't realize is that the actions they have taken (downloading gator or hotbar) have caused precisely the effects that they are trying to guard against. So much of my time spent delousing is running the cleanup tools (ad-aware, pest patrol, taskinfo to see what's running), enabling firewalls, recommending that people buy firewalls, instilling a use the grc tools discipline and generally doing what I can to keep the computers relatively clean. At approximately 3 hours per computer, I am not making as much headway as I would like! We therefoe have got to encourage the industry (especially the responsible leading players) to have things configured by default to make life safe. Then unsafe behavior becomes a choice rather than a default. Sorry for the length of this rant, but I wanted to point out that there are responsible
RE: Block all servers?
The TOS/AUP for most residential broadband connections already allows the ISP to shut off service or do anything they want to the customer without prior notice. It has been this way for at least 3 or 4 years, since the advent of @Home. Take a look at the TOS/AUP for Comcast, Shaw Cable, MSN DSL or similar... Second, in the acceptable use policy for high speed connections, require a licence of some kind. We have licenses/permits for our cars, our dogs, our burglar alarms, for going fishing,. Why not for broadband. Actually I can see many reasons both to do it and not to do it, so this is clearly an area where debate is reasonable.
RE: Block all servers?
I know they CAN, but the issue is do they have the mechanisms and operational capabilities of actually doing so? I would like to see my cable provider making it hard to do some of the things I do. Not because I should not be doing them, but those same holes that I exploit (hopefully in a benign fashion) can be used with malicious intent. By saying, If you want to use our service then you must deply this kind of modem/router at least makes their insistence explicit. Currently there is more arm waving than actual adherence to security policy. Thus we have many poorly configured Windows boxes accessing the internet (and the WWW) in manners which are to the detriment of everyone else. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Kuhnke Sent: Friday, October 10, 2003 7:06 PM To: [EMAIL PROTECTED] Subject: RE: Block all servers? The TOS/AUP for most residential broadband connections already allows the ISP to shut off service or do anything they want to the customer without prior notice. It has been this way for at least 3 or 4 years, since the advent of @Home. Take a look at the TOS/AUP for Comcast, Shaw Cable, MSN DSL or similar... Second, in the acceptable use policy for high speed connections, require a licence of some kind. We have licenses/permits for our cars, our dogs, our burglar alarms, for going fishing,. Why not for broadband. Actually I can see many reasons both to do it and not to do it, so this is clearly an area where debate is reasonable.
Re: Block all servers?
IMHO, all consumer network access should be behind NAT. However, the real solutions is (and unfortunately to the detriment of many 3rd party software companies) for operating system companies such as Microsoft to realize a system level firewall is no longer something to be added on or configured later. Systems need to be shipped completely locked down (incoming *and* outgoing IP ports), and there should be an API for applications to request permission to access a particular port or listen on a particular port (invoking a user dialog). As for plug-in workgroup networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and enable shared-key IPSEC. Currently Windows 2000 can be configured to be extremely secure without any additional software. Unfortunately you must have a *lot* of clue to configure the Machine and IP security policies it provides. Adam
Re: Block all servers?
On Fri, 10 Oct 2003, Adam Selene wrote: IMHO, all consumer network access should be behind NAT. Unfortuantely there are enough protocols and applications which don't work well behind a NAT that deploying this on a large scale is not practical. Most gamers require incoming connections. These are people who willing to pay for bandwidth so attempting to put them in the nat only box will not work. Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation? However, the real solutions is (and unfortunately to the detriment of many 3rd party software companies) for operating system companies such as Microsoft to realize a system level firewall is no longer something to be added on or configured later. Systems need to be shipped completely locked down (incoming *and* outgoing IP ports), and there should be an API for applications to request permission to access a particular port or listen on a particular port (invoking a user dialog). Unfortunately something like this would make the PC close to useless which is not the intent of the software provider. Thus you see everything open, security be damned. As for plug-in workgroup networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and enable shared-key IPSEC. And joe user will understand this because. Currently Windows 2000 can be configured to be extremely secure without any additional software. Unfortunately you must have a *lot* of clue to configure the Machine and IP security policies it provides. And there lies your problem (among other places) bye, ken emery