I don’t
know for Linux, but the normal configuration of a print or file sharing service
in a Windows home network would be to only listen on the local network, which
makes it immune to “arrival from the network”. The connection
simply will not be established. Of course, the simple “single network”
solution does not work in enterprises. There are multiple solutions available
to limit access to enterprise services, for example “server and domain
isolation” using IPSEC (http://technet.microsoft.com/en-us/network/bb545651.aspx).
This is actually what Microsoft does use in its internal network.
There
are multiple offers for “parental control” services, e.g. built in
Windows Vista (http://blogs.msdn.com/uac/archive/2006/04/06/570560.aspx).
Of
course, if you are simply looking at incoming traffic load, then clearly
routers can play a role by implementing a form of rate limiting.
From:
ietf-bounces@xxxxxxxx [mailto:ietf-bounces@xxxxxxxx] On Behalf Of Hallam-Baker, Phillip
Sent: Friday, February 15, 2008
10:10 AM
To: Christian Huitema; Spencer
Dawkins; Iljitsch van Beijnum; michael.dillon@xxxxxx
Cc: ietf@xxxxxxxx
Subject: RE: IPv6 NAT?
Ok you tell me in less than a page how someone can use
just those tools to be sure that their network is going to be safe when a
network worm comes in an clobbers the print server running Linux 6.2
The problems are much harder than anyone knows to solve today.
How do I set an acl on my home server to be sure that the kids cannot watch
unsuitable movies stored on it from their machines while being able to watch them
myself?
Try it before you respond. And that is one of the better user interfaces.
Sent from my GoodLink Wireless Handheld (www.good.com)
-----Original Message-----
From: Christian Huitema [mailto:huitema@xxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, February 15, 2008 09:37 AM Pacific Standard Time
To: Hallam-Baker, Phillip; Spencer Dawkins; Iljitsch
van Beijnum; michael.dillon@xxxxxx
Cc: ietf@xxxxxxxx
Subject: RE: IPv6 NAT?
> You know of an O/S that is not vulnerable to malware attacks? Please let
me know
> the name, I haven't encountered one professionally since I was using
OpenGenera
> in '95 and that was only secure because we had a more or less complete
list with
> the names of every person who had ever successfully managed to learn the
beast.
Very few software products can be considered perfect. However, NAT and basic
statefull firewalls only protect against a specific category of attacks, the
arrival of unsolicited connection requests through the network. Most mainline
operating systems have built-in protection against such attacks. Windows XP-SP2
and Windows Vista certainly do. They come with a built in firewall that will,
by default, prevent incoming traffic on all ports. I understand that recent
Linux distributions and recent versions of OS/X have similar protections.
Attacking ports by sending random packets is very much a 2003 story. Modern
malware typically works by exploiting users' naiveté, bugs in document parsers,
or a combination of both. An example of user naiveté would be to ask users to
download a special media player to look at frolicking bodies. An example of
exploiting document parsers would be to lure users to visit a malevolent web
site, and have they open a booby trapped image or movie.
The typical NAT or stateful firewall offers no protection against document
parsing bugs. That is a good thing. If firewalls tried to do that, they would
have to incorporate a large amount of document parsing code, and would most
probably become a target for their own parsing bugs. Of course, no amount of
electronics will protect against users intent on downloading a very special
media player...
-- Christian Huitema