This really isn't solving my problems at all. Which is a
pity since I have rather more computer knowledge than the typical home or
enterprise customer that Microsoft is attempting to serve.
The problem isn't limited to Microsoft either. In this
respect Apple is just as bad and Linux considerably worse.
First the point about my network is that the printers do
not connect up to Windows boxes, they connect up to the network, which is the
only logical arrangement really. I have not got the foggiest idea which
operating system Brother use on their printers. But I am pretty sure it's
reasonably powerful and certainly not the type of thing that I would ever allow
to go on the Internet directly. The task here is to configure the network so
that we are sure that there is no external vulnerability that (1) requires least
effort, (2) is most likely to be done correctly.
The only tool that a consumer can purchase today that meets
those needs is a firewall that cuts off inbound ports. It is a blunt instrument
but it is the only one that meets the requirements.
Second, net nanny or
the like really does not meet the requirements I outlined. I suggest that
Microsoft take some note of these requirements since you have only spent a
billion dollars buying access to the necessary technology but you are not
deploying it in a form that end users could possibly use to meet their
needs.
In the scenario I gave, the data I wish to stop the
kids accessing is already on my network, net nanny is totally useless in this
instance. Let us imagine that I have a configuration that consists of one Vista
machine and one Home Server on which there is stored a collection of ripped
DVDs of video nasties, you know The Sound of Music, Care Bears Movie etc. some
of the nastiest films I have seen. I do not wish the kids' tastes to be corrupted
by this rubbish.
Try
setting up that configuration and take a good look at the information that the
user has to work with. I would send you screen shots that make this point but
the machine has just gone out of action with a hardware fault. I promise you
that there is absolutely no way any competent admin could possibly be
confident that the machine was configured as intended without logging in using
the kids accounts to check that they were unable to see the banned
movies.
When I wrote The dotCrime Manifesto: How to Stop
Internet Crime, I was thinking in terms of how to provide security usability for
applications such as email and the Web. Since then I have been looking at the
problem of how to systematize an approach to security usability engineering.
The
point here is not to identify one set of products as being 'worse' than others,
NONE of the products I have used is any better. Security Usability is something
that the entire industry has been failing on. The solution here is not 'buy a
Mac'.
I am
really not at all surprised that users cling to their +5 amulet of protection
firewalls. They at least know how to use them.
The
reason we see so many data breaches and lost SSNs is that the products out there
in the market are ALL broken by design. They are all based on a security
architecture where it is assumed that data does not move. Well with the Internet
data sure does move and that has real consequences.
Now
part of the solution is going to be heavyweight usability engineering with
intensive lab testing etc. But many of the products and systems I have been
looking at have faults that I believe could and should have been detected in the
early design phase.
Security cannot be effective when it is provided in the
form of a DIY assembly required project. But that's what the field has been
doing.
From: Christian Huitema [mailto:huitema@xxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, February 15, 2008 2:27 PM
To: Hallam-Baker, Phillip; Spencer Dawkins; Iljitsch van Beijnum; michael.dillon@xxxxxx
Cc: ietf@xxxxxxxx
Subject: RE: IPv6 NAT?

I don't know for Linux, but the normal configuration of a print or file sharing
service in a Windows home network would be to only listen on the local network,
which makes it immune to "arrival from the network". The connection simply will
not be established.

Of course, the simple "single network" solution does not
work in enterprises. There are multiple solutions available to limit access to
enterprise services, for example "server and domain isolation" using IPSEC (http://technet.microsoft.com/en-us/network/bb545651.aspx).
This is actually what Microsoft does use in its internal
network.

There are multiple offers for "parental control" services, e.g. built in Windows Vista
(http://blogs.msdn.com/uac/archive/2006/04/06/570560.aspx).

Of course, if you are simply looking at incoming traffic load, then clearly routers
can play a role by implementing a form of rate
limiting.

From: ietf-bounces@xxxxxxxx [mailto:ietf-bounces@xxxxxxxx] On Behalf Of Hallam-Baker,
Phillip

Ok you tell me in less than a page how someone can use
just those tools to be sure that their network is going to be safe when a
network worm comes in and clobbers the print server running Linux 6.2
_______________________________________________ Ietf@xxxxxxxx http://www.ietf.org/mailman/listinfo/ietf