Microsoft to ship new versions with firewall enabled

John Markoff reports in the New York Times that Microsoft plans to change
how it ships Windows XP due to the worm. In the future Microsoft will
ship both business and consumer versions of Windows XP with the included
firewall enabled by default.

Wouldn't it make more sense to ship with all of the services disabled?

I mean, if the role of the firewall is to block packets to weak services,
wouldn't it be simpler to just disable the damn services since they aren't
going to be usable anyway?

'Firewall' is more buzzword compliant.

This doesn't even begin to address the fact that the firewalling included
in windows is nowhere near as functional as the firewalling in other OSes
(such as FreeBSD or Linux).

ipchains and similar firewalls are indeed far superior. I manage "real"
firewalls as part of my responsibilities.

However the new microsoft policy will help protect the network from Joe
and Jane average who buy a PC from the closest "big box" store and hook it
up to their cable modem so they can exchange pictures of the kids with the
grandparents in Fla. This is the class of users who botnet builders dream
about because these people do not see a computer as a complex system which
_requires_ constant maintenance but as a semi-magical device for moving
images and text around.

                            Scott C. McGrath

> Wouldn't it make more sense to ship with all of the services disabled?

Yes it would - at least to US - but that would inevitably create a load
for the Support desk. However as Microsoft charge for end-user support
I wouldn't put it past them thinking along those lines. I hope there's
nobody from Microsoft reading this list ... that might give them ideas!

> if the role of the firewall is to block packets to weak services,
> wouldn't it be simpler to just disable the damn services since they
> aren't going to be usable anyway?

That wouldn't make sense at all. What that would do is give the user
a false sense of security: it is just as important to block activities
by unauthorised programs ("trojans" etc) as it is to protect services
installed as part of the operating system.

What I do like in the latest release of Zone Alarm Pro is that it will
stop ANY program from connecting outbound on Port 25 unless that program
has been specifically authorised to send mail. It was quite informative
to see which programs were trying to mail information back to their base!

Apple have the right idea... I'd say all the vendors need to take a
carefully balanced approach to security in the default configurations of
their software. Leave services exposed to the network disabled by default,
where possible.

By all means, configure firewalls by default to block all non-established
incoming connections to low port numbers, but for heaven's sake don't also
block access to those ports from the local subnet as well.

How would your users cope if all their shared printers and file servers
suddenly became inaccessible because NetBIOS was universally blocked by new
operating system "security features"? I'd hazard a guess that after they've
called their ISP support team a couple of hundred times, they'll just switch
the firewall off...

Your firewall rules should automatically open ports when services are
explicitly enabled, and should be able to cope with laptops roaming between
home and office where the local subnet addresses may change. If the firewall
doesn't detect this, then you're going to cause a whole new world of support
problems.

- Matt
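As an added illustration of the policy Matt sketches (not code from the thread or from any vendor), the following hypothetical Python model applies his three rules to constructed packets: established traffic passes, new inbound connections to low ports are dropped unless the service was explicitly enabled, and a "local subnet" exception keeps NetBIOS reachable from neighbours. The `roaming_demo` function then re-addresses the same laptop onto a cafe network to show how that exception follows the machine. All addresses, ports and names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str                    # source address of the inbound packet
    dst_port: int               # destination port on this host
    established: bool = False   # True if it belongs to a connection this host already tracks


@dataclass
class HostFirewall:
    """Hypothetical default-deny inbound policy for low ports (constructed model)."""
    local_addr: str                                   # this host's address/prefix, e.g. "192.168.1.10/24"
    enabled_services: set = field(default_factory=set)  # ports opened when a service is switched on
    trust_local_subnet: bool = True                   # the exception that keeps shared printers working

    def local_net(self):
        return ipaddress.ip_interface(self.local_addr).network

    def enable_service(self, port: int) -> None:
        """Enabling a service opens its port, so the user never has to edit rules by hand."""
        self.enabled_services.add(port)

    def disable_service(self, port: int) -> None:
        self.enabled_services.discard(port)

    def decide(self, pkt: Packet) -> str:
        if pkt.established:
            return "ACCEPT"
        if pkt.dst_port >= 1024:
            return "ACCEPT"          # this policy only guards the low ports
        if pkt.dst_port in self.enabled_services:
            return "ACCEPT"
        if self.trust_local_subnet and ipaddress.ip_address(pkt.src) in self.local_net():
            return "ACCEPT"          # neighbour on the same subnet
        return "DROP"


def roaming_demo() -> dict:
    """Same laptop at home, then on a cafe WLAN; the subnet exception moves with it."""
    fw = HostFirewall("192.168.1.10/24")
    results = {}
    results["home_neighbour_netbios"] = fw.decide(Packet("192.168.1.5", 139))
    results["internet_netbios"] = fw.decide(Packet("203.0.113.7", 139))
    results["internet_reply"] = fw.decide(Packet("203.0.113.7", 80, established=True))
    fw.enable_service(80)                        # user explicitly turns on a web server
    results["internet_http_enabled"] = fw.decide(Packet("203.0.113.7", 80))
    fw.local_addr = "10.0.0.23/24"               # laptop re-addresses on the cafe network
    results["cafe_stranger_netbios"] = fw.decide(Packet("10.0.0.45", 139))
    fw.trust_local_subnet = False                # safer default on a network you do not control
    results["cafe_stranger_netbios_strict"] = fw.decide(Packet("10.0.0.45", 139))
    return results


if __name__ == "__main__":
    for name, verdict in roaming_demo().items():
        print(f"{name:34} {verdict}")
```

The last two entries of the result are the point: the same "local subnet" rule that is harmless behind a home router accepts NetBIOS from whoever shares the cafe's address range, unless the firewall notices the address change and drops the exception.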

Ah, no.

There are many services that ARE useful on the local machine, which may not need to listen to the outside world in all configurations. While I think the intent of your question was reasonable, the better way to phrase it would be:

"Wouldn't it make more sense to ship products with services listening only on loopback interfaces, rather than listening on all interfaces?"

The same exact issue applies to every operating system. Indeed, some vendors are dealing with this well. RedHat changed the default configuration of sendmail in RH9 to listen only on 127.0.0.1. The user can change that to listen to the outside IF the machine in question has a need to listen (i.e. it really was intended to be a mail server). This approach is to be commended, and should be followed for other services that may be necessary to run on a local machine, but which need not be reachable from outside the machine.

Define "local subnet."

Go sit in a Starbucks and use Wifi. Is the person at the next table, or sitting on the bench outside with their laptop considered on the "local subnet?" Do you trust that person?

This is just an example of how a policy like the one you suggest can be dangerous.
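The distinction drawn above, a service listening on loopback only versus on all interfaces, is easy to audit. Below is an added Python checker (not from the thread or from any vendor) that parses the output format of Linux `ss -lnt` and classifies every listening TCP socket as loopback-only, bound to all interfaces, or bound to one specific address. The sample output embedded in the block is constructed for the example; on a real machine you would feed it `ss -lnt` (or an equivalent `netstat` listing, whose columns differ and would need a different parser).

```python
import ipaddress

# Constructed sample in the column layout of `ss -lnt`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       10      127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     192.168.1.10:139     0.0.0.0:*
LISTEN  0       511     [::]:80              [::]:*
LISTEN  0       10      [::1]:631            [::]:*
"""


def split_addr_port(field: str):
    """Split 'addr:port', including bracketed IPv6 like '[::1]:631'."""
    addr, port = field.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def classify(addr: str) -> str:
    """loopback: reachable only from this machine; all: every interface; specific: one address."""
    if addr == "*":                 # some ss versions print '*' for the unspecified address
        return "all"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:           # 0.0.0.0 or ::
        return "all"
    return "specific"


def audit_listeners(text: str):
    """Return (port, address, scope) for every LISTEN line in ss-style output."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                # skips the header and any non-listening rows
        addr, port = split_addr_port(parts[3])
        findings.append((port, addr, classify(addr)))
    return findings


def exposed_ports(text: str):
    """Ports that something other than the local machine could reach."""
    return sorted({port for port, _, scope in audit_listeners(text) if scope != "loopback"})


if __name__ == "__main__":
    for port, addr, scope in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port:5}  bound to {addr:15}  {scope}")
    print("exposed:", exposed_ports(SAMPLE_SS_OUTPUT))
```

In the sample, sendmail on 127.0.0.1:25 and CUPS on [::1]:631 come out as loopback-only and drop out of the exposed list, which is exactly the RH9-style default the post recommends; the three remaining ports are the ones a firewall or a vendor default would have to account for.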

Richard Cox wrote:

> Wouldn't it make more sense to ship with all of the services disabled?

> Yes it would - at least to US - but that would inevitably create a load
> for the Support desk. However as Microsoft charge for end-user support
> I wouldn't put it past them thinking along those lines. I hope there's
> nobody from Microsoft reading this list ... that might give them ideas!

But who actually calls Microsoft for support? Bob and Beth Luser call their
OEM, DELL, Gateway, Sony, Compaq, etc., not Microsoft.

And I think the OEMs are getting off a little easy in all of this. Microsoft
distributes their product to OEMs who have a fair bit of room to customize
the default settings (all of the monopolistic arm twisting involving hiding
IE icons, installing other web browsers, etc., ignored for now). How much
you wanna bet if Microsoft distributes with the firewall enabled, OEMs will
turn around and _disable_ it in the installation they sell? They are the
ones who want to cut down the support calls. And they don't want to lose
business to a competitor who ships with all of the bells-n-whistles turned
back on because Bob and Beth are convinced the computer they got was "broken"
because disabled (mis)features were not enabled out of the box.

On the other hand, OEMs can be the Good Guys here and take the lead
ahead of Mickeysoft and firm up the loose default setting they get from
Microsoft. DELL has promised to do this... but I still don't know if
their press releases will live up to reality. If any NANOGers out there
make purchasing decisions about PCs with Windows, I hope you direct your
business towards OEMs who do sell better secured distributions or demand
that the OEMs do so.

> Apple have the right idea... I'd say all the vendors need to take a
> carefully balanced approach to security in the default configurations of
> their software. Leave services exposed to the network disabled by default,
> where possible.
>
> By all means, configure firewalls by default to block all non-established
> incoming connections to low port numbers, but for heaven's sake don't also
> block access to those ports from the local subnet as well.

> Define "local subnet."
>
> Go sit in a Starbucks and use Wifi. Is the person at the next table, or sitting on the bench outside with their laptop considered on the "local subnet?" Do you trust that person?

Hold on a second, and let me ask him. :)

> This is just an example of how a policy like the one you suggest can be dangerous.

He said "What's a subnet?"

heh

jc

Not being an XP user I haven't confirmed this personally, but I'm told that when an XP box with the latest updates/packs/whatever has IPv6 turned on, the included IPv6 "firewall" is automatically enabled with all inbound connections blocked. Apparently this change was made when they started including the p2p kit. I did recently see a case where an XP machine refused to answer IPv6 pings, and suspect that this was behind it. . .

Bill.

Zone Alarm Pro is very stupid as well. When a machine makes an outbound
connection attempt, yes, you'll see a dialog that pops up asking you
whether to allow that SINGLE connection or not, I guess this is what
you mean...

BUT on every single occasion I get that dialog box, it's telling me
that the program is trying to access my ISP's DNS servers, which is
correct, I click yes to allow that SINGLE connection, and it lets
the program go ahead and connect to port 22 (putty is the application
in this instance), instead of asking me about port 22 next.

Reasons why this is bad?

A) Semi-savvy user sees 'DNS' and their ISP's nameservers and clicks
   yes not knowing it's a trojan trying to resolve the hostname for
   trojan base.

B) Trojanned program operates semi-normally, makes the initial
   connection to the proper host, you ok it with ZoneAlarm because it
   looks legit, but ZoneAlarm goes ahead and lets the program connect
   to whatever it wants after the inital OK, (example scenario: buffer
   overflow), so the trojan connections are concealed.

C) It's bothersome. Ask the user every time they fire up the program
   whether they want to let it connect to something, and they're going
   to click the "please don't ask me about this crappy program ever
   again" checkbox, and be done with it, again, concealing trojan
   connections in the event the program gets modified later down the
   road.
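The complaint above (one click on the DNS prompt and the program may then connect anywhere) and the earlier praise for Zone Alarm Pro's port-25 rule both come down to what the firewall remembers after the user says yes. The added Python model below (not code from the thread or from Zone Labs) runs one constructed sequence of outbound attempts from the same binary through two policies: one that remembers only the program, and one that remembers the (program, destination port) pair. Program names, addresses and the set of mail clients are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Conn:
    program: str
    dst_host: str
    dst_port: int


MAIL_CLIENTS = {"outlook.exe"}   # constructed: the only programs authorised to send mail


@dataclass
class OutboundPolicy:
    per_endpoint: bool                   # True: remember (program, port); False: remember program only
    user_allows: Callable[[Conn], bool]  # simulates the user's answer to the pop-up
    granted: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _key(self, c: Conn):
        return (c.program, c.dst_port) if self.per_endpoint else c.program

    def decide(self, c: Conn) -> str:
        # The port-25 rule: no prompt at all unless the program is an authorised mail client.
        if c.dst_port == 25 and c.program not in MAIL_CLIENTS:
            self.log.append((c, "deny", "mail-rule"))
            return "deny"
        key = self._key(c)
        if key in self.granted:
            self.log.append((c, "allow", "silent"))      # no dialog: the user never sees this one
            return "allow"
        verdict = "allow" if self.user_allows(c) else "deny"
        if verdict == "allow":
            self.granted.add(key)
        self.log.append((c, verdict, "prompted"))
        return verdict


def cautious_user(c: Conn) -> bool:
    """A user who recognises putty's DNS and SSH traffic and refuses anything else."""
    return c.program == "putty.exe" and c.dst_port in (53, 22)


SESSION = [  # constructed sequence of attempts from the same binary
    Conn("putty.exe", "198.51.100.53", 53),   # resolve the hostname via the ISP's DNS
    Conn("putty.exe", "203.0.113.10", 22),    # the SSH session the user actually wanted
    Conn("putty.exe", "203.0.113.99", 6667),  # a connection the user never asked for
    Conn("putty.exe", "203.0.113.99", 25),    # an attempt to send mail directly
]


def run(per_endpoint: bool):
    """Return (port, verdict, how-decided) for each attempt under the chosen policy."""
    policy = OutboundPolicy(per_endpoint, cautious_user)
    return [(c.dst_port, policy.decide(c), policy.log[-1][2]) for c in SESSION]


if __name__ == "__main__":
    for label, flag in (("per-program", False), ("per-endpoint", True)):
        print(label, run(flag))
```

Under the per-program policy the one "yes" on the DNS prompt silently covers port 22 and then port 6667, which is the concealment described in points A and B; only the port-25 rule still fires because it never relies on a remembered grant. Under the per-endpoint policy the unexpected port produces a fresh prompt, at the cost of more dialogs, which is the trade-off point C is about.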

> On the other hand, OEMs can be the Good Guys here and take the lead
> ahead of Mickeysoft and firm up the loose default setting they get from
> Microsoft. DELL has promised to do this... but I still don't know if
> their press releases will live up to reality. If any NANOGers out there
> make purchasing decisions about PCs with Windows, I hope you direct your
> business towards OEMs who do sell better secured distributions or demand
> that the OEMs do so.

Wouldn't really matter. NANOGers run networks for the most part, not
computer clubs, college classes, afterschool programs, IT departments,
or hair salons, where most computer-buying decisions are made.

People want value and functionality without having to deal with
complicated details like output wattage of power supplies or say
something like security.

But at the same time, everyone has some sort of theory about a
Microsoft conspiracy and why Windows Update shouldn't be allowed to
automatically update machines instead of prompting users, resulting
in patches not being applied month after month until some worm comes
out and makes you work overtime.

At which point a bunch of you run out and buy 'bad guy' paint and
dump bucketloads all over Microsoft while promoting your favorite OS.

*shrug*

Anyone know what's up with the big power outage in Ontario Canada ?

  ---Mike

I just lost 80 circuits (Voice and Data), across multiple states on the
East Coast in the last 10 minutes. Is there a Northeast power outage or
fiber cut that anyone knows about?

Any info would be appreciated...

-Aaron

From CNN:

NEW YORK (CNN) -- A major power outage simultaneously struck several large
cities in the United States and Canada late Thursday afternoon.

Cities affected include New York; Boston, Massachusetts; Cleveland, Ohio;
Detroit, Michigan; Toronto, Ontario; and Ottawa, Ontario. The power outage
occurred shortly after 4 p.m.

<snip>

no word on the cause(s), but a ConEd transformer on East 14th street was
said to be on fire...not sure how that could affect other cities,
though...

Current news links below. Info is still very sketchy:

  http://www.cnn.com/2003/US/08/14/power.outage/index.html
  http://www.nytimes.com/2003/08/14/nyregion/14WIRE_POWER.html
  
Toronto Sun has nothing online at the moment.

--Lloyd

Power -- we were hit as far west as Cleveland, and saw the blip in Dayton.
-ls-

More news sites:

Toronto News: http://cnews.canoe.ca/CNEWS/Canada/2003/08/14/160918-cp.html
Baltimore: http://www.sunspot.net/news/nationworld/bal-newyork0815,0,2936608.story?coll=bal-home-headlines

--Lloyd

CNN is reporting a New York State official as saying that "The
Niagara-Mohawk power grid is overloaded".