RE: FW: Worms versus Bots

Daniel, I agree a NAT/firewall/router with ACLs ... will all help prevent Windows compromises. I believe security in depth is an essential element of any good security system.

The goal of this document is to help new XP users survive long enough to do their updates. Many of them can't/won't put up ACLs/NAT/firewalls ... but if they follow the steps listed they have a better chance of successfully downloading and updating their new machine than they will have without these steps. It is not meant as a complete XP hardening document. There are lots of documents that discuss in detail how to harden Windows (XP, NT, 2K...).

Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111.2

> Daniel, I agree a NAT/firewall/router with ACLs ... will all help prevent Windows compromises. I believe security in depth is an essential element of any good security system.
>
> The goal of this document is to help new XP users survive long enough to do their updates. Many of them can't/won't put up ACLs/NAT/firewalls

Note that I said "have this NAT box in your bag." My suggestion is that this be used during installation.

Is $50 too high an extra expense to suggest people just buy one with the machine, and use it as a tool for doing installations? That's what I was suggesting.

For the money, this is FAR better protection than that provided by the document.

> The goal of this document is to help new XP users survive long enough to do their updates. Many of them can't/won't put up ACLs/NAT/firewalls ... but if they follow the steps listed they have a better chance of successfully downloading and updating their new machine than they will have without these steps. It is not meant as a complete XP hardening document. There are lots of documents that discuss in detail how to harden Windows (XP, NT, 2K...).

If the person doesn't continue to do acls/nat/firewalls, they'll just get infected after the next hole is discovered. And yes, there are plenty of holes that a firewall/nat box won't fix. Still, better than the user only doing Windows Update on the day of install and never having a firewall...

Rob Nelson
ronelson@vt.edu

I object to the idea that requiring a software firewall inside a host is a reasonable thing to do. Why on earth would I want to run an insecure service and then have a filter to keep it from being used? Either I really want to run the service, and then the firewall gets in the way, or I don't need the service to be reachable, so I shouldn't run it. System services should only be available over the loopback address. Now obviously this is way too simple for some OS builders, but we shouldn't accept their ugly hacks as best current practice.
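The poster's test is whether a host actually needs a host firewall at all: if every system service is bound to the loopback address, there is nothing for the filter to hide. The following is an added example, not code from the thread, that audits a Windows-style `netstat -an` listing for listeners bound beyond loopback; the netstat output is a constructed sample.

```python
import ipaddress
import re

# Constructed sample of Windows "netstat -an" output (not captured from any real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:51234     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:123          *:*
"""

# proto, local addr, local port, foreign endpoint, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def exposed_listeners(netstat_text):
    """Return (proto, addr, port) for every listener reachable from beyond loopback.

    An empty result means the host meets the "loopback only" standard argued
    for above; anything returned is a service the network can reach directly.
    """
    exposed = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing TCP sockets are not listeners
        ip = ipaddress.ip_address(addr.strip("[]"))  # strip IPv6 brackets
        if ip.is_loopback:
            continue  # bound to 127.0.0.1 / ::1: not reachable from the wire
        exposed.append((proto, addr, int(port)))
    return exposed


if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} is reachable from the network")
```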

> I object to the idea that requiring a software firewall inside a host is a reasonable thing to do. Why on earth would I want to run an insecure service and then have a filter to keep it from being used?

You object to it, I object to it... but the fact remains that 95% of the user-accessible CPUs (not counting the embedded market) are running software that you have to do unreasonable things in order to make it anywhere near safe to use....

> Either I really want to run the service, and then the firewall gets in the way, or I don't need the service to be reachable, so I shouldn't run it. System services should only be available over the loopback address. Now obviously this is way too simple for some OS builders, but we shouldn't accept their ugly hacks as best current practice.

"Best Current Practice" is *so* divergent from "Currently Deployed Practice" that there's little or no common ground.