RE: Microsoft to ship new versions with firewall enabled

ipchains and similar firewalls are indeed far superior. I manage "real"
firewalls as part of my responsibilities.

However the new microsoft policy will help protect the network from Joe
and Jane average who buy a PC from the closest "big box" store and hook it
up to their cable modem so they can exchange pictures of the kids with the
grandparents in Fla. This is the class of users who botnet builders dream
about because these people do not see a computer as a complex system which
_requires_ constant maintenance but as a semi-magical device for moving
images and text around.

The checkpoint and Pix Boxen are what we use here. But we also use
ipchains to secure things at a host level.

                            Scott C. McGrath

However the new microsoft policy will help protect the network from Joe
and Jane average who buy a PC from the closest "big box" store and hook it
up to their cable modem so they can exchange pictures of the kids with the
grandparents in Fla. This is the class of users who botnet builders dream
about because these people do not see a computer as a complex system which
_requires_ constant maintenance but as a semi-magical device for moving
images and text around.

But that's exactly what a consumer PC is! An appliance (just like a
toaster) for exchanging pictures, sending email, balancing the checkbook,
paying bills, playing games, etc. The average Joe doesn't care why the thing
works. But he does notice if it doesn't work as expected. Then he'll
call tech support or get the neighbour's kid to help. He may never notice
that the box has been compromised and DoSs his favorite website or
relays SPAM to millions of fellow Joes. That's reality! The more
broadband there is, the worse the problem becomes.

I absolutely agree with the statement that the network should be
transparent. No blocked ports, no filtered content. What goes in one end
comes out the other or is delivered to the intended recipient in between.
Exceptions are temporary measures to reduce or eliminate harmful traffic
that impedes network performance or otherwise compromises the network
design goals.

Having said that, customers of ISPs have a great variety of needs. On one
hand is the transport of transit data. This is truly a GIGO (garbage in,
garbage out) situation where traffic should flow unhindered and in its
entirety. On the other hand there is the residential ISP market. I don't
think it's safe to let a residential PC sit on an internet connection and
pass traffic to and from it without inspection.

ISPs need to wake up and offer a managed internet service, where the ISP
takes the initiative to provide filtered internet to residential
customers. Turn on firewall features in your cable box or make those small
NAT routers part of the service offering.

Bashing any OS vendor isn't the solution. All OSes have exploits. The *NIX
crowd is just a lot more technically inclined and a lot more aware of
network security than your average Windows user.

So instead of beating up on OS vendors or crippling the network, how about
crippling the devices that are the root of the problem???

Adi