Firewall Wizards mailing list archives
Home user problem
From: PG <pgs () defensor se>
Date: Wed, 14 Sep 2005 14:06:40 +0200
As a former citizen of northern Sweden, known to be pessimistic by nature, I find Marcus' scepticism healthy. The home user thread has been entertaining to read but really does not cover any new ground. The ISP situation is one doomed to fail no matter which way you turn. The problem lies elsewhere in my opinion.

First, the legal aspect. From my perspective, the ISP entity needs to be better defined from a legal standpoint. Certain things you SHOULD or MUST do. I have not considered all aspects of this but would suggest for example that egress filtering to increase traceability be one mandatory point. I.e. there should be clear rules as to what is and is not within the ISP's responsibilities and the end users' rights.

Second, user education. I used to believe in this. After teaching network security to everyone from sysadmins to boards of directors I have reached the same conclusion as Marcus. It will, at best, allow us to take another breath or two before drowning but will not solve the problem, nor even make much of a dent in it.

This brings us to the core of the problem: if we are not supposed to educate the users then we must make sure they cannot do harm. Think for a minute on what default deny means when it comes to a firewall. This is where we want our users to be. As long as we are running on fundamentally broken equipment and protocols, this is nearly impossible. The decisions that we suffer from today were taken decades ago.

The analogies for cars and guns and so on all have some merit. However, I find them flawed when compared to the user problem from the point of view that the user does in general not intend to cause harm. It is a byproduct of their ineptitude at using the net. Now, if you look at a modern car, you do not need to be a technical person to drive it; in fact you are in every way discouraged from doing anything to the car at all. If the car thinks it needs service, it will tell you so, and without very specific knowledge and the right tools you cannot do anything on your own. Now, this is where the computer and Internet need to be. The OS of today is basically a car where you are sitting with the engine in the front seat, the brake fluid running in open conduits and so on. Make one wrong or uninformed move and it breaks. This is to various degrees true for every OS out there, be it the latest bloat from Microsoft or any default installed Linux client. In addition, most of the protocols used today are inherently flawed, and Marcus' idea of a Y2K scrap of it all would have been lovely. We are currently throwing good money after bad in an effort to postpone the inevitable by buying security appliance XYZ to protect ourselves. I fear that we will end up with several commercial internets in the future where the structure is sound but the "freedom" gone.

Just to try a constructive thought, this is a loose idea of how I would tackle the home user problem if ever working at an ISP. As for the ISP filtering certain ports: again, default deny. Enumerating a certain number of ports and blocking these leaves you trailing after the bad stuff. The default connection a user gets on day one of subscription SHOULD block all incoming ports. Now, before every user leaves this imaginary ISP of mine, make it configurable by the user him-/herself. The thing you now regulate is the level of the user's access to the configuration. If they open up everything and get infected, they get a warning. If they do it again, they get everything closed and lose the right to configure it. This leaves it up to the individual user which risks to take, BUT they are per default protected. At least in the sense of protected we can achieve with easy access restrictions. This coupled with good documents and tutorials for the use and penalties of the system could make a good carrot-on-a-stick.

It all comes down to choosing what evil you want to live with.

-- PG

--
Pål Göran Stensson, Security Consultant, CTO
E-mail: pgs () defensor se
Mobile: +46 (0) 708 - 92 80 93
Defensor Sweden AB
http://www.defensor.se
--
Computers have enabled people to make more mistakes faster than almost any invention in history, with the possible exception of tequila and hand guns. /Mitch Ratcliffe
--
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
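The subscriber policy PG sketches (all inbound ports closed on day one, user self-service to open ports, a warning on the first infection, and a lock-out with everything closed on the second) can be written down as a small state machine that renders a default-deny nftables ruleset. The following is an added example and not code from the post or from any ISP; the subscriber ids, the 198.51.100.0/24 documentation addresses and the "customers" interface name are constructed, and the generated nftables text is illustrative of the policy rather than a tested production ruleset.

```python
"""Model of a default-deny, user-configurable ISP ingress policy.

Added example; it assumes a hypothetical ISP-side filter that forwards
subscriber traffic on an interface named "customers" and renders one
nftables chain per subscriber. Nothing here is taken from the post.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_STRIKES = 2  # first confirmed infection: warning; second: closed and locked


@dataclass
class Subscriber:
    addr: str                                   # constructed public address
    open_ports: Set[int] = field(default_factory=set)  # inbound TCP ports the user opened
    strikes: int = 0
    locked: bool = False                        # lost the right to configure


class IngressPolicy:
    def __init__(self) -> None:
        self.subs: Dict[str, Subscriber] = {}

    def add(self, sub_id: str, addr: str) -> None:
        # Day one: nothing inbound is open (default deny).
        self.subs[sub_id] = Subscriber(addr=addr)

    def open_port(self, sub_id: str, port: int) -> bool:
        """User self-service. Refused for unknown, locked, or out-of-range input."""
        sub: Optional[Subscriber] = self.subs.get(sub_id)
        if sub is None or sub.locked or not 0 < port < 65536:
            return False
        sub.open_ports.add(port)
        return True

    def report_infection(self, sub_id: str) -> str:
        """Called by the ISP's abuse pipeline on a confirmed infection.

        Returns the action taken: "warning" or "locked".
        """
        sub = self.subs[sub_id]
        sub.strikes += 1
        if sub.strikes >= MAX_STRIKES:
            sub.open_ports.clear()   # everything closed again
            sub.locked = True        # and no further self-service
            return "locked"
        return "warning"

    def render(self) -> str:
        """Render the whole policy as one nftables table with a drop policy."""
        lines = [
            "table inet isp_ingress {",
            "    chain forward {",
            "        type filter hook forward priority 0; policy drop;",
            '        iifname "customers" accept',        # subscriber-originated (outbound) traffic
            "        ct state established,related accept",  # replies to what the user initiated
        ]
        if self.subs:
            entries = ", ".join(
                f"{s.addr} : jump sub_{sid}" for sid, s in sorted(self.subs.items())
            )
            lines.append(f"        ip daddr vmap {{ {entries} }}")
        lines.append("    }")
        for sid, s in sorted(self.subs.items()):
            lines.append(f"    chain sub_{sid} {{")
            if s.open_ports and not s.locked:
                ports = ", ".join(str(p) for p in sorted(s.open_ports))
                lines.append(f"        tcp dport {{ {ports} }} accept")
            # An empty chain falls through to the base chain's drop policy.
            lines.append("    }")
        lines.append("}")
        return "\n".join(lines)


if __name__ == "__main__":
    policy = IngressPolicy()
    policy.add("a1", "198.51.100.10")
    policy.add("b2", "198.51.100.11")
    policy.open_port("a1", 443)
    print(policy.render())
    print(policy.report_infection("a1"))  # warning, ports stay open
    print(policy.report_infection("a1"))  # locked, ports closed
    print(policy.render())
```

The base chain's `policy drop` is what makes the scheme default deny: a subscriber chain only ever adds `accept` rules, so a user who has opened nothing, or who has been locked, gets an empty chain and every unsolicited inbound packet falls through to the drop. The strike counter is the "carrot-on-a-stick" part; how an infection is confirmed is left to the ISP's abuse handling and is outside this model.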