Re: Block all servers?

[ken emery <ken () cnet com>]

On Fri, 10 Oct 2003, Adam Selene wrote:

> IMHO, all consumer network access should be behind NAT.

Unfortuantely there are enough protocols and applications
which don't work well behind a NAT that deploying this on
a large scale is not practical.  Most gamers require incoming
connections.  These are people who willing to pay for bandwidth
so attempting to put them in the "nat only" box will not work.
Also what about folks who need to VPN in to their office
(either via PPTP or IPSEC)?  How would you take care of that
situation?

> However, the real solutions is (and unfortunately to the detriment
> of many 3rd party software companies) for operating system
> companies such as Microsoft to realize a system level firewall
> is no longer something to be "added on" or configured later.
> Systems need to be shipped completely locked down (incoming
> *and* outgoing IP ports), and there should be an API for
> applications to request permission to access a particular port or
> listen on a particular port (invoking a user dialog).

Unfortunately something like this would make the PC close to
useless which is not the intent of the software provider.  Thus
you see everything open, security be damned.

> As for plug-in "workgroup" networking (the main reason why
> everything is open by default), when you create a Workgroup,
> it should require a key for that workgroup and enable shared-key
> IPSEC.

And joe user will understand this because.....

> Currently Windows 2000 can be configured to be extremely secure
> without  any additional software. Unfortunately you must have a
> *lot* of clue to configure the Machine and IP security policies it
> provides.

And there lies your problem (among other places)....

bye,
ken emery