nanog mailing list archives

Re: IPv6 deployment excuses


From: Mike Hammett <nanog () ics-il net>
Date: Sat, 2 Jul 2016 13:42:54 -0500 (CDT)

Security that is too strict will be disabled and be far less effective than proper security measures. Security zealots 
are often blind to that. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


----- Original Message -----

From: "Keith Medcalf" <kmedcalf () dessus com> 
To: "nanog list" <nanog () nanog org> 
Sent: Saturday, July 2, 2016 11:41:48 AM 
Subject: RE: IPv6 deployment excuses 


Yes, the default is "on". An exception is added for EVERY SINGLE PIECE of Microsoft Crapware, whether it is needed or 
not (and in every single case, it is not). And if you turn those exceptions "off", then they are turned back on by 
Microsoft and their NSA partners for you, without your permission, whenever automatic updates run (and also at other 
times that I have not determined the trigger). You must continuously check that the firewall (although ON) remains 
configured as you configured it, or if Microsoft (and their NSA partners) have changed the configuration without your 
permission. 

Of course, most people do not bother configuring the firewall and do not wonder why every piece of Crapware has an 
incoming exception, and do not bother to turn those off (including some on this list apparently). So they will never 
notice these nefarious doings which have been a hotbed of discussion on the Internet for many years. 

And this is on the latest distribution of Windows 10 including the upcoming anniversary edition and has been that way 
since at least the first version of Windows 8. 

Whether or not Windows 7 also behaves the same way I do not know because I never ran it. 

-----Original Message----- 
From: Spencer Ryan [mailto:sryan () arbor net] 
Sent: Saturday, 2 July, 2016 10:08 
To: Keith Medcalf 
Cc: North American Network Operators' Group 
Subject: RE: IPv6 deployment excuses 

Windows 8 and 10 with the most recent service packs default the firewall 
to on with very few inbound exemptions. 


On Jul 2, 2016 11:38 AM, "Keith Medcalf" <kmedcalf () dessus com> wrote: 



There is no difference between IPv4 and IPv6 when it comes to 
firewalls and reachability. It is worth noting that hosts which 
support IPv6 are typically a lot more secure than older IPv4-only 
hosts. As an example every version of Windows that ships with IPv6 
support also ships with the firewall turned on by default. 

Just because the firewall is turned on does not mean that it is 
configured properly. 

Every version of Windows that ships with IPv6 support also ships 
with the Firewall configured in such a fashion that you may as well have 
it turned off. 

This is especially true in Windows 8 and later where the firewall is 
reconfigured without your permission by Microsoft every time you install 
any update whatsoever back to the "totally insecure" default state -- and 
there is absolutely no way to fix this other than to check, every single 
minute, that the firewall is still configured as you configured it, and 
not as Microsoft (and their NSA partners) choose to configure it. 

All versions of Windows 8 and later whether using IPv4 or IPv6 are 
completely unsuitable for use on a network attached to the Internet by any 
means (whether using NAT or not) that does not include an external (to 
Windows) -- i.e., in network -- stateful firewall over which Windows, 
Microsoft, (and their NSA partners) have no automatic means of control. 
If you allow UPnP control of the external stateful firewall from Windows 
version 8 or later, you may as well not bother having any firewall at all 
because it is not under your control. 
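
The thread disagrees about whether inbound exceptions reappear after updates; the following is an added example, not part of any message in the thread, that records the enabled inbound allow rules once and reports later drift so the question can be checked on a given machine. It assumes Windows 8 / Server 2012 or later with the built-in NetSecurity cmdlets; the baseline path and the function names are hypothetical choices for this sketch.

```powershell
# Added example: baseline the enabled inbound allow rules, then report drift.
# $BaselinePath and both function names are hypothetical, chosen for this sketch.
param(
    [string]$BaselinePath = "$env:ProgramData\fw-inbound-baseline.xml",
    [switch]$Save   # overwrite the baseline with the current state
)

function Get-InboundAllowSnapshot {
    # One record per enabled inbound allow rule, reduced to comparable fields.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Profile     = [string]$_.Profile
            }
        }
}

function Get-RuleDrift {
    param([object[]]$Baseline, [object[]]$Current)
    # Index both snapshots by rule name so empty sets are handled cleanly.
    $old = @{}; foreach ($r in $Baseline) { $old[$r.Name] = $r }
    $new = @{}; foreach ($r in $Current)  { $new[$r.Name] = $r }
    foreach ($n in $new.Keys) {
        if (-not $old.ContainsKey($n)) {
            [pscustomobject]@{ Change = 'Added'; Name = $n; DisplayName = $new[$n].DisplayName; Profile = $new[$n].Profile }
        } elseif ($old[$n].Profile -ne $new[$n].Profile) {
            [pscustomobject]@{ Change = 'ProfileChanged'; Name = $n; DisplayName = $new[$n].DisplayName; Profile = $new[$n].Profile }
        }
    }
    foreach ($n in $old.Keys) {
        if (-not $new.ContainsKey($n)) {
            [pscustomobject]@{ Change = 'Removed'; Name = $n; DisplayName = $old[$n].DisplayName; Profile = $old[$n].Profile }
        }
    }
}

$current = @(Get-InboundAllowSnapshot)
if ($Save -or -not (Test-Path $BaselinePath)) {
    $current | Export-Clixml -Path $BaselinePath
    "Baseline of $($current.Count) inbound allow rules written to $BaselinePath"
    return
}
$drift = @(Get-RuleDrift -Baseline @(Import-Clixml -Path $BaselinePath) -Current $current)
if ($drift.Count -eq 0) { "No drift from baseline." }
else { $drift | Sort-Object Change, Name | Format-Table -AutoSize; exit 1 }
```

Run it once with `-Save` after configuring the firewall, then from a scheduled task (for example after each update cycle); a non-zero exit code means the inbound allow set no longer matches the baseline.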
