Ok you tell me in less than a page how someone can use just those tools to be
sure that their network is going to be safe when a network worm comes in an
clobbers the print server running Linux 6.2
The problems are much harder than anyone knows to solve today.
How do I set an acl on my home server to be sure that the kids cannot watch
unsuitable movies stored on it from their machines while being able to watch
Try it before you respond. And that is one of the better user interfaces.
Sent from my GoodLink Wireless Handheld (www.good.com)
From: Christian Huitema
Sent: Friday, February 15, 2008 09:37 AM Pacific Standard Time
To: Hallam-Baker, Phillip; Spencer Dawkins; Iljitsch van Beijnum;
Subject: RE: IPv6 NAT?
You know of an O/S that is not vulnerable to malware attacks? Please let me
the name, I haven't encountered one professionally since I was using
in '95 and that was only secure because we had a more or less complete list
the names of every person who had ever successfully managed to learn the
Very few software products can be considered perfect. However, NAT and basic
statefull firewalls only protect against a specific category of attacks, the
arrival of unsolicited connection requests through the network. Most mainline
operating systems have built-in protection against such attacks. Windows XP-SP2
and Windows Vista certainly do. They come with a built in firewall that will,
by default, prevent incoming traffic on all ports. I understand that recent
Linux distributions and recent versions of OS/X have similar protections.
Attacking ports by sending random packets is very much a 2003 story. Modern
malware typically works by exploiting users' naiveté, bugs in document parsers,
or a combination of both. An example of user naiveté would be to ask users to
download a special media player to look at frolicking bodies. An example of
exploiting document parsers would be to lure users to visit a malevolent web
site, and have they open a booby trapped image or movie.
The typical NAT or stateful firewall offers no protection against document
parsing bugs. That is a good thing. If firewalls tried to do that, they would
have to incorporate a large amount of document parsing code, and would most
probably become a target for their own parsing bugs. Of course, no amount of
electronics will protect against users intent on downloading a very special
-- Christian Huitema
Ietf mailing list