
RE: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt

2007-07-04 00:05:44
At 08:37 03-07-2007, Hallam-Baker, Phillip wrote:
> Arguments about false senses of security are usually wrong. We are adapted for an environment where sabre toothed tigers are running around at night. So our tolerance for insecurity is much higher than you might think. A sense of security is created by familiarity, not by analysis.

NAT has coined an idiom that you are secure by virtue of using it. That's not stopping the tigers.

> The point here is not to shut off connectivity, but to shut it off by default. If the user knows they want to run an HTTP server they can set it up accordingly. The nice thing about NAT boxes is that a user who knows nothing about their network can plug one in and the default state is to deny inbound connections.

Shutting off inbound connectivity comes five years too late. Nowadays, the threat is also from the inside. NAT makes it more difficult to identify and take measures against the offending host.

> What that means is that the MySQL server or the embedded SQL Server in their application they didn't even know they had is shut off from external access. I was running an unpatched version of SQL Server when Slammer hit without ill effect. I have boxes that have not been booted for several years. I'll bet that much of the code on those boxes is vulnerable too. I don't patch systems I am not currently using.

That $50 box can be set by default to deny incoming connections so that the user who knows nothing about their network can plug it in. Outgoing connections could be restricted as well so as to deny these unpatched systems external access by default. Currently, this is not viable due to IP addressing constraints.

> Sure you can do much better if you 1) know what you are doing and 2) are prepared to put in the necessary time. Most people don't meet either condition.

I agree. Any solution for the type of user you mentioned is only effective if it is easy for them.

Regards,
-sm
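The policy both writers describe (inbound denied by default, one explicit opt-in for a user-chosen HTTP server, and outbound denied by default for hosts known to be unpatched) does not need NAT to exist; an IPv6 forwarding filter on the CPE expresses it directly. The nftables ruleset below is an added illustration, not part of this thread; interface names, the 2001:db8:1::/64 documentation prefix and the host addresses are constructed assumptions, and the router's own input chain is omitted.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny forwarding policy for an IPv6 home router.
# All names, prefixes and addresses below are constructed for illustration.
flush ruleset

define WAN = eth0
define LAN = eth1
define LAN_PREFIX = 2001:db8:1::/64
define WEB_SERVER = 2001:db8:1::10                    # host the user chose to expose
define UNPATCHED = { 2001:db8:1::20, 2001:db8:1::21 }  # hosts kept off the Internet

table ip6 cpe {
    chain forward {
        # Default state: nothing crosses the box unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened are allowed back in. Inbound
        # packets that belong to no known connection fall through to the drop policy.
        ct state established,related accept
        ct state invalid drop

        # IPv6 error messages (notably Packet Too Big for path MTU discovery)
        # must be forwarded or connections stall in hard-to-diagnose ways.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Egress: hosts flagged as unpatched are denied outbound by default;
        # every other host in the LAN prefix may initiate connections.
        iifname $LAN oifname $WAN ip6 saddr $UNPATCHED drop
        iifname $LAN oifname $WAN ip6 saddr $LAN_PREFIX accept

        # The single explicit opt-in: new inbound HTTP to the chosen server.
        iifname $WAN oifname $LAN ip6 daddr $WEB_SERVER tcp dport 80 ct state new accept
    }
}
```

Load with `nft -f` as root; `nft list ruleset` shows the resulting chain so each accept rule can be checked against the intended exceptions.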

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
