ietf
[Top] [All Lists]

RE: IPv6 NAT?

2008-02-15 11:13:54
Ok you tell me in less than a page how someone can use just those tools to be 
sure that their network is going to be safe when a network worm comes in an 
clobbers the print server running Linux 6.2

The problems are much harder than anyone knows to solve today.

How do I set an acl on my home server to be sure that the kids cannot watch 
unsuitable movies stored on it from their machines while being able to watch 
them myself?

Try it before you respond. And that is one of the better user interfaces.


Sent from my GoodLink Wireless Handheld (www.good.com)

 -----Original Message-----
From:   Christian Huitema 
[mailto:huitema(_at_)windows(_dot_)microsoft(_dot_)com]
Sent:   Friday, February 15, 2008 09:37 AM Pacific Standard Time
To:     Hallam-Baker, Phillip; Spencer Dawkins; Iljitsch van Beijnum; 
michael(_dot_)dillon(_at_)bt(_dot_)com
Cc:     ietf(_at_)ietf(_dot_)org
Subject:        RE: IPv6 NAT?

You know of an O/S that is not vulnerable to malware attacks? Please let me 
know
the name, I haven't encountered one professionally since I was using 
OpenGenera
in '95 and that was only secure because we had a more or less complete list 
with
the names of every person who had ever successfully managed to learn the 
beast.

Very few software products can be considered perfect. However, NAT and basic 
statefull firewalls only protect against a specific category of attacks, the 
arrival of unsolicited connection requests through the network. Most mainline 
operating systems have built-in protection against such attacks. Windows XP-SP2 
and Windows Vista certainly do. They come with a built in firewall that will, 
by default, prevent incoming traffic on all ports. I understand that recent 
Linux distributions and recent versions of OS/X have similar protections.

Attacking ports by sending random packets is very much a 2003 story. Modern 
malware typically works by exploiting users' naiveté, bugs in document parsers, 
or a combination of both. An example of user naiveté would be to ask users to 
download a special media player to look at frolicking bodies. An example of 
exploiting document parsers would be to lure users to visit a malevolent web 
site, and have they open a booby trapped image or movie.

The typical NAT or stateful firewall offers no protection against document 
parsing bugs. That is a good thing. If firewalls tried to do that, they would 
have to incorporate a large amount of document parsing code, and would most 
probably become a target for their own parsing bugs. Of course, no amount of 
electronics will protect against users intent on downloading a very special 
media player...

-- Christian Huitema




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf
<Prev in Thread] Current Thread [Next in Thread>