
RE: IPv6 NAT?

2008-02-18 16:35:37
This really isn't solving my problems at all. Which is a pity since I have 
rather more computer knowledge than the typical home or enterprise customer 
that Microsoft is attempting to serve. 
 
The problem isn't limited to Microsoft either. In this respect Apple is just as 
bad and Linux considerably worse.
 
 
First the point about my network is that the printers do not connect up to 
Windows boxes, they connect up to the network, which is the only logical 
arrangement really. I have not got the foggiest idea which operating system 
Brother use on their printers. But I am pretty sure it's reasonably powerful and 
certainly not the type of thing that I would ever allow to go on the Internet 
directly. The task here is to configure the network so that we are sure that 
there is no external vulnerability that (1) requires least effort, (2) is most 
likely to be done correctly.
 
The only tool that a consumer can purchase today that meets those needs is a 
firewall that cuts off inbound ports. It is a blunt instrument but it is the 
only one that meets the requirements.
 
 
Second, net nanny or the like really does not meet the requirements I outlined. 
I suggest that Microsoft take some note of these requirements since you have 
only spent a billion dollars buying access to the necessary technology but you 
are not deploying it in a form that end users could possibly use to meet their 
needs.
 
In the scenario I gave, the data I wish to stop the kids accessing is already 
on my network, net nanny is totally useless in this instance. Let us imagine 
that I have a configuration that consists of one Vista machine and one Home 
Server on which there is stored a collection of ripped DVDs of video nasties, 
you know The Sound of Music, Care Bears Movie etc. some of the nastiest films I 
have seen. I do not wish the kids' tastes to be corrupted by this rubbish.
 
Try setting up that configuration and take a good look at the information that 
the user has to work with. I would send you screen shots that make this point 
but the machine has just gone out of action with a hardware fault. I promise 
you that there is absolutely no way any competent admin could possibly be 
confident that the machine was configured as intended without logging in using 
the kids accounts to check that they were unable to see the banned movies.
 
 
When I wrote The dotCrime Manifesto: How to Stop Internet Crime, I was thinking 
in terms of how to provide security usability for applications such as email 
and the Web. Since then I have been looking at the problem of how to 
systematize an approach to security usability engineering. 
 
The point here is not to identify one set of products as being 'worse' than 
others, NONE of the products I have used is any better. Security Usability is 
something that the entire industry has been failing on. The solution here is 
not 'buy a Mac'.
 
I am really not at all surprised that users cling to their +5 amulet of 
protection firewalls. They at least know how to use them. 
 
 
The reason we see so many data breaches and lost SSNs is that the products out 
there in the market are ALL broken by design. They are all based on a security 
architecture where it is assumed that data does not move. Well with the 
Internet data sure does move and that has real consequences.
 
Now part of the solution is going to be heavyweight usability engineering with 
intensive lab testing etc. But many of the products and systems I have been 
looking at have faults that I believe could and should have been detected in 
the early design phase.
 
 
Security cannot be effective when it is provided in the form of a DIY assembly 
required project. But that's what the field has been doing.
 


________________________________

From: Christian Huitema [mailto:huitema(_at_)windows(_dot_)microsoft(_dot_)com] 
Sent: Friday, February 15, 2008 2:27 PM
To: Hallam-Baker, Phillip; Spencer Dawkins; Iljitsch van Beijnum; 
michael(_dot_)dillon(_at_)bt(_dot_)com
Cc: ietf(_at_)ietf(_dot_)org
Subject: RE: IPv6 NAT?



I don't know for Linux, but the normal configuration of a print or file sharing 
service in a Windows home network would be to only listen on the local network, 
which makes it immune to "arrival from the network". The connection simply will 
not be established. Of course, the simple "single network" solution does not 
work in enterprises. There are multiple solutions available to limit access to 
enterprise services, for example "server and domain isolation" using IPSEC 
(http://technet.microsoft.com/en-us/network/bb545651.aspx). This is actually 
what Microsoft does use in its internal network.

 

There are multiple offers for "parental control" services, e.g. built in 
Windows Vista (http://blogs.msdn.com/uac/archive/2006/04/06/570560.aspx). 

 

Of course, if you are simply looking at incoming traffic load, then clearly 
routers can play a role by implementing a form of rate limiting.

 

From: ietf-bounces(_at_)ietf(_dot_)org 
[mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Hallam-Baker, Phillip
Sent: Friday, February 15, 2008 10:10 AM
To: Christian Huitema; Spencer Dawkins; Iljitsch van Beijnum; 
michael(_dot_)dillon(_at_)bt(_dot_)com
Cc: ietf(_at_)ietf(_dot_)org
Subject: RE: IPv6 NAT?

 

Ok you tell me in less than a page how someone can use just those tools to be 
sure that their network is going to be safe when a network worm comes in and 
clobbers the print server running Linux 6.2.

The problems are much harder than anyone knows to solve today.

How do I set an acl on my home server to be sure that the kids cannot watch 
unsuitable movies stored on it from their machines while being able to watch 
them myself?

Try it before you respond. And that is one of the better user interfaces.


Sent from my GoodLink Wireless Handheld (www.good.com)

 -----Original Message-----
From:   Christian Huitema 
[mailto:huitema(_at_)windows(_dot_)microsoft(_dot_)com]
Sent:   Friday, February 15, 2008 09:37 AM Pacific Standard Time
To:     Hallam-Baker, Phillip; Spencer Dawkins; Iljitsch van Beijnum; 
michael(_dot_)dillon(_at_)bt(_dot_)com
Cc:     ietf(_at_)ietf(_dot_)org
Subject:        RE: IPv6 NAT?

You know of an O/S that is not vulnerable to malware attacks? Please let me 
know the name, I haven't encountered one professionally since I was using 
OpenGenera in '95 and that was only secure because we had a more or less 
complete list with the names of every person who had ever successfully managed 
to learn the beast.

Very few software products can be considered perfect. However, NAT and basic 
stateful firewalls only protect against a specific category of attacks, the 
arrival of unsolicited connection requests through the network. Most mainline 
operating systems have built-in protection against such attacks. Windows XP-SP2 
and Windows Vista certainly do. They come with a built in firewall that will, 
by default, prevent incoming traffic on all ports. I understand that recent 
Linux distributions and recent versions of OS/X have similar protections.

Attacking ports by sending random packets is very much a 2003 story. Modern 
malware typically works by exploiting users' naiveté, bugs in document parsers, 
or a combination of both. An example of user naiveté would be to ask users to 
download a special media player to look at frolicking bodies. An example of 
exploiting document parsers would be to lure users to visit a malevolent web 
site, and have them open a booby trapped image or movie.

The typical NAT or stateful firewall offers no protection against document 
parsing bugs. That is a good thing. If firewalls tried to do that, they would 
have to incorporate a large amount of document parsing code, and would most 
probably become a target for their own parsing bugs. Of course, no amount of 
electronics will protect against users intent on downloading a very special 
media player...

-- Christian Huitema





_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf