Hax0r!

Mar. 22nd, 2005 08:00 pm
[personal profile] andrewducker
A study was released today which shows that 25% of all zombie drone PCs on the internet are based in the UK.

This is quite obviously because people _don't look after their PCs_ (and, of course, insist on using vulnerable Operating Systems).  The fix is to stop these people inadvertently spewing email to the four corners of the earth, and the way to do that seems to me remarkably obvious.

Firewalls.

And not the firewalls you install on your PC, which get in the way of things and are so much trouble that they frequently get turned off by frustrated users (although I recommend those too) - I mean a _managed_ firewall.  This sits at the ISP end and blocks all incoming traffic that you haven't specifically asked for.  So if you're confident that you want port 80 open, then you use a webform to open that port up - and if you're not technical enough to manage even that much, then you're perfectly safe from incoming nastiness.

It's not a perfect solution, but it'd save an awful lot of heartache, solve the problems that vast numbers of people have with their PCs being insta-hacked and make the internet that much safer for mankind.

The only problem is that it would undoubtedly break some people's applications when it was first switched on, which would mean more helpdesk calls.  And nobody wants to pay for that, especially if their competitors aren't.  Which means the only way to make it happen is through regulation - imposing a minimum level of service on broadband in the same way that we do for any other utility we want to make safe for the public good.

Date: 2005-03-22 09:32 pm (UTC)
From: [identity profile] sbisson.livejournal.com
I have to disagree. Or rather, I agree that it would be nice, but from bitter experience I can only say: dream on...

Having actually run an ISP, I just can't see it happening. The resources that ISPs have are limited, and firewall management tools too broken/complex (have you ever tried managing a whole collection of PIXes, let alone several Nokias?). Now, if the firewall manufacturers actually produced tools that worked, and could be easily scripted, then your idea might fly.

Until then, I just tell people to buy Zyxel DSL routers and to run them in SUA mode with the base firewall rule set active.

Date: 2005-03-22 10:50 pm (UTC)
From: [identity profile] dougs.livejournal.com
> ...if the firewall manufacturers actually produced tools that worked, and could be easily scripted...

Linux and netfilter/iptables? Runs on a knackered old 386 or a brand-new supercomputer, and takes 20 minutes to install and less to configure.

Date: 2005-03-22 11:48 pm (UTC)
From: [identity profile] dougs.livejournal.com
It can -- but see Simon below, and my reply to him.

Date: 2005-03-22 11:04 pm (UTC)
From: [identity profile] sbisson.livejournal.com
Not really suitable - and certainly unlikely to scale to handling the number of connections required. It's not Linux or even iptables that's the problem here - it's the PC architecture...

I'm unsure as to whether you or Andy actually understand the scale of the problem. You're looking at on-demand reconfiguration of firewall rules on a per-user-basis and most likely assigning dynamic IPs to connections at the same time... When you start to get to the many-thousands of users with varying usage patterns, it becomes a very complex problem indeed.

You really do need hardware that's been designed for the task, and something like an array of Cisco PIX boxen is your most likely candidate. They're superb edge network filters - very fast, and very responsive - and a pig to configure.

The only approach that looks like it would come anywhere near helping would be to tie something into the authorisation process. This means you're going to need to deploy security profiles on an issued IP-basis, which means you're going to need to hack radius significantly in order to do this.

I've done it to deploy specific IP address filtering in Ascend Max arrays, but there were significant problems which meant that once we were over 10,000 users the whole thing became unresponsive, and blew the auth-servers off the net. I ended up having to withdraw the child filtering service, and had to move trial accounts to a dedicated set of Maxes.

Like I said, it's a lovely idea. But no ISP in the country has the time or the resources to deploy it. And that's not getting into the really hairy legal situation that puts them into...

Date: 2005-03-22 11:26 pm (UTC)
From: [identity profile] green-amber.livejournal.com
I really truly wish I understood all this..

Date: 2005-03-22 11:29 pm (UTC)
From: [identity profile] sbisson.livejournal.com
It's alright, you understand the last bit - where they suddenly become responsible for every packet that passes through their networks...

And then there are the court-cases that ensue when l33t haX0r5 manage to get around the firewalls and drop malware on PCs that the owners thought were being protected by their ISPs.

Best effort is by far the safest recourse here!

Date: 2005-03-22 11:52 pm (UTC)
From: [identity profile] dougs.livejournal.com
> ...actually understand the scale of the problem...

This is true -- I'm used to firewalling a small handful of private subnets, and two or three Internet connections. It doesn't scale brilliantly if, as you say, you're using a PC architecture.

I don't know enough about kernel internals to know if it'll scale well on some massively parallel supercomputer with myriads of network interfaces.

PIX are awful to configure, it's true. And very easy to misconfigure, which is worse.

Date: 2005-03-23 08:32 am (UTC)
From: [identity profile] poisonduk.livejournal.com
It'd never work! It's bad enough getting technical assistance from an ISP when you do know what you're talking about, and the ISPs would wipe their hands of giving technical advice - let's be honest, a lot of these drone PCs are probably people running Kazaa, because they think it's the only P2P software around.

You'll never educate people - it would just become a drain on the more proficient of us because our family and friends would constantly be asking us to be fortune tellers and answer firewall questions without actually being at the PC.

I agree regarding firewalls though, considering I'm currently running four simultaneously on one PC (no-one makes me a drone) - as you know it took me three nights to configure them all correctly to allow me to get P2P working; a lesser mortal would have given up on day 1, uninstalled and disabled them all whilst sitting happily thinking Windows Firewall would protect them from everything since Mr Gates is such a nice secure guy who would never produce inefficient or insecure software!

Date: 2005-03-24 06:17 pm (UTC)
From: [identity profile] albanach.livejournal.com
Most of the malware is designed to deliver spam. If ISPs would just stop outbound SMTP traffic other than authenticated stuff going through the ISP's mail server, that would solve a lot of it. There really is no reason for someone on a home internet account to need their own mail server.

Given some ISPs already do this, it's not a technical problem.
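As an added illustration of the two mechanisms this thread talks about (the post's ISP-side default-deny firewall with ports opened on request, and albanach's point about allowing outbound SMTP only via the ISP's own mail server), here is a small shell script that is not from the post or any of the commenters. It emits an iptables-restore fragment for one subscriber; the FORWARD-chain placement, the port validation and all IP addresses are assumptions made for the example, not anything an ISP in the thread described running.

```shell
#!/bin/sh
# Added example, not code from the post or its commenters. Emits iptables rules
# (iptables-restore syntax) for one subscriber behind an ISP-managed firewall:
#   1. default-deny inbound, with an opt-in list of TCP ports the subscriber
#      has asked to have opened (what the post's webform would collect);
#   2. outbound SMTP (tcp/25) permitted only to the ISP's own mail relay.
# The FORWARD-chain placement and all addresses are assumptions for illustration.

# valid_port <n>: true only for an integer in 1..65535. Anything coming from a
# webform must be checked before it is spliced into a rule.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_subscriber_rules <subscriber_ip> <isp_relay_ip> [tcp_port ...]
# Prints one rule per line; returns 1 (printing nothing) if any port is invalid.
gen_subscriber_rules() {
    sub_ip="$1"; relay_ip="$2"; shift 2
    for p in "$@"; do
        valid_port "$p" || return 1
    done
    # Replies to connections the subscriber initiated are always allowed;
    # this is what lets ordinary browsing keep working under default-deny.
    printf '%s\n' "-A FORWARD -d $sub_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Opt-in ports: new inbound connections only to what the subscriber asked for.
    for p in "$@"; do
        printf '%s\n' "-A FORWARD -d $sub_ip -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else inbound to this subscriber is dropped.
    printf '%s\n' "-A FORWARD -d $sub_ip -j DROP"
    # Egress SMTP: only to the ISP relay. A drone trying to deliver straight to
    # remote MX hosts gets a TCP reset instead of an open connection.
    printf '%s\n' "-A FORWARD -s $sub_ip -p tcp --dport 25 -d $relay_ip -j ACCEPT"
    printf '%s\n' "-A FORWARD -s $sub_ip -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
}

# gen_restore_file: wraps the rules in a *filter table so the output can be fed
# to `iptables-restore -n` (-n appends without flushing the existing chains).
gen_restore_file() {
    printf '*filter\n'
    gen_subscriber_rules "$@" || return 1
    printf 'COMMIT\n'
}

# Stand-alone usage with constructed sample values (documentation address
# ranges, not real hosts):  sh thisfile.sh 192.0.2.10 198.51.100.25 80 443
if [ "$#" -ge 2 ]; then
    gen_restore_file "$@"
fi
```

The per-subscriber rules are what sbisson's scaling objection is about: one ESTABLISHED rule, one DROP and a couple of opt-in lines per customer is trivial for a handful of subnets and a very different matter when regenerated on demand for tens of thousands of dynamically addressed users.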
