andrewducker (![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
andrewducker) wrote2005-03-22 08:00 pm
andrewducker) wrote2005-03-22 08:00 pm
Hax0r!
A study was released today which shows that 25% of all zombie drone PCs on the internet are based in the UK.
This is quite obviously because people _don't look after their PCs_ (and, of course, insist on using vulnerable Operating Systems). The answer, it seems to me, is to prevent these people from inadvertently spewing email to the four corners of the earth. The answer, it seems to me, is remarkably obvious.
Firewalls.
And not the firewalls you install on your PC, get in the way of things and are so much trouble that they frequently get turned off by frustrated users (although I recommend those too) - I mean a _managed_ firewall. This sits at the ISP end and blocks all incoming traffic that you haven't specifically asked for. So if you're confident that you want port 80 open, then you use a webform to open that port up - and if you're not technical to manage that much, then you're perfectly safe from incoming nastiness.
It's not a perfect solution, but it'd save an awful lot of heartache, solve the problems that vast numbers of people have with their PCs being insta-hacked and make the internet that much safer for mankind.
The only problem is that it would undoubtably break some people's applications when it was first switched on, which would mean that more helpdesk calls occurred. And nobody wants to pay for that, especially if their competitors aren't. Which means the only way to make it happen is through regulation - imposing a minimum level of service on broadband in the same way that we do for any other utility we want to make safe for the public good.
This is quite obviously because people _don't look after their PCs_ (and, of course, insist on using vulnerable Operating Systems). The answer, it seems to me, is to prevent these people from inadvertently spewing email to the four corners of the earth. The answer, it seems to me, is remarkably obvious.
Firewalls.
And not the firewalls you install on your PC, get in the way of things and are so much trouble that they frequently get turned off by frustrated users (although I recommend those too) - I mean a _managed_ firewall. This sits at the ISP end and blocks all incoming traffic that you haven't specifically asked for. So if you're confident that you want port 80 open, then you use a webform to open that port up - and if you're not technical to manage that much, then you're perfectly safe from incoming nastiness.
It's not a perfect solution, but it'd save an awful lot of heartache, solve the problems that vast numbers of people have with their PCs being insta-hacked and make the internet that much safer for mankind.
The only problem is that it would undoubtably break some people's applications when it was first switched on, which would mean that more helpdesk calls occurred. And nobody wants to pay for that, especially if their competitors aren't. Which means the only way to make it happen is through regulation - imposing a minimum level of service on broadband in the same way that we do for any other utility we want to make safe for the public good.
no subject
I'm unsure as to whether you or Andy actually understand the scale of the problem. You're looking at on-demand reconfiguration of firewall rules on a per-user-basis and most likely assigning dynamic IPs to connections at the same time... When you start to get to the many-thousands of users with varying usage patterns, it becomes a very complex problem indeed.
You really do need hardware that's been designed for the task, and something like an array of Cisco PIX boxen is your most likely candidate. They're superb edge network filters - very fast, and very responsive - and a pig to configure.
The only approach that looks like it would come anywhere near helping would be to tie something into the authorisation process. This means you're going to need to deploy security profiles on an issued IP-basis, which means you're going to need to hack radius significantly in order to do this.
I've done it to deploy specific IP address filtering in Ascend Max arrays, but there were significant problems which meant that once we were over 10,000 users the whole thing became unresponsive, and blew the auth-servers off the net. I ended up having to withdraw the child filtering service, and had to move trial accounts to a dedicated set of Maxes.
Like I said, it's a lovely idea. But no ISP in the country has the time or the resources to deploy it. And that's not getting into the really hairy legal situation that puts them into...
no subject
no subject
And then there are the court-cases that ensue when l33t haX0r5 manage to get around the firewalls and drop malware on PCs that the owners thought were being protected by their ISPs.
Best effort is by far the safest recourse here!
no subject
Now, responsibility for when someone breaks the system - that I can understand. But no more than they already have responsibility for the email on their servers, or the webspace they host...
no subject
This is true -- I'm used to firewalling a small handful of private subnets, and two or three Internet connections. It doesn't scale briliantly if, as you say, you're using a PC architecture.
I don't know enough about kernel internals to know if it'll scale well on some massively parallel supercomputer with myriads of network interfaces.
PIX are awful to configure, it's true. And very easy to misconfigure, which is worse.