[fw-wiz] Home user problem
From: PG (pgs_at_defensor.se)
To: firstname.lastname@example.org Date: Wed, 14 Sep 2005 14:06:40 +0200
As a former citizen of northern Sweden, known to be
pessimistic by nature I find Marcus sceptisism healthy.
The home user thread has been entertaining to read but
really does not cover any new ground. The ISP situation
is one doomed to fail no matter which way you turn. The
problem lies elsewhere in my opinion.
First, the legal aspect. From my perspective, the ISP
entity needs to be better defined from a legal standpoint.
Certain things you SHOULD or MUST do. I have not
considered all aspects of this but would suggest for
example that egress filtering to increase traceability be
one mandatory point. I.e. there should be clear rules as
to what is and is not within ISPs responsibilities and
the end users rights.
Second, user education. I used to believe in this. After
teaching network security to everything from sysadmins to
board of directors I have reached the same conclusion as
Marcus. It will, at best, allow us to take another breath
or two before drowing but will not solve the problem, nor
even make much of a dent in it.
This brings us to the core of the problem, if we are not
supposed to educate the users then we must make sure they
cannot do harm. Think for a minute on what default deny
means when it comes to a firewall. This is where we want
our users to be. As long as we are running on fundamentally
broken equipment and protocols, this is nearly impossible.
The decision that we suffer from today, were taken decades
The analogies for cars and guns and so on all have some
merit. However, I find it flawed when compared to the user
problem from the point of view that the user does in
general not intend to cause harm. It is a byproduct of
their ineptitude of using the net. Now, if you look at
a modern car, you do not need to be a technical person to
drive it, in fact you are in every way discouraged from
doing anything to the car at all. If the car thinks it
needs service, it will tell you so and without very specific
knowledge and the right tools, you cannot do anything on
your own. Now, this is where the computer and Internet
needs to be. The OS of today is basically a car where you
are sitting with the engine in the front seat, the break
fluid running in open conduits and so on. Make one wrong
or uninformed move and it breaks. This is to various
degrees true for every OS out there, be it the latest bloat
from Microsoft or any default installed Linux client.
In addition, most of the protocols used today are inherently
flawed and Marcus idea of a Y2K scrap of it all would have
been lovely. We are currently throwing good money after bad
in an effort of postponing the inevitable by buying security
appliance XYZ to protect ourselves. I fear that we will end
up with several commercial internets in the future where the
structure is sound but the "freedom" gone.
Just to try a constructive thought, this is a loose idea of
how I would tackle the home user problem if ever working at
As for the ISP filtering certain ports. Again, default deny.
Enumerating a certain number of ports and block these leaves
you trailing after the bad stuff. The default connection a
user gets on day one of subscription SHOULD block all incoming
ports. Now, before every user leaves this imaginary ISP of mine,
make it configurable by the user him-/herself. The thing you
now regulate is the level of the users access to the
configuration. If they open up everything and get infected,
they get a warning. If they do it again, they get everything
closed and lose the right to configure it. This leaves it up
to the individual user on the risks to take BUT they are per
default protected. At least in the sense of protected we can
achieve with easy access restrictions. This coupled with good
documents and tutorials for the use and penalties of the system
could make a good carrot-on-a-stick.
It all comes down to choosing what evil you want to live with.
-- Pål Göran Stensson, Security Consultant, CTO E-mail: email@example.com Mobile: +46 (0) 708 - 92 80 93 Defensor Sweden AB http://www.defensor.se -- Computers have enabled people to make more mistakes faster than almost any invention in history, with the possible exception of tequila and hand guns. /Mitch Ratcliffe -- _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards