[fw-wiz] Home user problem

From: PG (pgs_at_defensor.se)
Date: 09/14/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 14 Sep 2005 14:06:40 +0200

    As a former citizen of northern Sweden, known to be
    pessimistic by nature, I find Marcus' scepticism healthy.
    The home user thread has been entertaining to read but
    really does not cover any new ground. The ISP situation
    is one doomed to fail no matter which way you turn. The
    problem lies elsewhere in my opinion.

    First, the legal aspect. From my perspective, the ISP
    entity needs to be better defined from a legal standpoint.
    Certain things you SHOULD or MUST do. I have not
    considered all aspects of this but would suggest for
    example that egress filtering to increase traceability be
    one mandatory point. I.e. there should be clear rules as
    to what is and is not within the ISP's responsibilities and
    the end users' rights.

    Second, user education. I used to believe in this. After
    teaching network security to everything from sysadmins to
    board of directors I have reached the same conclusion as
    Marcus. It will, at best, allow us to take another breath
    or two before drowning but will not solve the problem, nor
    even make much of a dent in it.

    This brings us to the core of the problem, if we are not
    supposed to educate the users then we must make sure they
    cannot do harm. Think for a minute on what default deny
    means when it comes to a firewall. This is where we want
    our users to be. As long as we are running on fundamentally
    broken equipment and protocols, this is nearly impossible.
    The decisions that we suffer from today were taken decades

    The analogies for cars and guns and so on all have some
    merit. However, I find it flawed when compared to the user
    problem from the point of view that the user does in
    general not intend to cause harm. It is a byproduct of
    their ineptitude of using the net. Now, if you look at
    a modern car, you do not need to be a technical person to
    drive it, in fact you are in every way discouraged from
    doing anything to the car at all. If the car thinks it
    needs service, it will tell you so and without very specific
    knowledge and the right tools, you cannot do anything on
    your own. Now, this is where the computer and Internet
    needs to be. The OS of today is basically a car where you
    are sitting with the engine in the front seat, the brake
    fluid running in open conduits and so on. Make one wrong
    or uninformed move and it breaks. This is to various
    degrees true for every OS out there, be it the latest bloat
    from Microsoft or any default installed Linux client.

    In addition, most of the protocols used today are inherently
    flawed and Marcus' idea of a Y2K scrap of it all would have
    been lovely. We are currently throwing good money after bad
    in an effort to postpone the inevitable by buying security
    appliance XYZ to protect ourselves. I fear that we will end
    up with several commercial internets in the future where the
    structure is sound but the "freedom" gone.

    Just to try a constructive thought, this is a loose idea of
    how I would tackle the home user problem if ever working at
    an ISP.

    As for the ISP filtering certain ports. Again, default deny.
    Enumerating a certain number of ports and blocking these leaves
    you trailing after the bad stuff. The default connection a
    user gets on day one of subscription SHOULD block all incoming
    ports. Now, before every user leaves this imaginary ISP of mine,
    make it configurable by the user him-/herself. The thing you
    now regulate is the level of the user's access to the
    configuration. If they open up everything and get infected,
    they get a warning. If they do it again, they get everything
    closed and lose the right to configure it. This leaves it up
    to the individual user on the risks to take BUT they are by
    default protected. At least in the sense of protected we can
    achieve with easy access restrictions. This coupled with good
    documents and tutorials for the use and penalties of the system
    could make a good carrot-on-a-stick.

    It all comes down to choosing what evil you want to live with.

    -- PG

    Pål Göran Stensson, Security Consultant, CTO
    E-mail: pgs@defensor.se
    Mobile: +46 (0) 708 - 92 80 93
    Defensor Sweden AB
    -- Computers have enabled people to make more mistakes faster than
    almost any invention in history, with the possible exception of
    tequila and hand guns. /Mitch Ratcliffe --
    firewall-wizards mailing list
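The per-subscriber scheme sketched in the post (default-deny inbound that the user may loosen, egress filtering on the customer link for traceability, and a warning followed by lockdown after repeated infection) modelled as a small policy engine. This is an added example, not code from the post or from any ISP; the state names, the one-warning threshold, the packet representation and the reading of "egress filtering" as source-address validation (only sources inside the customer's assigned prefix may leave the link) are assumptions made here.

```python
"""Per-subscriber ISP policy modelled on the post's sketch (added example).

The tiers, the single-warning threshold and the source-address check are
assumptions; nothing here is a real ISP's configuration."""
from dataclasses import dataclass, field
from enum import Enum
import ipaddress


class Tier(Enum):
    DEFAULT = "default"  # day one: all inbound blocked, user may open ports
    WARNED = "warned"    # infected once: warning issued, still configurable
    LOCKED = "locked"    # infected again: inbound closed, config right revoked


@dataclass
class Subscriber:
    prefix: ipaddress.IPv4Network                  # addresses assigned to this link
    tier: Tier = Tier.DEFAULT
    open_ports: set = field(default_factory=set)   # inbound ports the user opened

    def open_port(self, port: int) -> None:
        """User-driven loosening of the default-deny inbound policy."""
        if self.tier is Tier.LOCKED:
            raise PermissionError("configuration right revoked after repeated infection")
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port {port}")
        self.open_ports.add(port)

    def report_infection(self) -> str:
        """Escalation from the post: first infection -> warning,
        second -> everything closed and the user loses the right to configure."""
        if self.tier is Tier.DEFAULT:
            self.tier = Tier.WARNED
            return "warning"
        self.tier = Tier.LOCKED
        self.open_ports.clear()
        return "locked"


def new_subscriber(cidr: str) -> Subscriber:
    """Provision a subscriber with the day-one policy (nothing open)."""
    return Subscriber(ipaddress.ip_network(cidr))


def filter_packet(sub: Subscriber, direction: str, src: str, dst: str, dport: int) -> str:
    """Return 'accept' or 'drop' for one packet on the subscriber's link.

    inbound:  default deny; only ports the user opened, and only while not locked
    outbound: source-address validation, so forged source addresses cannot leave
              the link (the traceability egress filter; assumed reading of the post)
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if dst_ip not in sub.prefix:
            return "drop"          # not addressed to this customer at all
        if sub.tier is Tier.LOCKED or dport not in sub.open_ports:
            return "drop"
        return "accept"
    if direction == "out":
        return "accept" if src_ip in sub.prefix else "drop"
    raise ValueError(f"unknown direction {direction!r}")


def demo() -> list:
    """Walk one subscriber through the lifecycle on constructed packets
    (addresses are documentation ranges, constructed for the example)."""
    sub = new_subscriber("198.51.100.16/29")
    trace = []
    # day one: inbound SSH to the customer is dropped without any configuration
    trace.append(filter_packet(sub, "in", "203.0.113.9", "198.51.100.18", 22))   # drop
    sub.open_port(22)
    trace.append(filter_packet(sub, "in", "203.0.113.9", "198.51.100.18", 22))   # accept
    # a compromised host forging an outside source address is stopped at the link
    trace.append(filter_packet(sub, "out", "203.0.113.77", "192.0.2.1", 53))     # drop
    trace.append(filter_packet(sub, "out", "198.51.100.18", "192.0.2.1", 53))    # accept
    trace.append(sub.report_infection())   # warning
    trace.append(sub.report_infection())   # locked
    # after lockdown the port the user opened is closed again
    trace.append(filter_packet(sub, "in", "203.0.113.9", "198.51.100.18", 22))   # drop
    return trace


if __name__ == "__main__":
    print(demo())
```

The point the post makes is visible in `demo()`: a fresh subscriber is protected before touching anything, the only decision left to the user is how far to loosen inbound, and the egress check is independent of that choice, so an infected machine behind an open port still cannot send traffic with a forged source.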

  • Next message: StefanDorn_at_bankcib.com: "RE: [fw-wiz] The home user problem returns"
