Re: [Full-Disclosure] Microsoft urging users to buy Harware Firewalls
From: Thilo Schulz (arny_at_ats.s.bawue.de)
To: firstname.lastname@example.org Date: Thu, 14 Aug 2003 04:00:03 +0200
-----BEGIN PGP SIGNED MESSAGE-----
On Thursday 14 August 2003 02:04, Richard M. Smith wrote:
> I agree with Microsoft's recommendation for a hardware firewall on all
> home PCs. A Linksys NAT router box is selling for only $40 at Amazon as
> we speak. Besides protecting against the MSBlaster worm, a hardware
> firewall blocks those annoying Windows pop-up spam messages which have
> become so common lately. A hardware firewall also protects a shared
> Windows directory from being accessed from the Internet. My only
> question is why aren't NAT routers built into all cable and DSL modems.
This is ridiculous. Before long, you get millions of windows private users
complaining, why netmeeting, or their nice game server is not accessible
anymore. Nice - of course you also disabled the potentially "evil" services
now. Then the user finds about port forwarding, and as soon as the user has
done this, the computer is suddenly vulnerable again to flaws in the service
that is being provided to the outside! who would have thought that?
Also - the principle of masquerading is, that inbound connection attempts land
at the router and cannot get to the computers in the local network. By
default the router approves all connections from the inside to the outside.
To be honest, I have preferred this solution in my home LAN, I would not want
anything else to be set up.
Trojans/worms that connect from inside the lan to a control channel in IRC or
something like that are not hindered at all by the router/hardware
- From the point of the user - one has bought some new hardware router and now
has trouble with configuring the firewall (to make it possible for onself to
host games or something like that), or doing all the portforwarding stuff -
all of it requiring time. Furthermore, I have seen many routers enough, that
were unable to do some decent connection tracking, especially for UDP based
games .. if the user has not put that hardware he bought into the trash can
yet, he has some basic security. With port 135 and 139 and all the like
closed and secure.
What is wrong with this picture?
How about not opening these ports in question _AT_ALL_ on the private home
I mean - what the hell has a oversized bloated super server behind the port
windows opens by default got to look for on a home computer? The popup spam
is only a minor example ... I simply ask _why_ open the ports to the internet
at all? I can understand if this is needed for file shares, etc... but why
not leave the configuration of these matters in the hands of the users and
only start to listen on these ports if the user explicitly tells windows to
If a user *really* wants these services be available to the world wide web and
has a hardware firewall, he will do port forwarding, and we'd be back again
where we started.
If Microsoft's general concept of "secure by default" installations is not
going to change radically, we will face a vulnerability soon enough again.
Remote DoS against FileSharing
I think history speaks for itself. I want to annotate, that I am not happy
either regarding the policy of many Linux distributions.
But that microsoft expects home users to buy additional hardware to make up
for microsoft's own faults is an outrage.
- Thilo Schulz
My public GnuPG key is available at http://home.bawue.de/~arny/public_key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.