
nanog mailing list archives

RE: Microsoft to ship new versions with firewall enabled
From: "Matthew Watkins" <matt () idnet net uk>
Date: Thu, 14 Aug 2003 17:39:10 +0100


Apple have the right idea... I'd say all the vendors need to take a
carefully balanced approach to security in the default configurations of
their software. Leave services exposed to the network disabled by default,
where possible.

By all means, configure firewalls by default to block all non-established
incoming connections to low port numbers, but for heaven's sake don't also
block access to those ports from the local subnet as well.

How would your users cope if all their shared printers and file servers
suddenly became inaccessible because NetBIOS was universally blocked by new
operating system "security features"? I'd hazard a guess that after they've
called their ISP support team a couple of hundred times, they'll just switch
the firewall off...

Your firewall rules should automatically open ports when services are
explicitly enabled, and should be able to cope with laptops roaming between
home and office where the local subnet addresses may change. If the firewall
doesn't detect this, then you're going to cause a whole new world of support
problems.

- Matt
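
The default policy described in the message above, modelled as an added example that is not part of the original post or any vendor's firewall code. The class and function names are hypothetical, the addresses are constructed, and two points the post leaves open are assumptions: "low port numbers" is taken to mean ports up to 1023, and ports above that are left unfiltered.

```python
import ipaddress

LOW_PORT_MAX = 1023  # assumption: "low port numbers" means the privileged range


class HostFirewall:
    """Toy model of the default inbound policy from the post (hypothetical names)."""

    def __init__(self, interface_cidr):
        self.enabled_ports = set()
        self.set_interface(interface_cidr)

    def set_interface(self, interface_cidr):
        # Called whenever the host gets a new address (laptop moves from home
        # to office): the local subnet is re-derived, never hard-coded.
        self.local_net = ipaddress.ip_interface(interface_cidr).network

    def enable_service(self, port):
        # Explicitly enabling a service opens its port automatically.
        self.enabled_ports.add(port)

    def decide(self, src_ip, dst_port, established=False):
        """Return (verdict, reason) for one inbound packet."""
        if established:
            return ("allow", "established connection")
        if dst_port in self.enabled_ports:
            return ("allow", "service explicitly enabled")
        if dst_port > LOW_PORT_MAX:
            return ("allow", "high port")  # assumption: post only covers low ports
        if ipaddress.ip_address(src_ip) in self.local_net:
            return ("allow", "source is on the current local subnet")
        return ("block", "new connection to low port from off-subnet")


def demo():
    fw = HostFirewall("192.168.1.23/24")            # constructed home address
    results = [fw.decide("192.168.1.50", 139),      # NetBIOS from a local peer
               fw.decide("203.0.113.9", 139)]       # same port, remote source
    fw.set_interface("10.20.30.40/16")              # constructed office address
    results += [fw.decide("192.168.1.50", 139),     # old home subnet no longer local
                fw.decide("10.20.99.7", 139)]       # office peer is now local
    fw.enable_service(80)
    results.append(fw.decide("203.0.113.9", 80))    # enabled service is reachable
    return [verdict for verdict, _ in results]


if __name__ == "__main__":
    print(demo())
```
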

