North American Network Operators Group


Re: Block all servers?

  • From: Adam Selene
  • Date: Sat Oct 11 11:25:14 2003

> Unfortunately there are enough protocols and applications
> which don't work well behind a NAT that deploying this on
> a large scale is not practical. 

It already is deployed upon a large scale. When I had @Home
in Seattle (one of the first subscribers), I had a 10.x address.
Here in Costa Rica, broadband (cable modem) connections for
the entire country are behind NAT.

> Also what about folks who need to VPN in to their office
> (either via PPTP or IPSEC)?  How would you take care of that
> situation?

I use IPSEC and it works fine behind NAT.

> Unfortunately something like this would make the PC close to
> useless which is not the intent of the software provider.  Thus
> you see everything open, security be damned.

No. You default open the common and popular internet ports for
outbound, and 90% of users never use anything else.

>> As for plug-in "workgroup" networking (the main reason why
>> everything is open by default), when you create a Workgroup,
>> it should require a key for that workgroup and enable shared-key
>> IPSEC.
>
> And joe user will understand this because.....

That's the point, he doesn't have to. A "workgroup" becomes a
name + a key/passphrase instead of just a name. What that
accomplishes is completely hidden.

    Adam