|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: botnets: web servers, end-systems and Vint Cerf
> I've concluded three things (by doing experiements like > that). (a) Where > there are Windows boxes, there are zombies. "Securing > Microsoft operating > systems adequately for use on the Internet" is not a solved problem in > computing. I disagree. Since 1994 I have been in the habit of setting up MS Windows boxes with Win98 and up, by installing from CD, connecting to the net and installing various patches and updates from the Windows Update service. I've never had a virus infection, a bot, a root kit or whatever. The secret is simple. These machines never connected directly to the Internet but went through a NAT box. Way back when it was a FreeBSD machine running TIS Firewalls Toolkit. These days it is an off-the-shelf Ethernet switch with DSL modem and NAT built-in. Therefore, I assert that securing systems adequately for use on the Internet is indeed a SOLVED PROBLEM in computing. However, it isn't yet solved in a social or business sense. On the business side, I wonder why PC's don't come with a built-in firewall/NAT device. It is cheap enough to do these days. This means that a computer would have no Ethernet ports on it. Instead, an internal Ethernet port would be directly connected to a NAT/firewall device on the same circuit board (or via PCI/PCMCIA/etc.). The external Ethernet port would belong to the firewall/NAT device. On the social side, people don't realize that such a solution is possible and therefore they aren't demanding computer vendors to build it in. The box vendors only build what the OS vendors want and the OS vendors are not interested in a piece of hardware that runs its own OS, most likely FreeBSD or Linux. In the UK, companies who sell TV services (cable and satellite) give there customers a box to connect with. Why can't ISPs also sell their services with a proper box included? By proper, I mean a NAT/firewall, not a USB-connected DSL modem. > (c) Amusingly, it's possible > to detect new end-user allocations and service rollouts by noting when > spam starts to arrive from them. (e.g. the Verizon FIOS > deployment, if I > may use hostnames of the form *.fios.verizon.net as a guide, is going > well in NYC, Dallas, DC, Tampa, Philly, LA, Boston and > Newark, but lags > behind in Seattle, Pittsburgh, Buffalo and Syracuse.) I wonder if Verizon is violating any SEC rules by not reporting this information publicly? This is a good example of something that would not be revealed if they provided a NAT/firewall box to every customer who didn't already have one. Has anyone implemented a tool that ISPs could use to detect whether or not a NAT/firewall device is present? Perhaps based on OS fingerprinting? Or even based on an agent that must be installed by the customer? If such tools are available then an ISP could offer customers a discount for being compliant with a NAT/firewall rule in their contract. --Michael Dillon
|