NetSec Letter #31, 26 November 2003
Personal Firewall Day

Fred Avolio, Avolio Consulting, Inc.,

"... I booted into Windows XP for the first time in 4 months today. Within about 2 minutes, I had been infected with Nachi."

This is how an "instant message" from a very clueful friend started. Yes, he was running antivirus software. But, since his Windows system had not been up for months, his antivirus software was not up to date. Why didn't he immediately update it before this happened? There wasn't time.

'Tis the Season to get infected

The Internet has never been a more dangerous place. I am hoping this is obvious. More people are connecting more computers that run more network services onto faster and "always on" connections. To be a target, all someone has to do is obtain a network address -- which he or she does when connecting.

Also, as Jeff Schiller, manager of MIT's network and Area Director for Security on the Internet Engineering Steering Group, once said, "The total amount of 'clue' on the Internet is constant." This means, of course, that as the number of users goes up, the overall cluefulness of the Internet goes down.

And, not to pick on Microsoft, but Microsoft Windows grows more feature-ful. More features with more connectivity lead to complexity, which necessarily leads to greater potential vulnerability, and so greater risk. (See some related comments on my weblog at Gates Promises.)

Finally, we have a problem similar to what my friend in the first paragraph encountered. New computers -- like one that has not been booted in months -- are vulnerable to last month's viruses and worms. As with my friend's computer, powering them on and then connecting to the Internet results in immediate infection.

What to do?

Most personal computers come with antivirus software already deployed. Most do not have "personal firewall" software. And that, plus a little education, is what is needed. Imagine personal computers coming up configured with strict firewall rules that allow no outside-initiated connections, and only limited outbound connections until the user applies security-related updates.
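To make the "default-deny until patched" posture concrete, here is a small stateful host-firewall simulation written for this column (it is not the newsletter's code or any vendor's product): inbound traffic is accepted only as a reply to a flow the host itself opened, and until updates are applied outbound is limited to a placeholder resolver and update server. All addresses, ports and packets are constructed sample values.

```python
"""Toy stateful host-firewall policy: no outside-initiated connections,
and only an allow-list of outbound destinations until updates are applied.
Added illustration; hosts and ports are constructed placeholders."""
from dataclasses import dataclass, field

UPDATE_HOSTS = {"203.0.113.10"}   # constructed update server (TEST-NET-3)
DNS_SERVERS = {"192.0.2.53"}      # constructed resolver (TEST-NET-1)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool        # True for a TCP SYN opening a new connection
    inbound: bool    # True if the packet arrived from the network


@dataclass
class HostFirewall:
    updates_applied: bool = False
    # Connection table of flows this host opened: (remote, proto, rport, lport)
    _flows: set = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        if p.inbound:
            # Accept only replies to flows we initiated; every outside-initiated
            # packet (new SYN or unsolicited datagram) is dropped, patched or not.
            if not p.syn and (p.src, p.proto, p.sport, p.dport) in self._flows:
                return "ACCEPT"
            return "DROP"
        if not self.updates_applied:
            # Bootstrap mode: only DNS and the update server are reachable.
            ok = (p.proto == "udp" and p.dport == 53 and p.dst in DNS_SERVERS) or \
                 (p.proto == "tcp" and p.dport in (80, 443) and p.dst in UPDATE_HOSTS)
            if not ok:
                return "DROP"
        self._flows.add((p.dst, p.proto, p.dport, p.sport))  # track our own flow
        return "ACCEPT"


def run_bootstrap_scenario() -> list:
    """Constructed first-boot timeline; returns the verdict for each packet."""
    fw = HostFirewall()
    out = [fw.decide(Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 139, True, True)),   # probe
           fw.decide(Packet("10.0.0.5", "198.51.100.20", "tcp", 50001, 80, True, False)),   # browsing
           fw.decide(Packet("10.0.0.5", "192.0.2.53", "udp", 50002, 53, False, False)),     # DNS
           fw.decide(Packet("192.0.2.53", "10.0.0.5", "udp", 53, 50002, False, True)),      # DNS reply
           fw.decide(Packet("10.0.0.5", "203.0.113.10", "tcp", 50003, 443, True, False)),   # updates
           fw.decide(Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 50003, False, True))]   # reply
    fw.updates_applied = True                                                               # patched
    out.append(fw.decide(Packet("10.0.0.5", "198.51.100.20", "tcp", 50004, 80, True, False)))
    out.append(fw.decide(Packet("198.51.100.7", "10.0.0.5", "tcp", 40001, 139, True, True)))
    return out
```

The unsolicited inbound probe is dropped both before and after patching; only the outbound allow-list relaxes once updates are applied.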

With this in mind, Paul Robertson of TruSecure Corporation calls for "Personal Firewall Day," a day for the computer and network security clueful to clue in the clueless (or less clueful). PFD will be January 15th, 2004. (See

Unfortunately, by January 15, all the gift computers will already be infected. Since people do connect personal-use computers to our enterprise networks, this is not just a concern for the home user, but should concern all of us.

So, buy the perfect holiday gift for family and friends: a personal firewall.

Promotions, Self and Otherwise

As I mentioned last month, friend and colleague Marcus J. Ranum's The Myth of Homeland Security "is engaging, unsettling, entertaining, and disturbing." See my review on Amazon (where you can buy it at, and at

I recently took part in an excellent security meeting -- a security forum held by The Institute for Applied Network Security. Please see my comments at The Institute for Applied Network Security, and their web site at

In response to last month's column, Joe Matuscak of Rohrer Corporation suggested this alternative:

One approach that we're experimenting with is to use rdesktop, a Linux client for the Windows terminal server RDP protocol, running on a stripped down Linux client. The desktop PC boots up Linux and starts the rdesktop program. The user sees a Windows login screen from the terminal server and off they go. The desktop ends up running Linux, and the Windows stuff is centralized on a smaller number of machines that (hopefully) can be managed better than a flock of Windows desktops. Obviously this is pretty much the same as using a dedicated Windows Terminal product (like Wyse, etc.), but it does allow recycling existing PC hardware.

I also got a response from Jon "maddog" Hall of Linux International:

I actually disagree with these statements. While it does take study to figure out what the proper Linux solution is, if there is one, if you wait for people who are "used to and comfortable with Windows" to move on their own, they will never move. And you will never save money.

On the other hand, these same people will move to the NEXTVERSION(R) of Microsoft just because it comes out, and the amount of training, mistakes made, and migration effort might be almost as much as a well-planned transition to Linux (or a thin client based on Linux).

While I told you that the "at home" desktop market was not ready for Linux, it was because there was no support strategy in place. As a business you can develop a support strategy for your employees, which includes training, tiers of support, etc.

There are people already that are using Linux on the desktop.... But it does take planning, and the problem is that while some people might be able to bumble through a transition from MS Version X.5 => MS Version X.0+1 they feel a little lost planning a transition from MS to Linux.

And, finally, Dave Piscitello ( "blogged" a reply that you can find by searching for "Enough with The Microsoft Factor" at