[Dshield] Possible solution for ISP (was DShield's public goals)
hakon at alstadheim.priv.no
Wed Jan 11 23:16:53 GMT 2006
Jon R. Kibler wrote:
>I couldn't agree more. The biggest issue we face is the security ignorant user. They will be completely happy with an "Equivalent to NAT" account. Right there, that would probably remove 80% or more of the vulnerable systems from the target space. Having 80% less compromised computers would be a VERY good thing!
I think my ISP actually has a good solution here. They ship ADSL routers
where the default setup is using NAT, no DMZ, no port-forwarding. One
easy call or email to support will get you instructions on how to switch
to bridge mode on the box. This makes the average home-user invisible
to the outside, while saving the ISP on cpu-time. They could do the same
for outgoing port 25 also with an easy opt-out and I would not complain.