On Dec 2, 2013, at 18:05, Ricky Beam <jfb...@gmail.com> wrote:

> On Mon, 02 Dec 2013 20:18:08 -0500, Owen DeLong <o...@delong.com> wrote:
>> You don't, but it's easy enough for Windows to do discovery and/or
>> negotiation for firewall holes with multicast and avoid making
> ...
>
> Actually, your process still makes a very dangerous assumption... you have to
> assume the address passed via multicast is, in fact, a local address. Since
> it is necessarily outside your prefix, you have to either make assumptions
> about what is "close" to your prefix -- assumes the site is contiguous, or
> trust any address passed to you. Hackers will have fun screwing up your
> firewall rules and potentially breaking into your servers. (if you're foolish
> enough to not have any other layers in your network, which is likely with
> home networks.)
>

Not really... First of all, domain or other Windows authentication could be
used to validate the request. Second, if it's site-scope multicast, unless both
your ISP _AND_ your own router are doing something wrong, it shouldn't get
forwarded into your site from outside.

>> ... They can't get away with flat out saying no...
>
> Says who? TWC has been saying "no" for years. (unless I'm mistaken, "always".)

No, they've said "get a business connection." Close to "no", but not identical.

Owen
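The two defensive checks the exchange above turns on (is the request authenticated, did it arrive on a site-scope multicast group, and is the address it asks to open actually inside the site's own prefix rather than merely "close" to it) can be made concrete. The following is an added example, not code from either poster or from any Windows component; the group, requested address and site prefix are constructed (RFC 3849 documentation range), and the `authenticated` flag stands in for whatever domain or other authentication the receiver actually performs.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example: validate a "please open a firewall hole for address X"
# request that arrived over IPv6 multicast before acting on it.
#
# Check 1: the multicast group must be site-local scope. In an IPv6
#          multicast address ff0S::/16 the scope S is the low nibble of
#          the second byte; site-local is 0x5 (RFC 4291).
# Check 2: the address to open must lie inside a prefix the site owns,
#          configured explicitly, instead of trusting whatever was sent.

SITE_LOCAL_SCOPE = 0x5

# Constructed site prefix (hypothetical; in practice loaded from config).
SITE_PREFIXES: List[ipaddress.IPv6Network] = [
    ipaddress.IPv6Network("2001:db8:1::/48"),
]


def multicast_scope(group: str) -> Optional[int]:
    """Return the 4-bit scope of an IPv6 multicast address, or None if the
    string is not a multicast address (or not a valid IPv6 address)."""
    try:
        addr = ipaddress.IPv6Address(group)
    except ValueError:
        return None
    if not addr.is_multicast:
        return None
    return addr.packed[1] & 0x0F


def is_site_address(addr: str, prefixes: List[ipaddress.IPv6Network] = SITE_PREFIXES) -> bool:
    """True only if addr falls inside one of the configured site prefixes."""
    try:
        host = ipaddress.IPv6Address(addr)
    except ValueError:
        return False
    return any(host in p for p in prefixes)


def validate_hole_request(
    group: str,
    requested: str,
    authenticated: bool,
    prefixes: List[ipaddress.IPv6Network] = SITE_PREFIXES,
) -> Tuple[bool, str]:
    """Decide whether a firewall-hole request should be honoured.

    group:         multicast destination the request was received on
    requested:     address the sender asks to be allowed through
    authenticated: result of the out-of-band authentication step
    Returns (accepted, reason).
    """
    if not authenticated:
        return False, "request not authenticated"
    scope = multicast_scope(group)
    if scope is None:
        return False, f"{group} is not an IPv6 multicast group"
    if scope != SITE_LOCAL_SCOPE:
        return False, f"multicast scope {scope:#x} is not site-local (0x5)"
    if not is_site_address(requested, prefixes):
        return False, f"{requested} is outside the site's configured prefixes"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    for g, r, auth in [
        ("ff05::1:3", "2001:db8:1:2::10", True),   # site scope, in-site address
        ("ff0e::1:3", "2001:db8:1:2::10", True),   # global scope: refuse
        ("ff05::1:3", "2001:db8:2::10", True),     # "close" but outside /48: refuse
        ("ff05::1:3", "2001:db8:1:2::10", False),  # unauthenticated: refuse
    ]:
        print(g, r, auth, "->", validate_hole_request(g, r, auth))
```

The prefix list is the receiver's own view of what "inside the site" means; a request that merely names an address adjacent to the host's /64 is rejected unless that range was deliberately configured, which is the assumption the quoted objection says must not be left implicit.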