Can We Save the Internet By Banning Windows?

After last week's near-collapse of social networks such as Twitter under a Windows-based botnet DDoS attack, I made a modest proposal: Throw Windows off the Internet. Here's how we can do it or, at the very least, force Windows users to maintain basic security standards.

Is the problem really so bad that ISPs (Internet Service Providers) must start encouraging users to abandon Windows or enforce Windows security? I think so.

Think about it. Besides last week's attack, in early July many South Korean and American government and business sites were knocked out. In May, it was Google's turn to be battered. Massive attacks that knock out part of the Internet are becoming commonplace. Since Windows-based botnets are what's strangling the Internet, I don't see that we have any choice but to start, at the least, regulating the use of Windows.

Ideally, everyone would just switch to a desktop Linux or a Mac. Yeah, like that's going to happen.

It can't hurt for Web site developers to start warning users that they're using an unsafe operating system and suggest alternatives. Many Web sites are already doing this kind of thing in an attempt to rid the Web of Internet Explorer 6 users once and for all. But realistically, most people won't change their bad habits unless they're forced to.

But there are ways we can start forcing Windows users to either switch to a more secure system or start using basic security on their Windows systems: NAC (network access control) devices and programs.

The name says it all. These programs control whether a PC, or any other device, is given access to the network. Before a computer is allowed to connect to the Internet, it has to comply with certain minimum standards, or it's locked out of the Internet.

So, what I'm proposing is that NAC software be used to block Windows systems unless they have up-to-date patches and minimal security settings. Since I can't imagine people will put up with their ISP force-feeding them patches or modifying their security settings, I propose that NAC be used to block any Windows PC that doesn't make the grade and give the user a choice: let the ISP automatically set up their patches and security, or upgrade their systems themselves.

NAC systems usually do this in one of two ways. In the first, a software agent is placed on each PC to report on its security status. The other approach is to scan a PC every time it connects to the net to make sure it's safe to allow it on the Internet.

If a PC fails, it can then be quarantined from the Internet. There are many ways to do that. For example, you can lock unsafe Windows users in a VLAN (virtual LAN) jail without access to the greater Internet. Or, an ISP can use address management protocols like IPv4 (Internet Protocol Version 4) ARP (Address Resolution Protocol) or IPv6 NDP (Neighbor Discovery Protocol) to keep the PC from accessing the Internet.

In any case, once locked up, the user can either stay stuck in their network jail, agree to let the ISP update their PCs for them using patch management software, or be directed to a Web page that will tell them what they need to do before they'll be allowed on the Internet.
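The check, quarantine, and way-out steps described above can be sketched as a small policy function. This is an added example, not code from the article or from any NAC product; the 30-day patch threshold, the firewall and antivirus checks, the VLAN numbers, the remediation URL, and the report fields are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values for illustration; none of them come from the article.
MAX_PATCH_AGE_DAYS = 30
VLAN_INTERNET, VLAN_QUARANTINE = 10, 99
REMEDIATION_URL = "http://remediation.isp.example/"  # placeholder address

@dataclass
class PostureReport:
    """Status sent by the on-PC agent or gathered by a connect-time scan."""
    mac: str
    last_patch: Optional[date]      # None: the agent or scan could not tell
    firewall_on: bool
    antivirus_current: bool
    allows_isp_patching: bool = False

def failures(r: PostureReport, today: date) -> list:
    """List every minimum standard the PC misses; an empty list means compliant."""
    problems = []
    if r.last_patch is None:
        problems.append("patch level unknown")      # fail closed
    elif (today - r.last_patch).days > MAX_PATCH_AGE_DAYS:
        problems.append("patches out of date")
    if not r.firewall_on:
        problems.append("firewall disabled")
    if not r.antivirus_current:
        problems.append("antivirus out of date")
    return problems

def decide(r: PostureReport, today: date) -> dict:
    """Map a report to a VLAN and, for a quarantined PC, the way out of the jail."""
    problems = failures(r, today)
    if not problems:
        return {"mac": r.mac, "vlan": VLAN_INTERNET, "action": "allow", "problems": []}
    action = "isp_patch" if r.allows_isp_patching else "redirect:" + REMEDIATION_URL
    return {"mac": r.mac, "vlan": VLAN_QUARANTINE, "action": action, "problems": problems}

# Constructed sample reports, not real data.
TODAY = date(2009, 8, 14)
SAMPLES = [
    PostureReport("00:00:5e:00:53:01", date(2009, 8, 1), True, True),
    PostureReport("00:00:5e:00:53:02", date(2009, 5, 1), False, True, allows_isp_patching=True),
    PostureReport("00:00:5e:00:53:03", None, True, True),
]

if __name__ == "__main__":
    for report in SAMPLES:
        print(decide(report, TODAY))
```

A PC whose patch level cannot be determined is quarantined rather than allowed, so a missing or silent agent does not become a way around the check.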

Sound impossible? I don't know why. It's done every day on responsible corporate and educational WANs (Wide Area Networks). On these networks of thousands to tens of thousands of devices, equipment like Cisco's NAC Appliance, NetClarity's NACwall, and Nortel's Secure Network Access keeps insecure Windows systems off the net.

You don't have to use a device. There are also plenty of NAC programs around. Some of these programs, like FreeNAC, NetPass, and PacketFence, are open source.

One way or the other, though, we're going to have to use NAC to block the one-million-plus Windows botnet PCs from accessing the Internet. It was one thing when all Windows botnets did was dump spam in our mailboxes or steal individual Windows users' financial information. Now, Windows' insecurity is ruining the Internet for all of us. This has to stop.
