ietf

Re: Time to move beyond the 32 bit Internet.

2014-07-03 03:51:34
On 07/01/2014 04:19 PM, Christian Huitema wrote:
> I should have included one more aspect in the third set. That is 
> traffic disallowed by policy. Current top-of-mind in security 
> circles includes NTP attacks - someone sends a message with a 
> spoofed source address to an NTP server, which now sends something
> to that address every mumble time units...

Presumably, your firewall could have some kind of source address
verification that takes care of such spoofing.

> As for "diode firewalls," they can be bypassed trivially using ICE,
> STUN, etc.

Does that really count as "the firewall being bypassed"? -- If it
requires collaboration from the inside, I wouldn't count that as
"bypassing".

A simple diode firewall essentially prevents e.g. trivial
address-scanning from the outside. And in the light of IoT, where you
might have devices with buggy code (including "default passwords that
were never changed") that maybe never get patched/updated, even such a
simple policy is probably useful.

Cheers,
-- 
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || 
fgont(_at_)si6networks(_dot_)com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
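The two policies discussed above, a "diode" (outbound-only, stateful) firewall and source-address verification, as an added illustration that is not code from this thread or from either author. The prefix, addresses, ports and packets are assumptions drawn from RFC 5737 documentation space; the point is that an outside scan is dropped, a STUN-like flow is admitted only because the inside opened it, and a spoofed source is caught on the inside interface.

```python
from dataclasses import dataclass

# Constructed model of a diode firewall with source-address verification.
# Added example; INSIDE_PREFIX and all addresses below are assumptions.
INSIDE_PREFIX = "192.0.2."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    iface: str  # interface the packet arrived on: "inside" or "outside"

class DiodeFirewall:
    """Admit flows opened from inside and their replies; drop everything else."""

    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport, proto) of outbound flows

    def filter(self, p: Packet) -> str:
        inside_src = p.src.startswith(INSIDE_PREFIX)
        if p.iface == "inside":
            # Source address verification: traffic leaving the inside network
            # must carry an inside source; otherwise it is spoofed (e.g. an
            # NTP request forged in a victim's name) and is dropped here.
            if not inside_src:
                return "DROP:spoofed-source"
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "ACCEPT:outbound"
        # Outside interface: our own prefix can never legitimately arrive here.
        if inside_src:
            return "DROP:spoofed-inside-source"
        # Only replies to a flow the inside opened get through; this is the
        # state a STUN/ICE exchange creates deliberately, from the inside.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "ACCEPT:reply"
        return "DROP:unsolicited"

def demo():
    fw = DiodeFirewall()
    return [
        fw.filter(Packet("198.51.100.7", "192.0.2.10", "udp", 40000, 123, "outside")),  # scan from outside
        fw.filter(Packet("192.0.2.10", "198.51.100.7", "udp", 5000, 3478, "inside")),   # inside opens STUN-like flow
        fw.filter(Packet("198.51.100.7", "192.0.2.10", "udp", 3478, 5000, "outside")),  # reply to that flow
        fw.filter(Packet("203.0.113.9", "198.51.100.7", "udp", 123, 123, "inside")),    # spoofed source from inside
    ]
```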