On Monday, May 15, 2006 12:07:09 PM -0700 "Hallam-Baker, Phillip"
<pbaker(_at_)verisign(_dot_)com> wrote:
> I agree that separating out the NAT and firewall functions is useful and
> necessary. Even if the two functions are performed by the same box they
> should be considered separately.
>
> I don't think that the idea of zero configuration firewalls should be
> dismissed. A firewall is simply a policy enforcement point, usually
> located at the border where the network meets the Internetwork.

Sure. But a policy enforcement point must necessarily be configured;
otherwise, how is it going to know what policy to enforce?

> First, people have the model wrong: ask not how you can protect yourself
> from the Internet, ask how to protect the Internet from you.

No. Being a good neighbor is desirable, but does not replace protecting
yourself from bad neighbors and evildoers.

> A reverse firewall with simple protection rules to protect the Internet
> from a rogue server should be part of the default configuration of every
> gateway device. Let people turn it off if their use model requires it.
> But very, very few people need to have a machine that has a use signature
> that remotely resembles a DDoS bot or a spambot.

What is a "rogue server"? What distinguishes a DDoS bot from a P2P file
sharing application? What distinguishes a Windows virus from a krb524
client? (Hint: nothing; several network providers and common firewall
configurations block outgoing UDP traffic to port 4444, with the result that
getting krb4 tickets and AFS tokens doesn't work from inside such a
network.) Who updates the configuration on these filters as new
applications and new malware appear?

> Eventually I am going to persuade one of the major ISPs to make such a
> feature a requirement in the cable modems / wifi routers / dsl modems
> they buy. I am pretty sure that failing to do so would constitute
> negligence - certainly the Hand formula indicates a duty of care here.

I should be required to have a device which limits my ability to use the
network connection I've paid for to a limited set of applications chosen by
my network provider? That's not only insane; it would probably be legally
very stupid for my network provider; by restricting what I'm allowed to do,
they take some responsibility for what I do.

> In the future every NIC, router, hub and wifi access point will be a
> policy enforcement point. Policy configuration on the enforcement device
> is going to be impractical.

I see you're among those who think users and customers should be required
to enforce policy counter to their interests, and that the network should
trust that they do so. One of the basic rules of distributed systems
design is that service providers MUST NOT depend on clients to enforce
policy for them, because anyone can make a rogue client.

> There is no reason why this should not be possible in the home
> environment. If we start by assuming that there is some form of
> trustworthy hardware that cannot be stomped on by malicious code, it
> becomes obvious that the network config can be made plug and play. The
> only thing the user has to do is to decide what applications can and
> cannot connect up to the network and/or Internetwork and the uses to be
> made.

Except that the user won't get to do that; the user's network provider
will, and users who want to do anything even a little strange will just
completely lose, because they're not powerful enough to force their
provider to accept different terms.

But for the moment, let's assume that doesn't happen. There's still a
serious usability problem.

The ideal situation is for the network to become like a true utility -
always there, completely invisible to the user except when it breaks, and
they almost forget they have it because it _never_ breaks. Power's not
invisible if I have to go make changes at the service entrance before I can
plug in a new appliance. Water's not invisible if I have to ask the water
company before I can install a new faucet. And it's been decades since you
could only attach a telephone approved (and owned!) by the telephone
company. Why should the network require that I reconfigure some device I
don't even know exists before I can run a new application?
-- Jeff
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf