On Jul 1, 2014, at 9:55 AM, Fred Baker (fred) <fred(_at_)cisco(_dot_)com> wrote:
On Jul 1, 2014, at 3:45 AM, Fernando Gont
<fernando(_at_)gont(_dot_)com(_dot_)ar> wrote:
IPv6 with a diode-firewall on the perimeter would essentially face the
same challenge/problem. I seem to recall folks noting that that's how
they deploy v6 to the home...
Well, sort of. A zone-based firewall (NAT or otherwise) primarily allows in
responses to traffic it has sent out, and https://tools.ietf.org/html/rfc6092
is an example of that. However, just as NATs do, such firewalls usually allow
for a firewall rule that will allow specified traffic to go to a specified
address. That’s the purpose of PCP, for example.
That is a place I have well and truly scratched my head regarding the
firewall discussion in the IETF. There’s a set of people, including me, that
think that firewalls have a certain level of utility and in any event are a
business requirement. There’s another set of people who “don’t want no
stinkin’ firewalls”, and argue their case on the basis of the end to end
principle. No aspersions here; I understand their point, and my daughter’s
surveillance service would be a case in point of the kind of service they
want to enable.
Where my head tips is this. I see three kinds of traffic across that divide.
One is sessions originated from the network - I sent something to Netflix,
Facebook, or whoever, and it replied. The vast majority of residential
traffic, I would guess, falls in that category, and apart from electric mail
and traffic to business services to customers, I would guess that the vast
majority of legitimate enterprise traffic does as well. A second is sessions
originated from outside the network to services that the network intends to
offer - web access to www.example.com, incoming SMTP, my daughter’s
surveillance service (which is a web access), and so on. The third is
“everything else” - traffic that wasn’t invited and has no application, and
perhaps no host, to respond to it.
The first works in almost any case - a firewall that prevents you from
running an application you want to run isn’t going to last very long. The
second is trivially allowed for by a firewall rule or PCP/UPnP exchange, and
if there is an application (set-top box or whatever) in the home that wants
to allow for such a service, it can fire off the request. The third - what is
the argument for letting that into my home or enterprise network?
And I tend to think that the conversation breaks down at that point. Everyone
agrees on the first and second. When someone says “I want to block the
third”, the response is “but I want to allow the second” without
acknowledging or commenting on the third. And I just find myself shaking my
head in disbelief. Wouldn’t it be nice if both speakers in the conversation
would address the same subject?
I should have included one more aspect in the third set. That is traffic
disallowed by policy. Current top-of-mind in security circles includes NTP
attacks - someone sends a message with a spoofed source address to an NTP
server, which now sends something to that address every mumble time units. In a
home, the counterpart might be a media server - something I have and intend to
be used by people in my home. In such cases, while the application and server
it runs on exist, it is not intended for use by folks “outside”. So once again,
traffic to it “from outside” is uninvited and has no application, and perhaps
no host, *intended* to respond to it.
And again I ask - sure, we all agree on category 1 and 2 - accesses to services
from within and permitted access to services from without - but what’s the
argument for allowing the third category into the network?
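The three traffic categories above map directly onto what a stateful zone-based firewall in the RFC 6092 mould actually does: outbound sessions create state that admits their replies (category 1), explicit pinholes of the kind PCP or UPnP would open admit invited inbound connections (category 2), and everything else is dropped (category 3). The following is an added illustration, not code from this thread or from any vendor's firewall: a small Python model of that decision logic, run over constructed packets using the 2001:db8::/32 documentation prefix. The addresses, ports, and the `open_pinhole` method standing in for a PCP-style request are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple view of an IPv6 packet (constructed for the example)."""
    proto: str   # "tcp" or "udp"
    src: str     # source IPv6 address
    sport: int
    dst: str     # destination IPv6 address
    dport: int

    def reply(self) -> "Packet":
        # The packet a peer would send back in answer to this one.
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class ZoneFirewall:
    """Stateful 'simple security' filter: inside zone vs. everything else."""
    inside: ipaddress.IPv6Network
    # (proto, inside address, port) tuples an inside host asked to expose
    pinholes: set = field(default_factory=set)
    # 5-tuples of sessions that an inside host originated
    flows: set = field(default_factory=set)

    def is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def open_pinhole(self, proto: str, addr: str, port: int) -> None:
        # Hypothetical stand-in for a PCP/UPnP request from an inside host;
        # only inside addresses may be exposed.
        if not self.is_inside(addr):
            raise ValueError("pinholes may only expose inside addresses")
        self.pinholes.add((proto, addr, port))

    def filter(self, pkt: Packet):
        """Return (verdict, category) with categories 1..3 as in the thread."""
        # Category 1, outbound leg: record the session so its replies get in.
        if self.is_inside(pkt.src) and not self.is_inside(pkt.dst):
            self.flows.add(pkt.key())
            return ("accept", 1)
        # Category 1, return leg: matches a session we originated.
        if pkt.reply().key() in self.flows:
            return ("accept", 1)
        # Category 2: an inside host explicitly asked to offer this service.
        if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
            return ("accept", 2)
        # Category 3: uninvited, nothing inside intends to answer it.
        return ("drop", 3)


def run_demo():
    """Run constructed packets through the model and return the verdicts."""
    fw = ZoneFirewall(ipaddress.IPv6Network("2001:db8:1::/64"))
    # An inside host opens a connection to a streaming service's HTTPS port.
    outbound = Packet("tcp", "2001:db8:1::10", 50000, "2001:db8:ffff::1", 443)
    # A set-top box inside the home asks to expose its web front end.
    fw.open_pinhole("tcp", "2001:db8:1::80", 443)
    invited = Packet("tcp", "2001:db8:ffff::2", 40000, "2001:db8:1::80", 443)
    # Unsolicited probe at a media server that is meant for inside use only.
    media_probe = Packet("udp", "2001:db8:ffff::3", 123, "2001:db8:1::5", 8200)
    # Packet that merely claims to be a reply, but matches no recorded session.
    fake_reply = Packet("tcp", "2001:db8:ffff::1", 443, "2001:db8:1::10", 50001)
    return [fw.filter(p) for p in
            (outbound, outbound.reply(), invited, media_probe, fake_reply)]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point the model makes concrete is that the "allow the second" and "block the third" positions are not in tension: the pinhole table is what makes category 2 work, and the absence of a matching flow or pinhole is what makes the category 3 drop a default rather than a prohibition on anything a resident actually asked for. The media server case from the follow-up is the `media_probe` packet: the host and application exist, but no inside party ever opened a session or a pinhole for that peer, so the packet is uninvited.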