On 07/01/2014 01:55 PM, Fred Baker (fred) wrote:
> That is a place I have well and truly scratched my head regarding
> the firewall discussion in the IETF. There’s a set of people,
> including me, that think that firewalls have a certain level of
> utility and in any event are a business requirement.
FWIW, I'm in this camp.
> Where my head tips is this. I see three kinds of traffic across
> that divide. One is sessions originated from the network - I sent
> something to Netflix, Facebook, or whoever, and it replied. The
> vast majority of residential traffic, I would guess, falls in that
> category, and apart from electronic mail and traffic to business
> services to customers, I would guess that the vast majority of
> legitimate enterprise traffic does as well. A second is sessions
> originated from outside the network to services that the network
> intends to offer - web access to www.example.com, incoming SMTP, my
> daughter’s surveillance service (which is a web access), and so on.
> The third is “everything else” - traffic that wasn’t invited and
> has no application, and perhaps no host, to respond to it.
>
> The first works in almost any case - a firewall that prevents you
> from running an application you want to run isn’t going to last
> very long. The second is trivially allowed for by a firewall rule
> or PCP/UPnP exchange, and if there is an application (set-top box
> or whatever) in the home that wants to allow for such a service,
> it can fire off the request. The third - what is the argument for
> letting that into my home or enterprise network?
Could you provide an example of this "third" traffic?
> And I tend to think that the conversation breaks down at that
> point. Everyone agrees on the first and second. When someone says
> “I want to block the third”, the response is “but I want to allow
> the second” without acknowledging or commenting on the third. And
> I just find myself shaking my head in disbelief. Wouldn’t it be
> nice if both speakers in the conversation would address the same
> subject?
I guess the folks arguing "but I want to allow the second" really mean
"I want to allow the second with no manual configuration or
upnp-kind-of-thing"?
Thanks,
--
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar ||
fgont(_at_)si6networks(_dot_)com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
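The three traffic classes in the quoted message map directly onto a default-deny stateful policy: return traffic for sessions the inside originated (class 1), inbound sessions to services the network deliberately exposes, whether by static rule or by a PCP/UPnP-style request from an inside host (class 2), and everything else (class 3), which is dropped. The toy model below is an added illustration written for this page, not code from either correspondent or from any IETF document. It tracks outbound flows in a state table and classifies constructed inbound packets; the addresses come from the RFC 5737 documentation ranges and the `Firewall`/`Packet` names are this example's own.

```python
"""Toy stateful firewall showing how the three traffic classes are handled.

Class 1: sessions the inside originated; the reply matches the state table.
Class 2: inbound sessions to services the network intends to offer, either
         configured statically or requested by an inside host (PCP/UPnP style).
Class 3: everything else: uninvited inbound traffic, dropped by default.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Firewall:
    inside_prefix: str                      # e.g. "192.0.2." (constructed, RFC 5737)
    services: set = field(default_factory=set)   # static rules: (inside_ip, port, proto)
    mappings: set = field(default_factory=set)   # dynamic PCP/UPnP-style mappings
    flows: set = field(default_factory=set)      # state: (in_ip, in_port, out_ip, out_port, proto)

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def add_service(self, inside_ip: str, port: int, proto: str = "tcp") -> None:
        """Static class-2 rule: the operator chose to expose this service."""
        self.services.add((inside_ip, port, proto))

    def request_mapping(self, inside_ip: str, port: int, proto: str = "tcp") -> None:
        """Dynamic class-2 rule: an inside host (set-top box, camera) asks to be
        reachable, the analogue of a PCP MAP or UPnP AddPortMapping request."""
        if not self.is_inside(inside_ip):
            raise ValueError("only inside hosts may request mappings")
        self.mappings.add((inside_ip, port, proto))

    def filter(self, pkt: Packet) -> str:
        """Return the verdict and the class that produced it."""
        if self.is_inside(pkt.src) and not self.is_inside(pkt.dst):
            # Outbound: record the flow so its reply is recognised (class 1).
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow:outbound"
        if not self.is_inside(pkt.src) and self.is_inside(pkt.dst):
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
                return "allow:reply"          # class 1 return traffic
            if (pkt.dst, pkt.dport, pkt.proto) in self.services:
                return "allow:service"        # class 2, static rule
            if (pkt.dst, pkt.dport, pkt.proto) in self.mappings:
                return "allow:mapped"         # class 2, host-requested mapping
            return "drop:uninvited"           # class 3: nothing asked for this
        return "drop:not-forwarded"           # inside-to-inside or outside-to-outside


def demo() -> list:
    """Run constructed packets through the model and return the verdicts."""
    fw = Firewall("192.0.2.")
    fw.add_service("192.0.2.10", 80)            # www.example.com-style web server
    fw.request_mapping("192.0.2.20", 8080)      # set-top box asks for reachability
    packets = [
        Packet("192.0.2.5", 40000, "203.0.113.7", 443),   # inside host opens a session
        Packet("203.0.113.7", 443, "192.0.2.5", 40000),   # matching reply
        Packet("203.0.113.7", 443, "192.0.2.5", 40001),   # wrong port: no matching flow
        Packet("198.51.100.9", 51000, "192.0.2.10", 80),  # inbound to exposed web server
        Packet("198.51.100.9", 51001, "192.0.2.20", 8080),  # inbound to requested mapping
        Packet("198.51.100.9", 51002, "192.0.2.11", 22),  # inbound to nothing that was offered
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A real packet filter adds timeouts to the state table and tracks TCP state rather than a bare 5-tuple, but the policy shape is the one the quoted message argues for: nothing in the model needs an explicit rule for class 3, because the default verdict already drops it, and class 2 is the only place where configuration, manual or PCP/UPnP-driven, has to appear.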