On 8/2/11 8:28 AM, "Keith Moore" <[email protected]> wrote:
>On Aug 2, 2011, at 4:22 AM, Philip Homburg wrote:
>
>> How do you construct a router such that the router always knows what it
>> has to do, or at least is in some sense fail-safe?
>
>The idea that a firewall should automatically know what "it has to do"
>strikes me as utterly bizarre. I realize that there's a desire to
>minimize the configuration burden for unsophisticated users (and agree
>with that), but the idea that the firewall knows better than the user
>what his security policy should be seems ridiculous.

[jjmb] I agree, Keith, that having a firewall automatically know what to do is a tall order. I also think there is more than a desire to ease configuration burden; this is a must, since most users on the Internet have very basic technical skills.

>
>A different idea is that the firewall always work in a very minimal mode
>by default (e.g. it passes no traffic, or maybe only outgoing port 80
>traffic, but its configuration interface is enabled for the internal
>ports) so that the user must configure it in order to get it to do
>anything useful. That way, the first thing a user learns about his
>router/firewall is how to configure it. Then you want to focus on making
>the configuration interface easy to understand. (You also have to figure
>out how to keep the user from hooking up the internal port to the
>external connection.)

[jjmb] I said something similar to this in an earlier email. To start, there should perhaps be a basic configuration that protects the user and allows the service to be usable.

>
>But these are user interface issues, not protocol issues. Perhaps
>they're better addressed in homenet than here.

[jjmb] I could imagine some protocol work that could ease the pain here; UI for sure could facilitate ease of use.
>
>Keith
>
>_______________________________________________
>v6ops mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/v6ops

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
