On 07/08/11 16:08, Russ White wrote:
>>> On one hand, we want the capability to reach anywhere we're allowed to from
>>> home. OTOH, if anything in my home is reachable from anywhere, we are back to
>>> the firewall paradigm.
>> Why? You are still back to all the security disadvantages of firewalls - soft
>> chewy inside, etc. Reachability does not convey access authorization. Devices
>> must either protect themselves directly or delegate that protection to a proxy
>> of some sort (*not* necessarily a firewall).
> It seems to me we're making things very complex (?)... In any given
> network, there needs to be some amount of policy. Some of that policy is
> best centralized, some of it is best distributed. And more than one
> layer of defense is always better than only one layer of defense (though
> you can go overboard in the other direction).
> Take a house for instance... You have locked doors, and yet you still
> have passwords. You have passwords and safes, yet you still have locked
> doors... It's always a question of where the most efficient spot is to
> implement any bit of policy/security, not whether or not that
> policy/security is needed.
> Whether the policy that's needed is on something called a "firewall," or
> a "bridge between multiple control planes," or... It doesn't matter.
> Policy is policy.
> Or maybe I don't understand the question... :-)
Your analysis is spot on.
Yes, firewalls will happen. CPE routers, at least the ISP-managed
variety, will ship with those on by default.
No, firewalls don't necessarily break end-to-end connectivity. Not as
badly as NAT does.
Indeed, the average user cannot be expected to manually administer a
firewall.
Yes, there are solutions (e.g. UPnP IGD) that manage IPv4 port
forwarding and IPv6 firewall pin-holing without user intervention. Is
that secure? It's as secure as allowing someone already inside your
house to open the door to let someone else in. Whether you want to allow
that is a matter of policy; you generally don't want that in a military
facility, you do want it in a residence. If you want to keep criminals
out of your house, disabling the ability to open the front door from the
inside is the wrong approach.
Removing the front door, just to be sure that the milkman can deliver
milk straight to your fridge, and the electricity company guy can read
your meter while you're not home, is not the best policy in most parts
of the world either.
Indeed, none of this needs to be particularly complicated. Everybody
understands your house and locked doors metaphor. Being able to open
the front door from the inside is not the problem of the company that
sells front doors with locks and security bolts, and that is understood
by everyone. People are perfectly content with the soft, chewy inside
nature of their homes.
Like you, I don't understand why this issue should be so contentious.
People who want to run complex services inside their homes normally have
the expertise to perform a manual policy change. Those are the people
who are managing just fine today to set up manual port forwardings on
residential gateways. That is the exception case; it must be possible,
but not automatic.
bfn, Wouter
--
Architect Core Gateway SoftAtHome R&D RGW http://www.softathome.com/