+1 Agree with Lee.

Best regards,
Hans
Sent from Hans' iPad2

On Oct 22, 2011, at 5:22 AM, "Howard, Lee" <[email protected]> wrote:

> I've had some of these arguments before, but I'll write them down now
> so there's a record. Maybe we should document the debated points in
> a discussion draft, so we could invite further comment.
>
>> And, most (cite?) actual attacks are not preventable with a $30 home
>> router. Most (cite?) homenet security issues are related to phishing
>> and users downloading and installing malware with admin privilege,
>> which PCP and stateful firewalls cannot solve.
>
> Port scanning is largely blocked by stateful firewalls. Thus it's not the
> prevention of actual attacks, but the fact that attacks don't exist because
> they're useless given the existence of firewalls.
>
>>> So service providers are compelled to put firewalls in front of
>>> consumer customers (and even most small business) and have them
>>> enabled by default.
>
> btw, I realize we operated from different assumptions. My default view
> is that the customer manages the gateway/firewall, not the ISP (or maybe
> in addition to the ISP). So in my world view, it's clear that the user (or
> host, or application) sets the security policy, which is enforced by the
> firewall. So if one OS believes it is invulnerable, it can signal the firewall
> to allow all traffic to it. If another OS wants defense in depth, it can
> signal the firewall to allow only wanted traffic. You may s/OS/app.
>
>> Is there proof that $30 home routers protect computers and "move the
>> needle" on malware? Or is this a leftover mindset from the 1990s?
>
> I argue they hold the needle on malware, and there's no reason to make
> it easier to attack ignorant users.
>
> Somebody else once said:
>> There are no attacks in IPv6, what are we protecting against?
> We should design security in before there are attacks, not wait and see
> what gets attacked.
>
> To be constructive, I would like home routers (or at least home border
> gateways) have a "default deny" security policy, which can be
> overridden by user configuration or signaling from internal hosts that
> traffic is wanted. "Signaling" could be PCP, uPNP, SYN, etc.
>
> Lee
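The "default deny, overridable by user configuration or host signaling" policy Lee proposes, worked out as an nftables ruleset for an IPv6 home border gateway. This is an added illustration, not part of the thread or any product; the interface names wan0/lan0, the 2001:db8:: addresses and the sample set entries are assumptions.

```nft
# Added example: IPv6 border gateway with a default-deny forward policy.
# Inbound flows reach the LAN only if (a) an inside host started them,
# (b) the owner configured an exception, or (c) an inside host signaled
# that it wants the traffic (e.g. a PCP/UPnP daemon adding a set element).
table ip6 homegw {
    # Static exceptions from the owner's configuration: (dst address, dst port).
    set user_allow {
        type ipv6_addr . inet_service
        elements = { 2001:db8::10 . 22 }   # constructed sample: SSH to one inside host
    }

    # Exceptions signaled by inside hosts. Entries expire unless renewed,
    # mirroring a PCP mapping lifetime; a signaling daemon would add them with e.g.
    #   nft add element ip6 homegw signaled_allow { 2001:db8::20 . 51413 timeout 1h }
    set signaled_allow {
        type ipv6_addr . inet_service
        flags timeout
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful: replies to flows an inside host started are allowed back in.
        ct state invalid drop
        ct state established,related accept

        # Outbound from the LAN is unrestricted.
        iifname "lan0" oifname "wan0" accept

        # IPv6 relies on these ICMPv6 errors (path MTU discovery etc.); admit them rate-limited.
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } limit rate 100/second accept

        # New inbound flows only where explicitly wanted by configuration or signaling.
        iifname "wan0" oifname "lan0" ip6 daddr . tcp dport @user_allow accept
        iifname "wan0" oifname "lan0" ip6 daddr . tcp dport @signaled_allow accept
        iifname "wan0" oifname "lan0" ip6 daddr . udp dport @signaled_allow accept

        # Everything else falls through to "policy drop"; log a sample so the owner can see what was refused.
        iifname "wan0" limit rate 5/minute log prefix "homegw-denied: "
    }
}
```

Loading it with `nft -f` on the gateway gives the default-deny baseline; a user interface writes to user_allow, and a PCP or UPnP daemon writes timed entries to signaled_allow, so both override paths Lee describes end up in the same enforcement point.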
