In message <dcc302faa9fe5f4bba4dcad4656937791451334...@prvpexvs03.corp.twcable.com> "Howard, Lee" writes:

> I've had some of these arguments before, but I'll write them down now
> so there's a record. Maybe we should document the debated points in
> a discussion draft, so we could invite further comment.
>
> > And, most (cite?) actual attacks are not preventable with a $30 home
> > router. Most (cite?) homenet security issues are related to phishing
> > and users downloading and installing malware with admin privilege,
> > which PCP and stateful firewalls cannot solve.
>
> Port scanning is largely blocked by stateful firewalls. Thus it's not
> the prevention of actual attacks, but the fact that attacks don't
> exist because they're useless given the existence of firewalls.

It's absurd for companies to put firewalls in and then use that as an excuse to run tftp to load images or configuration. If you as a company get someone good to do a security audit, they will do port scans for you and tell you what, if anything, is a potential problem. For enterprise, using a firewall instead of doing this just means that as soon as one PC is running malware, that exposure is wide open.

> > > So service providers are compelled to put firewalls in front of
> > > consumer customers (and even most small business) and have them
> > > enabled by default.
>
> btw, I realize we operated from different assumptions. My default
> view is that the customer manages the gateway/firewall, not the ISP
> (or maybe in addition to the ISP). So in my world view, it's clear
> that the user (or host, or application) sets the security policy,
> which is enforced by the firewall. So if one OS believes it is
> invulnerable, it can signal the firewall to allow all traffic to it.
> If another OS wants defense in depth, it can signal the firewall to
> allow only wanted traffic. You may s/OS/app.

Some MSOs install a router with firewall enabled. Most will cheerfully disable it completely on request. I got an MSO business service and it took a while before they disabled it *and* saved the config so it didn't come back, even though I kept telling them they needed to do that. It was a small battle to get them to turn off their NAT, their firewall, their DHCP, and then a bit of a larger battle to get them to do rDNS.

> > Is there proof that $30 home routers protect computers and "move the
> > needle" on malware? Or is this a leftover mindset from the 1990s?
>
> I argue they hold the needle on malware, and there's no reason to make
> it easier to attack ignorant users.

There are a lot of retired people where I live and many will tell you that they think it's time to upgrade their Windows 98 PC. They *need* someone to put up a firewall for them.

> Somebody else once said:
> > There are no attacks in IPv6, what are we protecting against?
>
> We should design security in before there are attacks, not wait and
> see what gets attacked.
>
> To be constructive, I would like home routers (or at least home border
> gateways) to have a "default deny" security policy, which can be
> overridden by user configuration or signaling from internal hosts that
> traffic is wanted. "Signaling" could be PCP, UPnP, SYN, etc.
>
> Lee

Agree. For consumer and small business, firewall enabled is a reasonable default. I would not like to see it recommended in an RFC unless it was explained why the sorry state of PC software has made it a necessary evil, at least for now.

Curtis

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
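The policy Lee sketches above (default deny inbound at the home border gateway, replies to LAN-initiated flows allowed statefully, and internal hosts able to override the default by signaling a wanted port or an "allow all") can be modelled in a few dozen lines. The following is an added illustration written for this archive page, not code from either poster or from any homenet implementation; it is a toy packet filter, not a real PCP or UPnP client, and the addresses it uses are constructed from the RFC 5737 documentation ranges. It also shows the point made earlier in the thread that an outside port scan against a default-deny gateway finds nothing unless a host has asked for the port.

```python
# Toy model of a home border gateway with a "default deny" inbound policy,
# stateful allowance of replies to LAN-initiated flows, and host-signaled
# overrides (a per-port pinhole in the PCP MAP / UPnP style, or "allow all").
# Constructed illustration for this page; not a real PCP or firewall implementation.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Gateway:
    lan: set                                     # internal host addresses (constructed)
    conntrack: set = field(default_factory=set)  # flows opened from the inside
    pinholes: set = field(default_factory=set)   # (host, port, proto) signaled open
    allow_all: set = field(default_factory=set)  # hosts that opted out of filtering
    dropped: list = field(default_factory=list)  # log of unsolicited inbound drops

    def _check_internal(self, host):
        # Only LAN-side hosts may change the policy; the Internet side never can.
        if host not in self.lan:
            raise ValueError(f"{host} is not an internal host")

    def signal_pinhole(self, host, port, proto="tcp"):
        """Internal host asks for unsolicited inbound on one port (PCP MAP / UPnP style)."""
        self._check_internal(host)
        self.pinholes.add((host, port, proto))

    def signal_allow_all(self, host):
        """Internal host asks the gateway to stop filtering inbound traffic to it."""
        self._check_internal(host)
        self.allow_all.add(host)

    def filter(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet crossing the gateway."""
        if pkt.src in self.lan and pkt.dst not in self.lan:
            # Outbound: allowed, and remembered so the reply can come back in.
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT"
        if pkt.dst not in self.lan:
            return "DROP"                        # not addressed to anything we protect
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.conntrack:
            return "ACCEPT"                      # reply to a flow the inside started
        if pkt.dst in self.allow_all or (pkt.dst, pkt.dport, pkt.proto) in self.pinholes:
            return "ACCEPT"                      # explicitly wanted by the host
        self.dropped.append(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"                            # default deny


def port_scan(gw, scanner, target, ports):
    """Ports an outside scanner would find reachable through the gateway."""
    return [p for p in ports if gw.filter(Packet(scanner, 40000, target, p)) == "ACCEPT"]


def demo():
    # Constructed addresses: 192.0.2.0/24 for the LAN, 198.51.100.7 for the outside host.
    gw = Gateway(lan={"192.0.2.10", "192.0.2.11"})
    outside, pc, nas = "198.51.100.7", "192.0.2.10", "192.0.2.11"
    ports = [22, 80, 443, 8080]

    closed = port_scan(gw, outside, pc, ports)          # [] : default deny hides everything
    gw.filter(Packet(pc, 51000, outside, 443))          # the PC browses out
    reply = gw.filter(Packet(outside, 443, pc, 51000))  # 'ACCEPT' : stateful reply
    gw.signal_pinhole(nas, 8080)                        # the NAS asks for one port
    nas_seen = port_scan(gw, outside, nas, ports)       # [8080]
    gw.signal_allow_all(pc)                             # the PC opts out of filtering
    pc_seen = port_scan(gw, outside, pc, ports)         # [22, 80, 443, 8080]
    return closed, reply, nas_seen, pc_seen, len(gw.dropped)


if __name__ == "__main__":
    print(demo())
```

The ordering of the checks in `filter` is the whole design: state first, then the host's own overrides, then the default drop. The `dropped` log is what a gateway operator would actually look at, since every entry is an unsolicited inbound attempt that no internal host asked for.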
