On Mar 12, 2012, at 2:44 AM, Roger Jørgensen wrote: > About security for end-users, why should it be deny by default? It don't > really rise the security level by much since virus/trojans get in through > user initiated action, and out again just as easy in the background.
>From my perspective, there is a question of what is being defended and of >defense in depth, and a question of market requirement. I agree that a firewall of any kind doesn't defend the host, since the vast majority of attacks come from behind the firewall. What a firewall defends is primarily the bandwidth within the defended domain - which would be best done if the firewall was at the ISP (before the typical bottleneck link). However, it does prevent certain kinds of messages from getting to a host that don't have a reason to get there. The net effect is to make the attack surface of the host smaller from the perspective of attacks from the outside - the attack has to thread two needles, not just one. The general argument against "default deny" is that it prevents legitimate traffic from reaching the host. I'll argue that this is exactly the right model for traffic that the host has no application to process - traffic that look legitimate but isn't because of the set of applications running on the host. Take, for example, a host that is prepared to operate as an http client but not a server; a packet directed to an http server on it is going to be refused by the host, and could be refused anywhere in the path. The problem with something that is literally "default deny" is that it needs a way to identify and apply rules like "sending smtp to smtp.example.com is reasonable". I'll argue that protocols like PCP are reasonable ways to do that; "default deny" plus PCP does *not* prevent legitimate traffic from getting to the host, but it does prevent unwanted traffic from arriving at the host. You'll ask why I care. I care for two reasons. First is a personal experience. At my home, I have a standing load of about 25 (plus or minus) packets per second that are discarded by the firewall. I don't know what they are, and I don't honestly care. They don't have my permission to be in my network, and I have to assume that if they were to get into it, the hosts in my network would have to deal with them. Second and more importantly, this came up with James Woodyat was building the Airport Express IPv6 capability for Apple, and is the reason that he wrote what is now RFC 6092. He released a product that provided an IPv6 CPE router, and his marketing department came back and told him that a firewall capability was a market requirement for such a product - "if you don't build it, we can't sell it." Now, you can argue that it *shouldn't* be a market requirement; I'll let you tilt at that windmill if you like. Cisco is building IPv6 firewalls as well, and various other folks are. The reason is not that we want to run out and sell folks on the idea. It's that people tell us that they won't buy our networks without them. _______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
