On Mar 12, 2012, at 2:44 AM, Roger Jørgensen wrote:
> About security for end-users, why should it be deny by default? It don't 
> really rise the security level by much since  virus/trojans get in through 
> user initiated action, and out again just as easy in the background.

>From my perspective, there is a question of what is being defended and of 
>defense in depth, and a question of market requirement.

I agree that a firewall of any kind doesn't defend the host, since the vast 
majority of attacks come from behind the firewall. What a firewall defends is 
primarily the bandwidth within the defended domain - which would be best done 
if the firewall was at the ISP (before the typical bottleneck link).

However, it does prevent certain kinds of messages from getting to a host that 
don't have a reason to get there. The net effect is to make the attack surface 
of the host smaller from the perspective of attacks from the outside - the 
attack has to thread two needles, not just one.

The general argument against "default deny" is that it prevents legitimate 
traffic from reaching the host. I'll argue that this is exactly the right model 
for traffic that the host has no application to process - traffic that look 
legitimate but isn't because of the set of applications running on the host. 
Take, for example, a host that is prepared to operate as an http client but not 
a server; a packet directed to an http server on it is going to be refused by 
the host, and could be refused anywhere in the path. The problem with something 
that is literally "default deny" is that it needs a way to identify and apply 
rules like "sending smtp to smtp.example.com is reasonable". I'll argue that 
protocols like PCP are reasonable ways to do that; "default deny" plus PCP does 
*not* prevent legitimate traffic from getting to the host, but it does prevent 
unwanted traffic from arriving at the host.

You'll ask why I care. I care for two reasons.

First is a personal experience. At my home, I have a standing load of about 25 
(plus or minus) packets per second that are discarded by the firewall. I don't 
know what they are, and I don't honestly care. They don't have my permission to 
be in my network, and I have to assume that if they were to get into it, the 
hosts in my network would have to deal with them.

Second and more importantly, this came up with James Woodyat was building the 
Airport Express IPv6 capability for Apple, and is the reason that he wrote what 
is now RFC 6092. He released a product that provided an IPv6 CPE router, and 
his marketing department came back and told him that a firewall capability was 
a market requirement for such a product - "if you don't build it, we can't sell 
it." Now, you can argue that it *shouldn't* be a market requirement; I'll let 
you tilt at that windmill if you like. Cisco is building IPv6 firewalls as 
well, and various other folks are. The reason is not that we want to run out 
and sell folks on the idea. It's that people tell us that they won't buy our 
networks without them.
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet

Reply via email to