On Mar 13, 2012, at 10:11 PM, Cameron Byrne wrote:

> My cursory research says you are not going to be able to present a convincing
> amount of data to support the fact that a stateful
> inspection firewall should be applied in a contemporary home environment.
I don't recall anyone saying that a "stateful inspection" firewall was specifically called for. I think we argued that there is a market expectation that a firewall is at least available, and that however the firewall is implemented, it should prevent simple attacks from "outside" the network (I will argue "network layer attacks" as opposed to combing through bits in layers above). As we get into the specifics of kinds of firewalls, I think we're treading even more heavily on people's religion.

As to "kinds of firewalls", I have a posted draft (which I think I mentioned), which might be discussed in opsawg and might be discussed in the Security Area meeting. I haven't heard a decision on that. I would suggest we defer to that discussion.

However, as far as *this* draft goes, I think that it is fair to say that

 - a CPE Router MAY include a firewall function.

 - IF such a function is implemented, it MUST be possible to disable it, reducing the CPE to a simple router. (My rule on the use of "MUST": I use the term when failing to do so breaks something, and I try to say what breaks. In this case, a CPE Router that has a firewall that can't be turned off cannot be used as an interior router in the home network.)

 - IF it is a "deny all" firewall, it SHOULD have a means of providing access rules for services inside the home, such as allowing SMTP to an SMTP server or ISP access to a set-top box. PCP or other protocols like it MAY be used to achieve that.

 - IF it is a role-based firewall, it SHOULD have a means of configuring and using roles.

 - IF it is a stateful inspection, reputation-based, or anomaly detection firewall, it SHOULD have a way to maintain the indicated tables, such as periodic download of signed files from a trusted site.

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
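As an added illustration of the behaviours the message lists (this is editor-supplied example code, not code from the draft, the thread, or any CPE vendor), here is a small Python model of a "deny all" CPE firewall. It shows the pieces a practitioner would check against the bullet list: a disable switch that turns the box back into a plain forwarder, stateful admission of replies to flows opened from inside, static access rules (the SMTP-server and ISP-to-set-top-box cases), and a simplified PCP-style MAP request that opens a pinhole for a limited lifetime. The addresses are constructed from RFC 5737 documentation prefixes, the class and function names are the editor's own, and the `pcp_map` method is a stand-in for the real Port Control Protocol exchange, not an implementation of it.

```python
"""Toy model of a deny-all CPE firewall (editor's example, not from the draft)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: home LAN and the ISP's management prefix (RFC 5737 documentation space).
HOME_NET = ip_network("192.0.2.0/24")
ISP_MGMT_NET = "198.51.100.0/24"


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple view of a packet crossing the CPE."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Pinhole:
    """Static access rule: admit inbound proto/dport to one internal host,
    optionally only when the source lies within src_net (None = any source)."""
    dst: str
    dport: int
    proto: str = "tcp"
    src_net: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if (pkt.proto, pkt.dst, pkt.dport) != (self.proto, self.dst, self.dport):
            return False
        return self.src_net is None or ip_address(pkt.src) in ip_network(self.src_net)


class CpeFirewall:
    """Deny-all firewall function with the knobs the message asks for."""

    def __init__(self, enabled: bool = True):
        self.enabled = enabled
        self.pinholes: list[Pinhole] = []
        # Flows opened from inside: (proto, lan_ip, lan_port, wan_ip, wan_port).
        self.state: set[tuple] = set()
        # PCP-style mappings: (proto, internal_ip, internal_port) -> expiry time.
        self.pcp_maps: dict[tuple, float] = {}

    def disable(self) -> None:
        """MUST be possible: with the firewall off the CPE is a simple router."""
        self.enabled = False

    def enable(self) -> None:
        self.enabled = True

    def add_pinhole(self, rule: Pinhole) -> None:
        self.pinholes.append(rule)

    def pcp_map(self, internal_ip: str, internal_port: int, lifetime: float,
                now: float, proto: str = "tcp") -> None:
        """Simplified stand-in for a PCP MAP request from an internal host:
        open inbound access to internal_ip:internal_port for `lifetime` seconds."""
        if ip_address(internal_ip) not in HOME_NET:
            raise ValueError("PCP mapping must name a host on the home network")
        self.pcp_maps[(proto, internal_ip, internal_port)] = now + lifetime

    def outbound(self, pkt: Packet) -> bool:
        """LAN -> WAN traffic is always forwarded; remember the flow so replies get in."""
        self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet, now: float = 0.0) -> bool:
        """WAN -> LAN decision. Returns True if the packet is forwarded."""
        if not self.enabled:
            return True  # plain router: no filtering at all
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return True  # stateful: reply to a flow opened from inside
        if any(rule.matches(pkt) for rule in self.pinholes):
            return True  # static access rule (SMTP server, ISP -> set-top box, ...)
        expiry = self.pcp_maps.get((pkt.proto, pkt.dst, pkt.dport))
        if expiry is not None:
            if now < expiry:
                return True  # live PCP mapping
            del self.pcp_maps[(pkt.proto, pkt.dst, pkt.dport)]  # expired: drop mapping
        return False  # default deny


def build_example_firewall() -> CpeFirewall:
    """The two access rules from the message, on constructed addresses."""
    fw = CpeFirewall()
    fw.add_pinhole(Pinhole(dst="192.0.2.25", dport=25))                        # SMTP server
    fw.add_pinhole(Pinhole(dst="192.0.2.40", dport=8443, src_net=ISP_MGMT_NET))  # set-top box
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    print("ssh from internet to LAN host:", fw.inbound(Packet("203.0.113.5", "192.0.2.10", 40000, 22)))
    print("smtp from internet to SMTP server:", fw.inbound(Packet("203.0.113.5", "192.0.2.25", 40000, 25)))
    fw.disable()
    print("ssh with firewall disabled:", fw.inbound(Packet("203.0.113.5", "192.0.2.10", 40000, 22)))
```

The point of the `disable()` path is the one the message makes about "MUST": with the firewall off, `inbound()` never consults state, pinholes or mappings, so the same box can sit as an interior router without silently dropping traffic between two parts of the home.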