I'd like to get away from the worshipping of end-to-end (though I
genuflect at that altar as much as anyone), and bring it back to reality
slightly, amplifying a bit on some bits I've seen in parts of this long
thread.  I think Stuart Cheshire pointed out remotely in the Philadelphia
ftf meeting that attack surface is a real issue, and I think it is a
rapidly growing issue.

Here's reality:

o the number of devices has been growing exponentially in people's
houses: first it was one machine, then one/person, and now it's the
TV(s), Blu-ray player(s), phones, NAS boxes, TiVo, Roku box, Apple TV, and
often more than one computer/person, IP camera(s), thermostat(s) (I just
ordered a Nest to play with), printers, etc. This is the concrete
example of my house, but even the grandparents' house I visit isn't that
far behind, with around 3 laptops and a TiVo and a printer.

More and more of these devices are "legacy" devices already that sit and
rot without software updates (concrete example: the NAS box I have which
hasn't seen a software update now in about 3 years).  This is a huge
problem, but not one this working group can undertake.  Certainly the
consumer electronics Linux efforts are trying to help this problem via
the Linux Foundation efforts.

But I don't think this problem is going to go away, and certainly not in
my lifetime.  Even if rotting hardware didn't exist, and it all had the
right UIs to let you control its access, you're asking the poor home
manager to learn the management UI on all devices just to ensure the
right policies are in place: this means there is essentially *zero*
chance of succeeding.

o there are certain policies I really want to enforce: the one that Dave
Taht and I ran into last week installing the latest CeroWrt was the
following: to ensure that Microsoft file services were *not* accessible
by default to the outside; we had a bug that it was accessible via IPv6.

My reasoning is the following:  the RIAA would like me to be legally
liable for accidental sharing of my CD collection that I've digitised.
So I really want to prevent this accidental sharing of a misconfigured
laptop or NAS box; I really, really want to make sure it fails, so that
my door is not left "unlocked" by accident.  And there is lots of other
personal data I'd also not like to share.  So despite the fact that this
is at best a half-measure, when we detected that via IPv6 the default
firewall rules allowed such access on CeroWrt, Dave set it to deny, and
I expect that that is what most people will want/need.  In fact, for my
NAS device, I really want to ensure that *all* ports are blocked from
outside, since its OS has been rotting and its attack surface grows
with almost every passing day.

So I'm not interested in default-deny in general; but I sure want to be
able to easily do deny-all or deny a particular service to particular
devices, or particularly insecure protocols to everyone (e.g. Microsoft
file sharing).  For our general laptops, which are kept decently up to
date, I probably *do* want almost all ports open (with the exception
again of things like file sharing services, for the reason given above).

This is yet another example of the *primary* utility of firewalls:
reduce the attack surface, particularly to vulnerable systems, and to
try to prevent things getting *out*, rather than coming in.  In my
example, I just want to be able to appear in court and say to the judge:
"my door was locked".  As a way of keeping things out: we know that
doesn't work in general; at most firewalls can reduce the attack surface
from the outside.

Ok, what have I been thinking about doing for CeroWrt, that is more nuanced?
==============================================

I've been thinking about this problem a lot this week, as I need to put
time based controls to help my son control his game playing, have been
thinking about visibility of internal names to the global internet, and
how to ensure diffserv is handled properly (if the home gateway has no
controls over diffserv for users, then it will be gamed to uselessness
by applications/devices).  I'm writing this lengthy message in part as
it's helping me to make my thinking concrete.

I'm really not worried about someone using my printer from outside: I
suppose that they can waste some paper and toner, and if that becomes a
problem, I'll put other (per person) access control on it.  But for
printer devices, I'll want a policy that opens my IPv6 capable printer
to the world on some protocol, so I can easily print from anywhere.
Since its firmware is not frequently updated by HP, I probably want all
other ports "closed", just to reduce its attack surface.  I don't know
if the printer has an internal firewall or not...

For actively maintained laptops/phones, I'll want a policy that allows
pretty much full access, with the exception of file sharing, where I'll
want my kids and wife to have to come see me to do anything out of the
ordinary (until we have file sharing protocols that enforce strong
authentication).

On top of this basic policy, I may want to add the time based control
for my son.

My NAS box(es) I want default deny all, until/unless someone can sell me
one (or I set one up myself) that does both strong authentication and is
auto-updating its system.

Similarly, depending on the update rate of the firmware and how general
the device is, I may have other nuanced policies I'd like to have the
firewall enforce.

OK, where does this leave me?

o having a firewall at all is necessary, if only to try to protect
myself from the RIAA and rotting devices in my home.  My primary systems
are mostly kept up to date and wander all over the Internet, between
work and school.

o knowing what class of device it is may help a lot in setting the
firewall rules.  It might be useful to define a protocol that devices
can inform the environment what they are to automate this, but something
like that isn't going to happen any time soon and then presents yet
another way to attack the system.

So I need a way to associate a device (IP address or mac address) with a
particular default rule (e.g. file server, printer, thermostat, camera
and so on).  On top of that I may have other access rules (e.g. no
public internet access at all for my son after he should be in bed, so I
can stop losing sleep every night).  So it may be a device belongs to
more than one class of device.  You can think of a laptop as something
which can be any class of device...  But the user of that laptop may
need other policies ;-).

o end users can't be required to know about port numbers or firewall
rule languages; gotta do something pretty simple.

o firewall rules that are global to all devices aren't what I want: I
need to set the rules on a per-device basis.

o because of attack surface issues, saying "just put devices into a DMZ"
is an insufficient answer as those devices may not have actively
maintained firmware and I want to reduce the attack surface against
those devices.  It isn't clear to me what a DMZ buys other than more
complication.  So on the KISS principle, I want to avoid DMZs.

o keeping track of all devices in my home has become a real problem: I
want my home router to keep track of all MAC addresses it sees; from
that (the physical device), I can associate a policy.

So we'll see where I get to on all this.  But it's a lot easier to think
about these problems if you are actually trying to solve them
yourself... (Hint... Hint...  Hint.... Help very welcome!).
                        - Jim
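The per-device-class policy sketched in the message above (deny-all for the NAS, IPP-only for the printer, "open except Microsoft file sharing" for maintained laptops, a bedtime curfew keyed on a MAC address, fail-closed for anything unlisted) as an added worked example. This is illustration code written for this page, not CeroWrt's firewall or anything Jim or Dave shipped; the interface names, MAC addresses, IPv6 addresses, chain names and the device list are constructed. It renders ip6tables/iptables command lines and also evaluates the generated rules first-match, so the one check the message actually asks for (SMB must be closed over IPv6 too) can be run before the rules are loaded:

```python
"""Per-device firewall policy generator and checker (added example, not CeroWrt code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

WAN_IF = "wan0"   # assumed interface names; CeroWrt's real ones differ
LAN_IF = "lan0"

# Microsoft file sharing: SMB direct (445), NetBIOS session (139),
# NetBIOS name and datagram services (137/138 UDP).
SMB_PORTS = (("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138))

# Device class -> (default verdict for unsolicited inbound traffic,
# ports where the opposite verdict applies). Unlisted devices fail closed.
CLASS_POLICY = {
    "laptop":  ("ACCEPT", SMB_PORTS),       # maintained OS: open except SMB
    "printer": ("DROP", (("tcp", 631),)),   # IPP reachable, everything else closed
    "nas":     ("DROP", ()),                # unmaintained firmware: deny all
    "unknown": ("DROP", ()),
}

@dataclass
class Device:
    name: str
    mac: str
    cls: str
    addrs: Tuple[str, ...]                       # global IPv6 addresses seen for this MAC
    curfew: Optional[Tuple[str, str]] = None     # ("21:00", "07:00"): no WAN access

@dataclass
class Rule:
    chain: str
    verdict: str
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    mac_src: Optional[str] = None
    window: Optional[Tuple[str, str]] = None

    def render(self, tool: str = "ip6tables") -> str:
        parts = [tool, "-A", self.chain]
        if self.dst:
            parts += ["-d", self.dst]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport:
            parts += ["--dport", str(self.dport)]
        if self.mac_src:
            parts += ["-m", "mac", "--mac-source", self.mac_src]
        if self.window:   # xt_time: stop before start spans midnight; --kerneltz = router local time
            parts += ["-m", "time", "--timestart", self.window[0],
                      "--timestop", self.window[1], "--kerneltz"]
        return " ".join(parts + ["-j", self.verdict])

def inbound_rules(dev: Device) -> list:
    """WAN->LAN rules for one device. Inbound frames carry the router's MAC,
    so the device is matched by IPv6 address; the MAC only selects its class."""
    default, exceptions = CLASS_POLICY.get(dev.cls, CLASS_POLICY["unknown"])
    opposite = "DROP" if default == "ACCEPT" else "ACCEPT"
    rules = []
    for addr in dev.addrs:
        rules += [Rule("homenet_in", opposite, dst=addr, proto=p, dport=port)
                  for p, port in exceptions]
        rules.append(Rule("homenet_in", default, dst=addr))
    return rules

def outbound_rules(dev: Device) -> list:
    """LAN->WAN rules: outbound frames carry the device's own MAC, so the
    curfew matches on it and survives SLAAC/privacy address changes."""
    return [Rule("homenet_out", "REJECT", mac_src=dev.mac, window=dev.curfew)] if dev.curfew else []

def build_ruleset(devices) -> list:
    rules = [r for d in devices for r in inbound_rules(d)]
    rules.append(Rule("homenet_in", "DROP"))           # anything not listed: closed
    return rules + [r for d in devices for r in outbound_rules(d)]

def render_script(rules) -> list:
    """Shell lines: chain setup, then rules. Curfew rules go to both families;
    inbound rules only to ip6tables, since IPv4 hosts sit behind NAT."""
    lines = []
    for tool in ("iptables", "ip6tables"):
        lines += [f"{tool} -N homenet_out",
                  f"{tool} -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
                  f"{tool} -A FORWARD -i {LAN_IF} -o {WAN_IF} -j homenet_out"]
    lines += ["ip6tables -N homenet_in", f"ip6tables -A FORWARD -i {WAN_IF} -o {LAN_IF} -j homenet_in"]
    for r in rules:
        lines += [r.render("iptables"), r.render("ip6tables")] if r.chain == "homenet_out" else [r.render()]
    return lines

def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def _in_window(now: str, window) -> bool:
    t, start, stop = _minutes(now), _minutes(window[0]), _minutes(window[1])
    return start <= t < stop if start <= stop else (t >= start or t < stop)

def verdict(rules, chain, dst=None, proto=None, dport=None, mac_src=None, now="12:00"):
    """First-match evaluation of the generated rules: the pre-load check."""
    for r in rules:
        if r.chain != chain or (r.dst and r.dst != dst) or (r.proto and r.proto != proto):
            continue
        if (r.dport and r.dport != dport) or (r.mac_src and r.mac_src.lower() != (mac_src or "").lower()):
            continue
        if r.window and not _in_window(now, r.window):
            continue
        return r.verdict
    return "ACCEPT"   # fell off the chain; FORWARD's policy (assumed ACCEPT) applies

HOME = [   # constructed inventory: MACs and addresses are documentation values
    Device("jims-laptop", "02:00:00:00:00:01", "laptop", ("2001:db8:1::a",)),
    Device("printer", "02:00:00:00:00:02", "printer", ("2001:db8:1::b",)),
    Device("nas", "02:00:00:00:00:03", "nas", ("2001:db8:1::c",)),
    Device("sons-laptop", "02:00:00:00:00:04", "laptop", ("2001:db8:1::d",), curfew=("21:00", "07:00")),
]
RULES = build_ruleset(HOME)

if __name__ == "__main__":
    print("\n".join(render_script(RULES)))
    # the CeroWrt bug from the message, checked before loading: SMB over IPv6 must be closed
    assert verdict(RULES, "homenet_in", dst="2001:db8:1::a", proto="tcp", dport=445) == "DROP"
```

Two caveats a practitioner would want. Inbound matching has to be by address, and SLAAC privacy addresses rotate, so the MAC-to-address table needs refreshing from the router's neighbour cache (or the class needs to be applied to the whole /64 per device via DHCPv6/static assignment); the MAC-keyed curfew rule has no such problem because it matches the device's own frames. And the `ESTABLISHED,RELATED` accept means a device that initiates an outbound connection still gets replies, which is the intended asymmetry: reduce unsolicited inbound surface, not break the device.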

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet