Bill Sommerfeld writes:
> On Thu, 2008-10-30 at 08:48 -0400, James Carlson wrote:
> > However, NWAM is different, because it's going to invoke DHCP on its
> > own.  The administrator never really asked.  It's likely that as NWAM
> > matures, it'll invoke many other things on its own.
> 
> That's very worrying.

I don't think it should be.  By their very nature, "ease of use" (the
bucket containing NWAM) and "security" (the one with filtering) are
often at odds.

We shouldn't be just worrying about it, but rather making sure that
what the system does is predictable and reasonable.  I think that
enabling DHCP to punch through a default set of filters is probably a
good thing; it passes those tests.  I'm less certain that it's a good
thing to punch through if the administrator was explicit in his desire
to kill the protocol itself -- I think that's the case meem was
driving at.

> The administrator who cares about security will need either: a) to
> understand what NWAM is doing or b) be able to disable it.  

They certainly can do both of those if that's what they want to spend
their time doing.  For what it's worth, the whole system is
staggeringly complex and demanding total understanding of all of it as
a matter of security might be a steep climb.

> > There's probably a fair argument to be made to punch holes in the
> > default firewall policy for explicitly configured services, but that
> > argument is much harder to make for services run by some intermediary
> > and where the firewall policies are explicit and from an administrator
> > rather than some pre-packaged "default" set.
> 
> The set of enabled-by-default services needs to be small enough that an
> administrator capable of composing a packet filtering policy can be
> expected to understand the ramifications of them being enabled by
> default.  

... it also needs to be wide enough so that automatic configuration
and use of network services can take place without requiring users to
bury their noses in admin guides.  That's sort of the whole point of
NWAM.

In any event, I wasn't arguing against a strict default.  I was
arguing against violating explicit admin-specified filtering policy
merely because some local service needing an exemption is enabled.
Explicit configuration of filters should trump services.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
