nanog mailing list archives

Re: Consumer Grade - IPV6 Enabled Router Firewalls.


From: Steven Bellovin <smb () cs columbia edu>
Date: Tue, 15 Dec 2009 00:10:58 -0500


On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote:
Owen DeLong wrote:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.

You don't need UPnP if you're not doing NAT.

wishful thinking.

you're likely to still have a stateful firewall and in the consumer space
someone is likely to want to punch holes in it.

Yes, SI will still be needed.  However, UPnP is, at its heart, a way to
allow arbitrary unauthenticated applications the power to amend your
security policy to their will.  Can you possibly explain any way in which
such a thing is at all superior to no firewall at all?

I'm a consumer, I want to buy something, take it home, turn it on and
have it work. I don't have an IT department. How the manufacturers solve
that is their problem.

As a consumer my preferences for a security posture to the extent that I
have one are:

don't hose me

don't make my life any more complicated than necessary

I would argue that a firewall that can be reconfigured by any applet a user
clicks on (whether they know it or not) is actually less useful than no
firewall because it creates the illusion in the user's mind that there is a
firewall protecting them.

Stable outgoing connections for p2p apps, messaging, gaming platforms
and foo website with JavaScript-based RPC mechanisms have similar
properties. I don't sleep soundly at night because the $49 Buffalo
router I bought off an endcap at Fry's uses iptables, I sleep soundly
because I don't care.

Precisely.  And if you want to get picky, remember that "availability" is part
of the standard definition of security.  A firewall that doesn't let me play
Chocolate-Sucking Zombie Monsters is an attack on the availability of that
game, albeit from the purest of motives.

No, I'm not saying that this is good.  I am saying that in the real world, it
*will* happen.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb