nanog mailing list archives
Re: misunderstanding scale (was: Ipv4 end, its fake.)
From: Cb B <cb.list6 () gmail com>
Date: Sun, 23 Mar 2014 12:24:35 -0700
On Sun, Mar 23, 2014 at 12:13 PM, Mark Tinka <mark.tinka () seacom mu> wrote:
On Sunday, March 23, 2014 09:05:54 PM Cb B wrote:i would say the more appropriate place for this policy is the printer, not a firewall. For example, maybe a printer should only be ULA or LLA by default. i would hate for people to think that a middle box is required, when the best place to provide security is in the host. Other layers are needed as required, but it is sad that we don't look to the host it self as a first step.I would support adding security at the host-level, especially because with a centralized firewall, internal infrastructure is usually left wide open to internal staff, with trust being the rope we all hang on to to keep things running. However, if pratical running of the Internet has taught us anything, host-based firewalling (especially in purpose- specific devices like printers, Tv sets, IP phones, IP cameras, e.t.c.) is a long way away from what you can get with a centralized firewall appliance. Do I like it? No. I run a simple packet filter (IPfw) on my MacBook - it does what I need. But we know Joe and Jane won't want things they can't click; and even though they had things they could click, they don't want to have to understand all these geeky things about their computers. Mark.
Mark, i think we are largely on the same page. I believe that "home firewalls" in the residential broadband space are likely the most insecure part of the entire internet. They are very rarely updated with software and frequently ship with terrible terrible bugs, much worse than what we have seen in Windows for the last 10 years. For example, http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140110-sbd Why try to hack all the devices in your home when the hackers can simply crack your CPE / firewall / router and own all your traffic, reset your DNS server to a malware box, ..... I am sure this community knows there are many many more problems just like this one in CPE. I don't see a lot of accountability or change in this space, yet people believe these firewalls help. My hope is that folks stop equating firewalls with security, when the first step is to secure the host, accountability is with the host, then layer other tools as needed. CB
Current thread:
- Re: misunderstanding scale (was: Ipv4 end, its fake.), (continued)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Mark Tinka (Mar 22)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) John Levine (Mar 22)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Mark Tinka (Mar 23)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Tore Anderson (Mar 23)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Mark Andrews (Mar 23)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Mark Tinka (Mar 23)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Philip Dorr (Mar 23)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Mark Tinka (Mar 23)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Cb B (Mar 23)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Mark Tinka (Mar 23)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Cb B (Mar 23)
- Re: misunderstanding scale (was: Ipv4 end, its fake.) Mark Tinka (Mar 23)
- Re: misunderstanding scale Denis Fondras (Mar 23)
- Re: misunderstanding scale Mark Tinka (Mar 23)
- Re: misunderstanding scale Karl Auer (Mar 24)
- Re: misunderstanding scale Mark Tinka (Mar 24)
- Re: misunderstanding scale William Herrin (Mar 24)
- Re: misunderstanding scale Michael Thomas (Mar 24)
- Re: misunderstanding scale William Herrin (Mar 24)
- Re: misunderstanding scale Joe Greco (Mar 24)
- Re: misunderstanding scale William Herrin (Mar 24)