RE: Last Call: 'NAT Behavioral Requirements for Unicast UDP' to BCP (draft-ietf-behave-nat-udp)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I agree that separating out the NAT and firewall functions is useful and
necessary. Even if the two functions are performed by the same box they
should be considered separately.

I don't think that the idea of zero configuration firewalls should be
dismissed. A firewall is simply a policy enforcement point, usually
located at the border where the network meets the Internetwork.


First people have the model wrong, ask not how you can protect yourself
from the Internet, ask how to protect the Internet from you.

There are huge numbers of insecure machines connected to the Internet.
And yes, even Linux machines are vulnerable. Your desktop may be patched
against the latest attacks but you probably have a machine used as a
printer/file/DNS server sitting in the corner that has not had any
maintenance for three years.

A reverse firewall with simple protection rules to protect the Internet
from a rogue server should be part of the default configuration of every
gateway device. Let people turn it off if their use model requires it.
But very very few people need to have a machine that has a use signature
that remotely resembles a DDoS bot or a spambot.

Eventually I am going to persuade one of the major ISPs to make such a
feature a requirement in the cable modems / wifi routers / dsl modems
they buy. I am pretty sure that failing to do so would constitute
negligence - certainly the Hands formula indicates a duty of care here.


In the future every NIC, router, hub and wifi access point will be a
policy enforcement point. Policy configuration on the enforcement device
is going to be impractical.

The obvious solution is to use a standards based protocol such as
SAML/XACML to encode the rules, sign them and distribute them to the
enforcement points.

There is no reason why this should not be possible in the home
environment. If we start by assuming that there is some form of
trustworthy hardware, that cannot be stomped on by malicious code it
becomes obvious that the network config can be made plug and play. The
only thing the user has to do is to decide what applications can and
cannot connect up to the network and/or Internetwork and the uses to be
made.

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]