RE: Last Call: 'NAT Behavioral Requirements for Unicast UDP' to BCP (draft-ietf-behave-nat-udp)

On Monday, May 15, 2006 12:07:09 PM -0700 "Hallam-Baker, Phillip" <pbaker@xxxxxxxxxxxx> wrote:

> I agree that separating out the NAT and firewall functions is useful and
> necessary. Even if the two functions are performed by the same box they
> should be considered separately.
>
> I don't think that the idea of zero configuration firewalls should be
> dismissed. A firewall is simply a policy enforcement point, usually
> located at the border where the network meets the Internetwork.

Sure. But a policy enforcement point must necessarily be configured; otherwise, how is it going to know what policy to enforce?


> First people have the model wrong, ask not how you can protect yourself
> from the Internet, ask how to protect the Internet from you.

No. Being a good neighbor is desirable, but does not replace protecting yourself from bad neighbors and evildoers.




> A reverse firewall with simple protection rules to protect the Internet
> from a rogue server should be part of the default configuration of every
> gateway device. Let people turn it off if their use model requires it.
> But very very few people need to have a machine that has a use signature
> that remotely resembles a DDoS bot or a spambot.

What is a "rogue server"? What distinguishes a DDoS bot from a P2P file-sharing application? What distinguishes a Windows virus from a krb524 client (hint: nothing; several network providers and common firewall configurations block outgoing UDP traffic to port 4444, with the result that getting krb4 tickets and AFS tokens doesn't work from inside such a network). Who updates the configuration on these filters as new applications and new malware appear?


> Eventually I am going to persuade one of the major ISPs to make such a
> feature a requirement in the cable modems / wifi routers / dsl modems
> they buy. I am pretty sure that failing to do so would constitute
> negligence - certainly the Hand formula indicates a duty of care here.

I should be required to have a device which limits my ability to use the network connection I've paid for to a limited set of applications chosen by my network provider? That's not only insane; it would probably be legally very stupid for my network provider; by restricting what I'm allowed to do, they take some responsibility for what I do.


> In the future every NIC, router, hub and wifi access point will be a
> policy enforcement point. Policy configuration on the enforcement device
> is going to be impractical.

I see you're among those who think users and customers should be required to enforce policy counter to their interests, and that the network should trust that they do so. One of the basic rules of distributed systems design is that service providers MUST NOT depend on clients to enforce policy for them, because anyone can make a rogue client.


> There is no reason why this should not be possible in the home
> environment. If we start by assuming that there is some form of
> trustworthy hardware, that cannot be stomped on by malicious code it
> becomes obvious that the network config can be made plug and play. The
> only thing the user has to do is to decide what applications can and
> cannot connect up to the network and/or Internetwork and the uses to be
> made.

Except that the user won't get to do that; the user's network provider will, and users who want to do anything even a little strange will just completely lose, because they're not powerful enough to force their provider to accept different terms.

But for the moment, let's assume that doesn't happen. There's still a serious usability problem.

The ideal situation is for the network to become like a true utility - always there, completely invisible to the user except when it breaks, and they almost forget they have it because it _never_ breaks. Power's not invisible if I have to go make changes at the service entrance before I can plug in a new appliance. Water's not invisible if I have to ask the water company before I can install a new faucet. And it's been decades since you could only attach a telephone approved (and owned!) by the telephone company. Why should the network require that I reconfigure some device I don't even know exists before I can run a new application?


-- Jeff

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
