On 07/01/2014 04:19 PM, Christian Huitema wrote:
>> I should have included one more aspect in the third set. That is
>> traffic disallowed by policy. Current top-of-mind in security
>> circles includes NTP attacks - someone sends a message with a
>> spoofed source address to an NTP server, which now sends something
>> to that address every mumble time units...
>
> Presumably, your firewall could have some kind of source address
> verification that takes care of such spoofing.
>
> As for "diode firewalls," they can be bypassed trivially using ICE,
> STUN, etc.

Does that really count as "the firewall being bypassed"? -- If it requires collaboration from the inside, I wouldn't count that as "bypassing".

A simple diode firewall essentially prevents e.g. trivial address-scanning from the outside. And in the light of IoT, where you might have devices with buggy code (including "default passwords that were never changed") that maybe never get patched/updated, even such a simple policy is probably useful.

Cheers,
--
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
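The two controls discussed in this exchange, a "diode" firewall that only admits replies to flows opened from the inside and source-address verification against spoofed packets, can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from either correspondent or from any firewall product. The prefixes (documentation ranges), the packet class and the scenarios are constructed assumptions. It also shows why the ICE/STUN point is consistent with Gont's reply: the only thing that opens a pinhole in the state table is an outbound packet from the inside, so an unsolicited scan from outside is dropped unless something inside cooperates.

```python
"""Toy model of a diode (outbound-initiated-only) stateful filter with
source-address verification on both directions.  Added example; all
addresses and packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the protected LAN uses this documentation prefix.
INSIDE_NET = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "udp"
    direction: str = "in"   # "in" = arrives on the outside interface, "out" = leaves the LAN


class DiodeFirewall:
    def __init__(self, inside_net):
        self.inside = inside_net
        self.state = set()   # flows opened from inside: (proto, src, sport, dst, dport)
        self.log = []        # (reason, src, dst, dport) for every dropped packet

    def filter(self, pkt):
        src = ip_address(pkt.src)
        if pkt.direction == "out":
            # Egress source-address verification (BCP38 style): a packet leaving
            # the LAN must carry a LAN address.  This is the check that stops a
            # compromised inside host from feeding a reflector with forged sources.
            if src not in self.inside:
                return self._drop(pkt, "egress-spoof")
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound on the outside interface.
        if src in self.inside:
            # Our own prefix can never legitimately arrive from outside.
            return self._drop(pkt, "ingress-spoof")
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            return "allow"   # reply to a flow the inside opened (the "diode" rule)
        return self._drop(pkt, "unsolicited")

    def _drop(self, pkt, reason):
        self.log.append((reason, pkt.src, pkt.dst, pkt.dport))
        return "drop"


def run_scenarios():
    """Constructed traffic exercising each rule; returns (verdicts, drop log)."""
    fw = DiodeFirewall(INSIDE_NET)
    results = {}
    # 1. An inside host queries an NTP server; the reply matches the state entry.
    results["ntp_query"] = fw.filter(Packet("192.0.2.10", "198.51.100.5", 40000, 123, direction="out"))
    results["ntp_reply"] = fw.filter(Packet("198.51.100.5", "192.0.2.10", 123, 40000))
    # 2. An outside host probes the telnet port of an unpatched device: no state, dropped.
    results["scan"] = fw.filter(Packet("203.0.113.7", "192.0.2.50", 5555, 23, proto="tcp"))
    # 3. An outbound packet with a non-LAN source address: egress verification drops it.
    results["egress_spoof"] = fw.filter(Packet("203.0.113.9", "198.51.100.5", 123, 123, direction="out"))
    # 4. An inbound packet claiming a LAN source address: ingress verification drops it.
    results["ingress_spoof"] = fw.filter(Packet("192.0.2.20", "192.0.2.50", 1, 1))
    return results, fw.log


if __name__ == "__main__":
    verdicts, dropped = run_scenarios()
    for name, verdict in verdicts.items():
        print(f"{name:14s} {verdict}")
    for entry in dropped:
        print("dropped:", entry)
```

The state table here is a bare set keyed on the 5-tuple with no timeout; a real implementation ages entries out, and for UDP that timeout is exactly the window a STUN-style hole punch keeps open by sending periodic keepalives from inside.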