See comments inline:

On Jul 3, 2014, at 9:54 AM, Fernando Gont <fernando@xxxxxxxxxxx> wrote:

> On 07/03/2014 11:20 AM, Phillip Hallam-Baker wrote:
>> Yes firewalls do suck, but one of the reasons they suck a lot worse than

This can also be considered the other way around as well.

> [...]
>> Outbound traffic is relatively easy to deal with. All the firewall needs

Such restrictions do little to prevent data exfiltration. Even DNS can be used and is fairly difficult to block.

> [....]
> Note that this is moving beyond firewalls. Firewalls are a weak security

Agreed, but not all devices permit such a strategy. Take a fairly common all-in-one fax/scanner/printer/media-reader as an example. It seems protecting network perimeters will become more difficult, although IPv6 technology is able to greatly improve upon this situation. The following draft attempts to highlight some of the issues created by overly simplistic approaches. One desire is to automatically place mDNS resources into a homenet automated DNS, permitting globally routable sessions to be exchanged within a local network while at the same time expecting use of multiple prefixes.

Who would want to receive a bill for international faxes sent night after night? Or have their Internet-ready TV with video conferencing spy on them? Some of these devices will not receive timely updates, if ever. Even obtaining source code may require owners to cover costs while still not repairing vulnerabilities. In too many cases, establishing a solid perimeter remains essential and is likely to remain the case for many years into the future.

Regards,
Douglas Otis