Re: Using dynamic IP lists to block forwarding

On 01/09/2018 01:40 PM, Neal P. Murphy wrote:
I would say lack of awareness is the main reason they resist. The same lack of awareness and the dearth of easy-to-admin firewalls is the main reason there are still so many botnets, so much malware, and so many miscreants around the internet. Another reason is that far too many people believe that end-to-end encryption will solve most of the problems of the internet; but they are wrong. TLS-everywhere has one major drawback; it prevents owners of private internets (like you and me) from detecting and blocking malware and miscreants from crossing our perimeter firewalls. The correct solution is host-to-gateway, gateway-to-gateway, and gateway-to-host encryption; OE would allow owners and operators of private networks to prevent malware and miscreants from entering--and leaving--their networks.

It would be good to have that for certain metadata but not for content. It's clearly wrong for the gateway at some hotel where I'm checking my email to have access to the plaintext of the email. And it's not as if the gateway can do any magic content-based malware detection that couldn't be done on the endpoints.

But it would be useful for the gateway to at least know what services are being used. You know there shouldn't be any CIFS or NFS traffic across the public internet.

Sadly the people using outgoing default deny have screwed us all. All it takes is for a large enough minority to block everything but TLS/443 for everyone to respond by using TLS/443 for everything, and then you can't distinguish any of it. Which leaves everyone worse off than having outgoing default allow with specific exceptions for services known to be problematic.

   - DROP all internet-side traffic to and from private addresses unless you know that there are some
     private LANs between you and the actual internet.

A good way to do this is to add "unreachable" routes for all the private address ranges using the worst possible metric, and enable reverse path filtering. Then private addresses don't go to the default route (internet) but if a private network is directly connected or has a specific route it still works.
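The last paragraph of the reply describes null-routing the private ranges with the worst possible metric and turning on reverse path filtering. The script below is an added example written for this archive page, not code posted in the thread; it assumes a Linux host with iproute2 and sysctl, and it only applies the routes when run as root (otherwise it prints the commands). The RFC 1918 ranges are the ones the reply means; adding 169.254.0.0/16 and 100.64.0.0/10 to the list is my extension. The `is_private_dst` helper is a pure-sh prefix check so you can confirm which destinations the unreachable routes would catch before touching the routing table.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): null-route private ranges with
# the worst metric and enable strict reverse-path filtering.
# Assumes Linux, iproute2 and sysctl; run as root to apply, otherwise prints.

# RFC 1918 ranges plus link-local and the CGNAT shared range (the last two are
# my addition to the reply's "private address ranges").
PRIVATE_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 100.64.0.0/10"

# Largest value iproute2 accepts for a metric (u32 maximum). Any real route to
# the same prefix, e.g. one pushed by a VPN, is preferred over this one; a more
# specific prefix (a directly connected /24) wins regardless of metric, and the
# /8, /12 and /16 here are more specific than the default route, so the default
# route never sees private destinations.
WORST_METRIC=4294967295

# Emit the commands; "replace" keeps the script idempotent.
bogon_route_cmds() {
    for net in $PRIVATE_RANGES; do
        echo "ip route replace unreachable $net metric $WORST_METRIC"
    done
    # Strict mode: a packet is dropped unless the best route back to its source
    # leaves via the interface it arrived on. Combined with the unreachable
    # routes, anything arriving from the internet with a private source is
    # dropped. The kernel uses the larger of "all" and the per-interface value.
    echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
    echo "sysctl -w net.ipv4.conf.default.rp_filter=1"
}

# Number of route commands generated (a quick sanity check).
bogon_route_count() {
    bogon_route_cmds | grep -c '^ip route'
}

# Apply when root, otherwise just show what would run.
apply_bogon_routes() {
    if [ "$(id -u)" -eq 0 ]; then
        bogon_route_cmds | sh -e
    else
        bogon_route_cmds
    fi
}

# Dotted-quad IPv4 address to a 32-bit integer (POSIX sh arithmetic).
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if address $1 lies inside prefix $2 (e.g. 10.0.0.0/8).
matches_range() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# True if $1 would hit one of the unreachable routes above, absent a more
# specific route (a directly connected or statically routed private LAN).
is_private_dst() {
    for net in $PRIVATE_RANGES; do
        matches_range "$1" "$net" && return 0
    done
    return 1
}

# After applying as root, "ip route get 10.1.2.3" should report "unreachable"
# unless a more specific route exists for that network.
case "${1:-}" in
    apply) apply_bogon_routes ;;
    show)  bogon_route_cmds ;;
    check) is_private_dst "$2" && echo "$2: private, would be unreachable" \
           || echo "$2: not in a listed private range" ;;
esac
```

Usage: `sh bogon_routes.sh show` prints the commands, `sh bogon_routes.sh check 192.168.1.10` tests a destination, and `sudo sh bogon_routes.sh apply` installs the routes and sysctls. If your upstream hands you a private or CGNAT address, that link is directly connected and therefore more specific than the unreachable route, which is exactly the exception the reply describes; only private networks further than one hop upstream need an explicit route.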


