The Apple marketing department had some external input -

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1338




On 3/13/12 3:25 PM, "Fred Baker" <f...@cisco.com> wrote:

>On Mar 12, 2012, at 2:44 AM, Roger Jørgensen wrote:
>> About security for end-users, why should it be deny by default? It
>>doesn't really raise the security level by much, since viruses/trojans get in
>>through user-initiated action, and out again just as easily in the
>>background.
>
>From my perspective, there is a question of what is being defended and of
>defense in depth, and a question of market requirement.
>
>I agree that a firewall of any kind doesn't defend the host, since the
>vast majority of attacks come from behind the firewall. What a firewall
>defends is primarily the bandwidth within the defended domain - which
>would be best done if the firewall was at the ISP (before the typical
>bottleneck link).
>
>However, it does prevent certain kinds of messages from getting to a host
>that don't have a reason to get there. The net effect is to make the
>attack surface of the host smaller from the perspective of attacks from
>the outside - the attack has to thread two needles, not just one.
>
>The general argument against "default deny" is that it prevents
>legitimate traffic from reaching the host. I'll argue that this is
>exactly the right model for traffic that the host has no application to
>process - traffic that looks legitimate but isn't because of the set of
>applications running on the host. Take, for example, a host that is
>prepared to operate as an http client but not a server; a packet directed
>to an http server on it is going to be refused by the host, and could be
>refused anywhere in the path. The problem with something that is
>literally "default deny" is that it needs a way to identify and apply
>rules like "sending smtp to smtp.example.com is reasonable". I'll argue
>that protocols like PCP are reasonable ways to do that; "default deny"
>plus PCP does *not* prevent legitimate traffic from getting to the host,
>but it does prevent unwanted traffic from arriving at the host.
>
>You'll ask why I care. I care for two reasons.
>
>First is a personal experience. At my home, I have a standing load of
>about 25 (plus or minus) packets per second that are discarded by the
>firewall. I don't know what they are, and I don't honestly care. They
>don't have my permission to be in my network, and I have to assume that
>if they were to get into it, the hosts in my network would have to deal
>with them.
>
>Second and more importantly, this came up when James Woodyatt was building
>the Airport Express IPv6 capability for Apple, and is the reason that he
>wrote what is now RFC 6092. He released a product that provided an IPv6
>CPE router, and his marketing department came back and told him that a
>firewall capability was a market requirement for such a product - "if you
>don't build it, we can't sell it." Now, you can argue that it *shouldn't*
>be a market requirement; I'll let you tilt at that windmill if you like.
>Cisco is building IPv6 firewalls as well, and various other folks are.
>The reason is not that we want to run out and sell folks on the idea.
>It's that people tell us that they won't buy our networks without them.
>_______________________________________________
>homenet mailing list
>homenet@ietf.org
>https://www.ietf.org/mailman/listinfo/homenet

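The "default deny plus PCP" model Fred describes, as an added example that is not part of the thread and not any vendor's or RFC 6092's actual rule set: a toy CPE filter that allows outbound flows and their return traffic, drops unsolicited inbound packets (the "two needles" an attacker must thread), and admits inbound traffic to a port only after an inside host has asked for a pinhole, which stands in for a PCP MAP request. The addresses are constructed from the 2001:db8::/32 documentation prefix; the `open_pinhole` method and the `Packet` model are assumptions of this example, not real PCP or any firewall's API.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    # Constructed packet model for the example; only the fields a
    # stateful filter needs, no real IPv6 header parsing.
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet arrives on the ISP-facing side


class DefaultDenyFilter:
    """Toy model of a CPE 'simple security' filter: deny unsolicited inbound
    by default, allow replies to outbound flows, honour explicit pinholes.
    Not a real implementation of RFC 6092 or of PCP (assumption)."""

    def __init__(self, inside_prefix: str) -> None:
        self.inside = ipaddress.ip_network(inside_prefix)
        # 5-tuples of outbound flows we have seen, keyed for reply matching
        self.flows: Set[Tuple[str, str, int, str, int]] = set()
        # (proto, inside address, port) opened at an inside host's request
        self.pinholes: Set[Tuple[str, str, int]] = set()
        self.dropped = 0  # the "standing load" of discarded inbound packets

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def open_pinhole(self, proto: str, inside_addr: str, port: int) -> None:
        """What a PCP MAP request from an inside host would achieve
        (modelled here as a direct call; real PCP is a UDP protocol)."""
        if not self._is_inside(inside_addr):
            raise ValueError("pinholes may only be opened for inside hosts")
        self.pinholes.add((proto, inside_addr, port))

    def decide(self, pkt: Packet) -> str:
        if not pkt.inbound:
            # Anti-spoofing: outbound traffic must carry our own prefix.
            if not self._is_inside(pkt.src):
                return "DROP"
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound: first needle, is it the reply to a flow an inside host opened?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW"
        # Second chance: did the inside host explicitly ask for this port?
        if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
            return "ALLOW"
        # Default deny: the host has no application that wants this.
        self.dropped += 1
        return "DROP"


def demo() -> Dict[str, object]:
    """Fred's scenario: an inside host that is an HTTP client but not a server,
    later deciding to accept SMTP. Addresses are constructed documentation ones."""
    fw = DefaultDenyFilter("2001:db8:1::/64")
    host = "2001:db8:1::10"
    web = "2001:db8:ffff::80"
    mx = "2001:db8:ffff::25"
    r: Dict[str, object] = {}
    # Outbound HTTP request and its reply both pass.
    r["client_out"] = fw.decide(Packet("tcp", host, 50000, web, 80, inbound=False))
    r["client_reply"] = fw.decide(Packet("tcp", web, 80, host, 50000, inbound=True))
    # Unsolicited inbound to port 80 on a client-only host is dropped at the CPE.
    r["unsolicited_http"] = fw.decide(Packet("tcp", "2001:db8:bad::1", 4444, host, 80, inbound=True))
    # Inbound SMTP is dropped until the host asks for a pinhole, then admitted.
    r["smtp_before_pinhole"] = fw.decide(Packet("tcp", mx, 40000, host, 25, inbound=True))
    fw.open_pinhole("tcp", host, 25)
    r["smtp_after_pinhole"] = fw.decide(Packet("tcp", mx, 40000, host, 25, inbound=True))
    r["drops"] = fw.dropped
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The flow table is what makes "default deny" compatible with a client-only host: legitimate traffic the host initiated still gets back in, while the two unsolicited packets show up only as the drop counter, which is the traffic Fred describes seeing discarded at his own firewall.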