On Mar 14, 2012, at 3/14 1:11 AM, Cameron Byrne wrote:

> On Tue, Mar 13, 2012 at 8:29 PM, Ashok Narayanan <ash...@cisco.com> wrote:
>> 
>> On Mar 13, 2012, at 3/13 9:16 PM, Cameron Byrne wrote:
>> 
>> 
>>> That's reality, and much as I love the e2e principle I think the ordinary
>>> citizen is better off behind default-deny.
>>> 
>> 
>> I am not trying to be dense, but why?
>> 
>> What is the negative scenario of not having a homenet firewall on? Using
>> real examples from the last 5 years .... I would like to know how a cpe
>> firewall protects against real threats to modern software.
>> 
>> It seems hard to predict a priori what a "real threat" is going to be. And
>> it seems unlikely that "modern software" is all that will be found in
>> average homes. For example, will the Android version on the refrigerator
>> display be updated?
>> 
> 
> Agreed about a priori.  BUT! what else do we have to go on?  I am
> asking for a baseline to justify why a CPE firewall is required.  In
> fact, i have asked for it multiple times on this thread, and all i get
> back is anecdotal hand waving, not technical reasons.
> 
> Putting the E back in IETF, let's see some data about why this
> function  of the system must exist.
> 
> My cursory research says you are not going to be able to present a
> convincing amount of data to support the fact that a stateful
> inspection firewall should be applied in a contemporary home
> environment.  I believe the spirit of Homenet is moving the internet
> forward without being beholden to the Morris worm and X.25

So as a thought experiment, does your hypothesis hold for any sort of 
{firewall|NAT|blocking-device}? In other words, are you unconvinced that any 
sort of centralized connection-management/protection device at the home edge is 
not required? Or are you specifically unhappy about a SPI firewall?

> 
> You mention Android running on the refrigerator, as if i am supposed
> to be concerned about that?  Can you cite an example of an Android
> security flaw that a CPE firewall  would have ever prevented?  My
> guess is no, android does not listen on any ports (default
> non-root)... thus no inbound connections... thus... stateful firewall
> does not have a technical justification for obstructing e2e flows.

Doesn't that translate to "I haven't seen any security flaws in Software X so 
far, so it is inconceivable that it would ever occur"? This is proof by example.

> 
> If you want to talk about rooted devices running BIND 4.0, well...
> that person that is wise enough to manually do that is likely wise
> enough to allow the relevant firewall rules or PCP interactions to
> allow the bad guys in as well.

No, I don't agree. The customer may well not even know that a device in his 
home is running old/compromised software.

This is a classic separation-of-costs problem. The product developer has to 
weigh off security of his firmware (audits, continuous updates, etc) against 
development cost. The thing that is most visible to the consumer is cost, with 
security being a nebulous "nice-to-have". Hence, the product developer is 
incentivized to cut costs by not doing the things he needs. This is not 
universal, but common enough.


> 
>> 
>>> Personally I haven't run without an on-board firewall since I got my
>>> first wireless card (late 1999?). But we can't assume that applies to
>>> every home device.
>>> 
>> 
>> Most PC software has shipped with a firewall on for the last ~10 years
>> 
>> And these have to be then managed, and the triggers for "should this flow be
>> allowed" will then transition to the PC as opposed to the CPE. Did the
>> system become any simpler, really?
>> 
> 
> I think there is some 3rd party off the shelf software that does these
> pop-ups.... but the PCs i run with native firewalls have never popped
> up to me like that.  But, i agree... pop ups are not helpful.
> 
> As an end user, i can proudly say i have a host based firewalls, but i
> have not once ever administered one (except sometimes i turn off the
> FW so i can ping my PC)

Again, proof by example. Can you make the same statement about not-as-clueful 
family members? I for one get phone calls from my mom (in Washington DC) every 
time her Norton firewall pops up a window. 

But that's not the point, really, since the issue of permissions exists for 
firewalls anywhere. The protection role of a NAT/firewall is not so much to 
protect home computers (since they are capable of protecting themselves). It's 
to protect non-computer networked devices. 


> 
>> But the real issue to my mind is _non-PC_ software; the firmware on some
>> power-line bridge written for the cheapest dollar by pulling together some
>> version of Linux because the device had to sell for $25. Not only do all
>> these devices now need firewalls (unlikely), they now need an easy way to
>> manage these firewalls (next to impossible).
>> 
> 
> power-line bridge?
> 
> Once again, please paint for me a realistic scenario of how a CPE
> firewall will protect this device?

By blocking connections to a management port left open by a careless coder that 
might allow a remote exploit to install DDoS software on it?

It doesn't solve all problems, but removes at least one attack surface.

> 
> My first statement is that this device should not have a globally
> routable address, and therefore is not exposed to the internet, and
> does not need the CPE to filter for it.  This is a good case for ULA
> in IPv6.

Sure, and that would be a nice solution to this problem at least in my mind - 
simple and mostly effective. But there are other discussions on these lists 
that specifically talk about _not_ doing this, as a way to get around issues 
seen with NAT today.

> 
> Second, crappy software should not be tolerated or compensated for in
> Homenet.  Setting the precedent that flawed software is acceptable is
> a slippery slope to somewhere bad.  If it takes making application and
> host security requirements for endpoint, so be it.  Passing the buck
> to the CPE/Firewall to give the illusion of security is not the right
> path.  Tolerating broken software is also not the right path.

A worthy goal, but kinda like saying "airbags give an illusion of security. 
Speeding should not be tolerated". IOW, not gonna happen.

> 
> Homenet is a unique opportunity to restore end to end ... or as some
> would say... the internet model.. Smart end points, dumb network.
> 
> If we need a smart network, then let's make a real solid fact based
> exploration of threats and then we can select the appropriate
> compensating security controls.
> 
> CB
> 
>> -Ashok
>> 
>> Cb
>>>   Brian
>>> _______________________________________________
>>> homenet mailing list
>>> homenet@ietf.org
>>> https://www.ietf.org/mailman/listinfo/homenet
>> 

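As an added illustration (not code from this thread or from any homenet draft), the following Python models the two controls argued over above: a stateful default-deny forward policy at the CPE, which admits LAN-initiated flows and their replies but drops unsolicited inbound traffic such as a connection to a forgotten management port, and a ULA address, which the ISP never routes in the first place. The prefixes, addresses and the management port 4242 are constructed for the example.

```python
"""Toy model of a stateful default-deny CPE filter plus a ULA reachability check.

Added example; the LAN prefix, host addresses and management port below are
constructed, not taken from the thread.
"""
import ipaddress
from dataclasses import dataclass

LAN_PREFIX = ipaddress.ip_network("2001:db8:1::/64")  # constructed GUA prefix
ULA = ipaddress.ip_network("fc00::/7")                # IPv6 unique local addresses


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulCpeFilter:
    """Default-deny for WAN->LAN; LAN->WAN is allowed and recorded so replies pass."""

    def __init__(self):
        # Each entry is (lan_addr, lan_port, wan_addr, wan_port, proto)
        self.flows = set()

    @staticmethod
    def _is_lan(addr):
        return ipaddress.ip_address(addr) in LAN_PREFIX

    def handle(self, pkt):
        if self._is_lan(pkt.src) and not self._is_lan(pkt.dst):
            # Outbound: remember the 5-tuple so the reply direction is admitted
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "FORWARD"
        if not self._is_lan(pkt.src) and self._is_lan(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if key in self.flows:
                return "FORWARD"  # reply to a flow the LAN host started
            return "DROP"         # unsolicited inbound, e.g. to an open mgmt port
        return "DROP"             # neither side is ours; not forwarded


def reachable_from_internet(addr):
    """A ULA is not routed on the public internet, so it is unreachable
    regardless of what the CPE filter does. Everything else is assumed routable."""
    return ipaddress.ip_address(addr) not in ULA


def run_scenario():
    """Three constructed packets: an outbound request, its reply, and an
    unsolicited probe of a management port on the same device."""
    fw = StatefulCpeFilter()
    fridge = "2001:db8:1::f00d"       # constructed LAN appliance
    server = "2001:db8:ffff::53"      # constructed vendor update server
    probe_src = "2001:db8:bad::1"     # constructed external source
    mgmt_port = 4242                  # constructed "forgotten" management port
    packets = [
        Packet(fridge, 51000, server, 443),        # appliance phones home
        Packet(server, 443, fridge, 51000),        # reply to that flow
        Packet(probe_src, 40000, fridge, mgmt_port),  # unsolicited inbound
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
    print("ULA device reachable:", reachable_from_internet("fd00:1::1"))
```

The point the model makes is the one in dispute: the stateful policy does not obstruct flows the appliance itself initiates, it only refuses connections nobody inside asked for, while the ULA case needs no filter at all because the packet never arrives.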