On 11/22/2016 06:54 PM, Lorenzo Colitti wrote:
> On Tue, Nov 22, 2016 at 5:34 PM, james woodyatt <[email protected]> wrote:
>
>> > The recent IoT DDoS publicity is a good example; the devices that are the Mirai botnet are devices that had/have open ports facing the internet.
>>
>> Not quite, c.f. <https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/>
>> The vast majority of those devices were protected from receiving inbound flows over public Internet routes by the stateful filters of IPv4/NAT gateways.
>
> ... and this knowledge is not new. The conficker paper <https://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf> from 2009 found that "144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or firewall". We should know this by now: stateful firewalls do not protect against malware.
>
>> It's not about reducing attack surfaces. It's about making systems that are safe for deployment in close proximity to humans.
>
> +1
I'm glad I'm not the only one who is somewhat dubious of the importance of the All Mighty Maginot^H^H^H^H^H^HFirewall in this day and age. Trivial mobility (e.g., phones, etc.), for one, really launches big old rocks at a firewall's assumption of We and They.
Is there some set of standards/BCPs that describe how, say, a light bulb controller can create a completely private network for the light bulbs that is specifically not routed to the Internet, where the light bulb controller acts as an ALG to those bulbs? That seems more of what I want than where each individual light bulb has to hope that some firewall protects it from the mean old internets.
Mike
_______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
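The controller-as-ALG model Mike asks about, sketched as an added example. This is not code from the homenet thread, from any standard or BCP, or from any real product: the bulb prefix (an IPv6 ULA, fd00:1:2::/64), the bulb inventory, the JSON request shape on the LAN side and the one-line "SET <level>" wire format on the bulb side are all constructed for illustration. Keeping the bulbs off any routed path is a network-configuration matter this snippet cannot show; what it does show is the part that makes the firewall irrelevant to the bulbs: clients never address a bulb directly, the controller parses and allowlist-validates every request, and only a freshly built message on the controller's own protocol ever reaches the private network.

```python
"""Minimal application-layer gateway (ALG) for a light-bulb controller.

Added example, not from the homenet thread or any product. Assumptions:
- Bulbs sit on a constructed, non-routed ULA prefix (fd00:1:2::/64); the
  controller is the only host with an interface on both that network and the LAN.
- LAN clients speak a constructed JSON request; bulbs speak a constructed
  ASCII "SET <level>\n" command. Neither is a standard.
"""
import ipaddress
import json
from typing import Callable, Dict, Tuple

BULB_PREFIX = ipaddress.ip_network("fd00:1:2::/64")  # constructed ULA, never routed
BULBS: Dict[str, ipaddress.IPv6Address] = {         # constructed inventory: name -> address
    "kitchen": ipaddress.IPv6Address("fd00:1:2::10"),
    "hall": ipaddress.IPv6Address("fd00:1:2::11"),
}
ALLOWED_ACTIONS = {"on", "off", "dim"}
MAX_REQUEST = 256  # bytes; anything larger is dropped before parsing


class AlgError(ValueError):
    """Raised for any request the gateway refuses to forward."""


def parse_request(raw: bytes) -> dict:
    """Parse and allowlist-validate a LAN-side JSON request.

    Clients name bulbs by friendly name, never by address, so a client cannot
    steer traffic to an arbitrary host on the private prefix.
    """
    if len(raw) > MAX_REQUEST:
        raise AlgError("request too large")
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise AlgError(f"malformed request: {exc}")
    if not isinstance(req, dict) or set(req) - {"bulb", "action", "level"}:
        raise AlgError("unexpected fields")
    bulb, action = req.get("bulb"), req.get("action")
    if bulb not in BULBS:
        raise AlgError("unknown bulb")
    if action not in ALLOWED_ACTIONS:
        raise AlgError("action not allowed")
    if action == "dim":
        level = req.get("level")
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(level, bool) or not isinstance(level, int) or not 0 <= level <= 100:
            raise AlgError("level out of range")
    else:
        if "level" in req:
            raise AlgError("level only valid with dim")
        level = 100 if action == "on" else 0
    return {"bulb": bulb, "action": action, "level": level}


def build_bulb_message(req: dict) -> Tuple[ipaddress.IPv6Address, bytes]:
    """Translate a validated request into the bulb-side wire format.

    The message is built from scratch; no client bytes are copied through.
    """
    target = BULBS[req["bulb"]]
    if target not in BULB_PREFIX:  # defence in depth: never forward off the private prefix
        raise AlgError("bulb address outside private prefix")
    return target, f"SET {req['level']}\n".encode("ascii")


def handle(raw: bytes, send: Callable[[ipaddress.IPv6Address, bytes], None]) -> bool:
    """Gateway one request: validate, translate, forward. Returns True if forwarded."""
    try:
        target, msg = build_bulb_message(parse_request(raw))
    except AlgError:
        return False  # dropped; the bulb never sees the raw client bytes
    send(target, msg)
    return True


if __name__ == "__main__":
    # Constructed sample traffic: two legitimate requests and three that must be dropped.
    sent = []
    samples = [
        b'{"bulb": "kitchen", "action": "on"}',
        b'{"bulb": "hall", "action": "dim", "level": 40}',
        b'{"bulb": "fd00:1:2::10", "action": "on"}',   # addressing by IP is refused
        b'{"bulb": "hall", "action": "dim", "level": true}',
        b'GET /cgi-bin/admin HTTP/1.1\r\n',            # not even our protocol
    ]
    for s in samples:
        print(handle(s, lambda t, m: sent.append((t, m))), s)
    print(sent)
```

The design point is that the bulbs need no exposure policy of their own: the only thing that can reach them is a message the controller composed after validation, so a hostile LAN client, or a compromised device elsewhere in the home, gets no path to the bulb's own listener.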
