Re: simple security
On 3/24/10 3:36 PM, Mohacsi Janos wrote:
At least according to Google's stats, the majority of users they see are
from Free Telecom, none of which are behind a firewall.
On Wed, 24 Mar 2010, Mark Townsley wrote:
On 3/23/10 3:02 PM, Lee Howard wrote:
The simple-security draft represents the best practice we know of
for securing home networks.
It's not a best-practice, it's a best-guess.
Simple-security is not being practiced at all on the vast
majority of IPv6 residential connections today.
My experience is different. The IPv6-capable CPEs mostly support
some form of firewalling. The dumb ones (only with 6to4) do not.
Firewalls drop packets that legitimate applications would otherwise
expect to be sent. They also try to drop packets from hackers. You can't
expect them to always get it right.
Advanced users know how to manually poke holes in firewalls, have the
right version of UPnP or NAT-PMP running, etc. Non-advanced users do
not. It's the non-advanced users that need protocols to "just work".
Firewalls make networking more frustrating, particularly for the
Non-firewalling might cause even more frustration. You might remember
the case of pre-SP2 Windows XP: you could not update Win XP without a firewall,
since by the time you started to download the SP or patches your operating
system was already compromised... You might expect something similar
in the future over IPv6 also. There is a need for firewalling! The
location of the firewall is a different story.
So, by definition there is a tradeoff here. As is the case for pretty
much every security measure in the world. Boarding a plane with or
without the shoe inspection, etc.
Sure, you could say that not being blown up is a feature in usability so
we should thank the TSP for making our traveling in the airport so much
Turn one on for those or don't put them on the global IPv6 Internet.
But, don't turn it on for every device in the world in the process.
That's what I have been saying.
Yes, I know there are still OSes that will be compromised in a matter
of seconds on the open Internet. These, however, do not run IPv6.
With IPv6, we are really talking about Vista, Win 7, linux, and
macosx. All ship with IPv6 firewalls (except linux I suppose), and
far more secure IP stacks vs. that of ten years ago. All have tethers
back home for updates, in the event that a new exploit is found.
These firewalls are far more adaptive and secure than the "IPv6
I don't want any of these new IPv6-enabled OSes to think for a moment
that they can let their guard down just because they are plugged into
a firewalled residential gateway "most of the time".
I think differently. I wrote it in one of my previous e-mails. Think about
IPv6-capable, but somehow limited or crap devices:
- no longer supported but known to be vulnerable devices, servers
- devices without access control
You need firewalling in these cases at the CPE or with a dedicated firewall.
Your NAS should run link-local or ULA if you don't want it to reach the
outside world. If it needs a UGA for fetching its own updates, it
shouldn't allow any incoming connections on it. If you are an expert
user and want to set up access to your NAS from the internet, you had
better be sure it can handle being on the Internet because you'll be
doing that anyway if you open a pinhole to it from your firewall.
"simple-security" is "simple-minded". It is based on a security-model
that is rapidly becoming obsolete, and comes at the cost of
complexity in both the RG, the host, and the applications that have
to try and work despite all the various rules for having their
As simple-minded as the current CPE. The residential gateway users are
familiar with the current IPv4 NAT behaviour. What they usually
expect is something similar for IPv6:
1. longer IP address? - understandable, but I don't care.
2. No NAT? - ok I get reasonable amount of subnet from my provider -
If CPE copes with it, I don't mind.
3. No firewall? - what the hell? What will protect my
extra-precious-hacked NAS? - They will sell a separate firewall for
me? - No thanks!
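As an added illustration of the model the two sides are arguing about (this is not code from the thread or from the simple-security draft): a toy stateful residential gateway that forwards replies to flows the inside host opened, drops unsolicited inbound traffic unless the user has poked a pinhole, and treats link-local or ULA hosts such as the NAS described above as unreachable from outside. Addresses in the comments and tests are constructed from the 2001:db8::/32 documentation prefix; ports are ignored to keep the model short.

```python
import ipaddress
from dataclasses import dataclass, field

# Address scopes the post refers to: link-local and ULA are not reachable from the
# outside world; anything else is treated here as a global (UGA) address.
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")


def scope(addr: str) -> str:
    """Return 'link-local', 'ula' or 'global' for an IPv6 address string."""
    a = ipaddress.ip_address(addr)
    if a.version != 6:
        raise ValueError("IPv6 address expected")
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    return "global"


@dataclass
class SimpleSecurityCpe:
    """Hypothetical model of a simple-security style CPE (not the draft's own rules).

    Outbound traffic creates state; unsolicited inbound traffic is dropped unless
    the user has opened a pinhole for that inside host. Flows are tracked per
    (inside, outside) address pair only.
    """
    pinholes: set = field(default_factory=set)  # inside addresses exposed on purpose
    state: set = field(default_factory=set)     # (inside, outside) pairs opened from inside

    def outbound(self, inside: str, outside: str) -> str:
        """Inside host initiates a flow, e.g. the NAS fetching its own updates."""
        self.state.add((inside, outside))
        return "forward"

    def inbound(self, outside: str, inside: str) -> str:
        """Decide what happens to a packet arriving from the Internet."""
        if scope(inside) != "global":
            return "drop"        # link-local / ULA: never routable from outside anyway
        if (inside, outside) in self.state:
            return "forward"     # reply to a flow the inside host opened
        if inside in self.pinholes:
            return "forward"     # expert user poked a hole for this host
        return "drop"            # the simple-security default for unsolicited traffic
```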