|
The simple-security draft represents the best practice we know of
for securing home networks. It describes the behavior that should be the
default for all home networking gateways. Advanced users who know what
they're getting into can change those default rules. Some people argued that a stateful firewall is no longer needed
because attackers no longer use vectors that a firewall protects against.
This sounds like circular reasoning to me, as if you no longer need a roof
because rain hasn't fallen on your head for years. It was also argued that attacks of this kind simply don't exist in
IPv6. That sounds like the argument that faults in the space
shuttle o-ring haven't caused explosions before, so it's safe. I'll also
point out that OSes with smaller market share have fewer exploits written for
them because they are a smaller target; as IPv6 exceeds 50%, there will be more
attacks. I disagreed at the mike with the argument that ISPs should be
doing this kind of filtering themselves. I'd like to understand that
argument better. If ISPs should be providing stateful firewall service,
then doesn't that support the need for a draft documenting what ISPs should do?
Yes, hosts should provide better security for themselves. In
some regions, users install three or four security packages on their computers,
but even their almost 50% of machines are infected. Blocking the easiest
paths to exploits using perimeter security is current best practice, and should
be documented as such. Lee |