Lee,

I agree. To amplify on your position, I offer the following. Many jurisdictions have draconian statutes defining illicit Internet activity, e.g., child pornography, and associated stringent penalties, e.g., lengthy incarceration. If there is a perception that the use of IPv6 unique globally routable unicast addresses (UGA) increases a consumer’s risk of inadvertently violating one of the statutes because of a compromise of their home systems or network, adoption of IPv6 by consumers will be minimal.

In addition, applying simple security controls such as least functionality is both sound and responsible. Specifically, if home networks are not supporting servers, e.g., web sites, then there is no need to allow sessions associated with servers to be initiated by Internet hosts.

Best Regards,

(301) 448-6965 (mobile)

From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On Behalf Of Lee Howard

The simple-security draft represents the best practice we know of for securing home networks. It describes the behavior that should be the default for all home networking gateways. Advanced users who know what they're getting into can change those default rules.

Some people argued that a stateful firewall is no longer needed because attackers no longer use vectors that a firewall protects against. This sounds like circular reasoning to me, as if you no longer need a roof because rain hasn't fallen on your head for years.

It was also argued that attacks of this kind simply don't exist in IPv6. That sounds like the argument that faults in the space shuttle o-ring haven't caused explosions before, so it's safe. I'll also point out that OSes with smaller market share have fewer exploits written for them because they are a smaller target; as IPv6 exceeds 50%, there will be more attacks.

I disagreed at the mike with the argument that ISPs should be doing this kind of filtering themselves. I'd like to understand that argument better. If ISPs should be providing stateful firewall service, then doesn't that support the need for a draft documenting what ISPs should do?

Yes, hosts should provide better security for themselves. In some regions, users install three or four security packages on their computers, but even there almost 50% of machines are infected. Blocking the easiest paths to exploits using perimeter security is current best practice, and should be documented as such.

Lee