[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]

To: "John Spence, CCSI, CCNA, CISSP" <jspence@native6.com>
Subject: Re: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
Date: Wed, 6 Apr 2005 12:33:22 +0930
Cc: v6ops@ops.ietf.org
In-reply-to: <200504060207.j3626rpm020034@hestia.native6.com>
References: <42528394.3090304@zurich.ibm.com> <200504060207.j3626rpm020034@hestia.native6.com>

Hi John,

On Tue, 5 Apr 2005 19:06:47 -0700
"John Spence, CCSI, CCNA, CISSP" <jspence@native6.com> wrote:

> 
> This is a good discussion - I'm refining my views on this based on all your
> comments.
> 
> -------- on edge firewalls and proxies ...
> 

<snip>

  Even with distributed (host) firewalls,
> breaking end-to-end is actually a goal - just a selective goal.  I break
> end-to-end for some connection types and call it "protection" - other
> peer-to-peer services I allow.
> 

(not sure if this is off topic for the list, apologies if it is)

While it might appear to be a semantic argument, I don't think host
firewalls are breaking end-to-end. 

In simple terms, I think that end-to-end is another way of expressing the
classic cliche, "If you want something done properly, you need to do it
yourself."

When it comes to reliable data delivery, trustworthy security, or
service availability limitations (e.g., firewalling) the node which "wants
the job done properly" the most is the end-node itself. Intermediary
devices, such as routers, usually service more than one end-node, and
therefore generally can't be trusted to have the same interest "in the
job being done properly" as each of the end nodes themselves.
Additionally, they usually don't have enough information to be sure that
they are doing the "proper job".

In the case of host based firewalling, the host itself is the most
knowledgable regarding what its firewalling requirements are, and
therefore is the best device to perform that firewalling. An additional
advantage of host based firewalling is that it is network topology
independant. This is going to matter more and more as mobile devices,
such as laptops, have multiple wired and wireless interfaces.

This may sound theoretical; interestingly, host based firewalling
capability is pretty much already a reality today. All major OSes (*nix,
MS, Apple, etc.,) are coming with a firewalling capability out of the
box, commonly defaulted to "on". Additionally, it is in every "desktop"
OS, rather than just special nodes such as servers, as the OS
"manufacturer" couldn't be sure that there would be an upstream,
intermediary firewalling device. OS manufacturers have decided that each
and every individual device has to be responsible for its own
firewalling. Firewalling is already evolving towards the end-to-end
model.

(Arguably, even host based firewalling isn't true end-to-end. In
reality, it is the applications themselves that have more knowledge of
their security requirements than the Host OS, and therefore they should
be executing security functions themselves. For example, SSH implements
security within the application, and therefore host or network
firewalling, based on network IP(v4|v6) identity or location and
transport layer port numbers, isn't really that necessary for SSH)

Regards,
Mark.

-- 

    The Internet's nature is peer to peer.

Follow-Ups:
- RE: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
  - From: "John Spence, CCSI, CCNA, CISSP" <jspence@native6.com>

References:
- Re: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- RE: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
  - From: "John Spence, CCSI, CCNA, CISSP" <jspence@native6.com>

Prev by Date: RE: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
Next by Date: RE: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
Previous by thread: RE: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
Next by thread: RE: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
Index(es):
- Date
- Thread