RE: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
Mark;
Good points all. I agree, host firewall is evolving fast, and will be more
and more commonly deployed in the future.
But are you suggesting that the NAP draft, in an effort to push peer-to-peer
"all the way", advocate removing edge firewalls and ACL in favor of only
deploying distributed firewalls? I think that would be going way too far.
The best way to pry NAT out of the hands of IPv4-oriented security managers
is to make the case *for* stateful firewalls over NAT routers - not to try
to suggest, at this stage, that even the stateful firewalls should be pulled
in favor of having the end nodes use host firewalls to support peer-to-peer
networking in the purest sense.
Spence
----------------------------
> While it might appear to be a semantic argument, I don't
> think host firewalls are breaking end-to-end.
>
> In simple terms, I think that end-to-end is another way of
> expressing the classic cliche, "If you want something done
> properly, you need to do it yourself."
>
> When it comes to reliable data delivery, trustworthy
> security, or service availability limitations (e.g.,
> firewalling) the node which "wants the job done properly" the
> most is the end-node itself. Intermediary devices, such as
> routers, usually service more than one end-node, and
> therefore generally can't be trusted to have the same
> interest "in the job being done properly" as each of the end
> nodes themselves.
> Additionally, they usually don't have enough information to
> be sure that they are doing the "proper job".
>
> In the case of host based firewalling, the host itself is the
> most knowledgeable regarding what its firewalling requirements
> are, and therefore is the best device to perform that
> firewalling. An additional advantage of host based
> firewalling is that it is network topology independent. This
> is going to matter more and more as mobile devices, such as
> laptops, have multiple wired and wireless interfaces.
>
> This may sound theoretical; interestingly, host based
> firewalling capability is pretty much already a reality
> today. All major OSes (*nix, MS, Apple, etc.) are coming
> with a firewalling capability out of the box, commonly
> defaulted to "on". Additionally, it is in every "desktop"
> OS, rather than just special nodes such as servers, as the OS
> "manufacturer" couldn't be sure that there would be an
> upstream, intermediary firewalling device. OS manufacturers
> have decided that each and every individual device has to be
> responsible for its own firewalling. Firewalling is already
> evolving towards the end-to-end model.
>
> (Arguably, even host based firewalling isn't true end-to-end.
> In reality, it is the applications themselves that have more
> knowledge of their security requirements than the Host OS,
> and therefore they should be executing security functions
> themselves. For example, SSH implements security within the
> application, and therefore host or network firewalling, based
> on network IP(v4|v6) identity or location and transport layer
> port numbers, isn't really that necessary for SSH.)
>
> Regards,
> Mark.
>
> --
>
> The Internet's nature is peer to peer.
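The "stateful firewall instead of NAT" position Spence argues for at the top of the thread, shown as an added nftables sketch that is not from the thread or the NAP draft: the edge box keeps NAT's familiar default-deny-inbound behaviour purely through connection tracking, while every host keeps its globally routable address and any explicitly published service is reachable end-to-end. The interface name, prefix and server address are constructed for the example.

```nftables
# Constructed example: stateful IPv6 edge filter with no NAT table at all.
define wan = "eth0"                 # assumed upstream interface
define lan_prefix = 2001:db8:1::/64 # assumed internal prefix (documentation range)

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept   # replies to what we started
        ct state invalid drop
        iif lo accept
        # ICMPv6 that IPv6 cannot function without (ND, PMTU discovery, diagnostics)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit,
                      destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept   # inbound only if a LAN host initiated it
        ct state invalid drop
        # LAN hosts may initiate anything outbound, with their real addresses untouched.
        iifname != $wan ip6 saddr $lan_prefix accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
        # Unsolicited inbound is dropped by policy, exactly like behind a NAT, but a
        # published service is simply allowed through to its own address: no port
        # forwarding, no address rewriting, end-to-end reachability preserved.
        iifname $wan ip6 daddr 2001:db8:1::25 tcp dport 25 accept
    }
}
```

Load it with `nft -f <file>` and list it with `nft list ruleset`; the absence of any `nat` table is the point, since the inbound protection people credit to NAT comes entirely from the `ct state` rules.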