
Re: CPE equipments and stateful filters



On Jul 23, 2007, at 2:36 PM, Jun-ichiro itojun Hagino wrote:
> Fred raised concerns about DoS attack, but if you run secure OS you do not have to worry about that.

Part of this relates to the concept of a "secure OS". I think the security experts in the room will tell you that the only truly secure device is one in which no electrons are moving. One cannot actually say that "there is no way to successfully attack X"; one can only say that any such exploits are currently unknown for a system at the appropriate patch level and with the right configuration. That said, my observation was not limited to DoS attacks, although those are part of the discussion. My comment had to do with the integrity of networks people provide for themselves, and the view of the network as something to secure in its own right.

In my view, people in residences and in companies provide for themselves the things they think they need. Not everyone provides the same things, and not everyone views the things they provide the same way. For example, my wife's mother would happily give up her kitchen and eat out; my wife provides a kitchen in our home because she wants to be able to cook for herself.

In my home, I provide two wired networks and two wireless ones. One pair is for me (Cisco information security guidelines require my home office to be separate from my home), and the other pair is for my family. They meet at an Ethernet hub and a cable modem, the latter being my ISP's service demarc. My company makes similar provisions for itself, including 8 DMZs worldwide, an extensive internal network that would rival many ISPs, and interconnections with a large number of providers. Those networks are my and my company's property, just as much as the grass in my lawn covers my physical property.

Yes, the integrity of any device, physical or virtual, is in the final analysis its own concern, and computers need to be hardened to provide good computational security. A large percentage of attacks, I am told, come from within one's own organization. That said, it is also appropriate for a family or company to expect its neighbors to observe their property boundaries, and it is very reasonable for them to provide a first line of defense at those boundaries. As I said in the meeting, this should not preclude services that they have agreed should be offered in their homes or on their premises, and should not preclude business-to-business communications under appropriate governance. I will agree with Alain that a customer of an ISP should be able to easily let the ISP provide the services they have contracted, and this should be accomplished with a minimum of fuss and bother. But my home is not an extension of my ISP any more than my company is an extension of its ISPs. It is a network and there is a defined NNI between them. For services that the ISP has not contracted with me, I see no reason to allow the ISP into my home.

That's not an unfriendly statement, by the way. My neighbors come into my home after knocking on the door too. They are both welcome in my home and expected to knock.

I compare this to the defenses of the human body. One could argue that if every cell were robust enough, disease would be unknown, and in the presence of assistants like white blood cells, T-cells, and so on, the body has no need of a prophylactic defense. All true, and the fact is that those systems work pretty well. Even so, the body is provided with a skin - a firewall - that keeps a good percentage of the obvious out of it and in so doing exposes and uses those defenses less. I suspect that it does so both because defense in depth is a proven strategy and because keeping the junk out is less costly than curing the ills it creates.

I think the right solution is an authenticated access protocol. If UPnP is publicly documented, fine, if James' protocol is the best bet, fine, and if it is something else, so be it. But a protocol that allows one to identify oneself and gain admittance on authorization provides for the concerns that you have. Someone from within can access out, the governing contract being the authorization to do so, and on AAA confirmation access in is granted, which enables someone with legitimate access privileges to access what they are authorized to access.

Someone once said that "good fences make good neighbors". I think they were wise.

If in your home you want to provide open access - no doors and no locks - no problem. That's your policy. It's just not mine, and not that of very many of my customers.