
Re: CPE equipments and stateful filters



> >> 	but i suggest that we need to be REAL careful about the default
> >> 	settings.
> 
> > I agree. But the market reality (and we heard it explicitly from a
> > well known CPE vendor at the microphone) is that they will not sell
> > $50 consumer gateways that allow incoming unsolicited SYN or UDP
> > by default. We need to make realistic recommendations in that context.
> 
> Hm, but another vendor, better known for other stuff, but also  
> selling fine CPEs, presented a draft, and he told us that one of the  
> reasons they decided to flip their default from no filtering to  
> rejecting incoming sessions is that the IETF has consensus that this  
> is the best approach.

	i do not remember seeing IETF consensus on this matter.

> Personally, I would love to see firewalls and other devices that  
> think they know better what's good for me than I do die a violent  
> death, but then again, there is lots of stuff out there that can't  
> handle being connected to the unfiltered internet and doing exactly  
> that without 5 years or so of countering "you need a firewall"  
> indoctrination and replacing it with "you need to run a safe-out-of- 
> the-box OS" won't do us any favors.

	we have been telling people about it, not via IETF channels.  in short:
	- in a firewalled environment, morale to administer individual machines
	  goes down, and they will be left unpatched
	- then VPNs and laptops bring viruses and bots into the organization
	  (it is from inside, so the firewall is of no use)
	- hence you need to purchase host firewalls and anti-virus products
	- and you have to keep updating virus signature files

	if you use an OS that is secure enough, you do not have to worry about
	ANY of the above.  so you get much lower costs in operation.

	if you happen to pick OpenBSD and need some commercial support,
	of course there is: http://www.openbsd.org/support.html
	i heard Microsoft is undergoing a serious audit of Vista; i'm not
	too sure about the outcome, but i guess we can hope.
 
> At this point, it looks like the best option is to have an extremely  
> light-weight protocol that allows OSes (applications?) to open up  
> these filters that are going to be present in default configurations  
> so that only hosts that feel they're secure get unfiltered access to  
> the network while other stuff is prevented from shooting itself in  
> the foot.

	again, complexity of UPnP on top of complexity of the firewall.
	remember the "KISS principle"?

itojun
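The two CPE defaults argued about above (no filtering versus rejecting unsolicited incoming sessions) side by side as a pf.conf fragment. This is an added example, not part of the thread or of any vendor's firmware; the interface names em0/em1 are assumed, and the ICMPv6 pass rule is there because an IPv6 stateful filter that drops neighbour discovery and router advertisements breaks the LAN it is supposed to protect.

```pf
# Assumed interface names: em0 faces the ISP, em1 faces the LAN.
ext_if = "em0"
int_if = "em1"

set skip on lo

# --- Default A: no filtering (the "before" in the thread) ---
# pass all
# Every host behind the CPE is directly reachable; nothing stateful.

# --- Default B: stateful, reject unsolicited inbound sessions ---
# Drop anything not matching a state entry; log so the owner can see
# what is being refused rather than silently wondering why a service
# is unreachable.
block in log all

# LAN hosts may initiate sessions to anywhere; the state entry created
# here is what lets the reply traffic back in.
pass in on $int_if inet6 all keep state
pass out on $ext_if inet6 all keep state

# IPv6 needs ICMPv6 for neighbour discovery, router advertisements and
# path MTU discovery; a filter that blocks these breaks basic connectivity.
pass in inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routersol, routeradv, toobig, echoreq }

# Any exception for an inbound service must be an explicit, narrow hole
# added by the operator (placeholder host and port below).
# pass in on $ext_if inet6 proto tcp to 2001:db8::10 port 22 keep state
```

Load with `pfctl -f /etc/pf.conf` after checking syntax with `pfctl -nf /etc/pf.conf`; `pfctl -ss` shows the state table that default B relies on, which is the mechanism any "open up these filters" protocol would have to manipulate.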