Re: Simple Security - Layered Filtering should be in the document
Hi,
On Thu, Jul 30, 2009 at 11:56:17PM -0700, Gregory M. Lebovitz wrote:
> Sure. If all the valuable possessions in my home were unremovably
> bolted to the floor, and it was impossible for anyone without the
> retinal patterns and fingerprints of my direct family and invited
> friends to touch any of those things, then yes, I would have no need
> for the locks on my home's doors. Likewise, if hosts were perfect at
> protecting themselves and the network infrastructure between them
> across all subnets, then there would be no need for network perimeter
> filters.
That's actually missing the point.
This analogy isn't going to work as you would need to envision a
"tunneled" burglar who would only be able to steal or touch anything
if there is someone inside who "un-tunnels" the burglar.
On all common OSes, a tunneled packet will just be ignored unless a
specific un-tunneling device is configured - and if you configure
such an interface, it's reasonable to assume that you want to receive
these packets (IPSEC comes to mind).
Don't forget we're not talking about enterprise maximum annoyance^Wsecurity
policy enforcement devices but about "simple security for home networks".
Gert Doering
-- NetMaster
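The host behaviour described above (an encapsulated packet is ignored unless a matching un-tunneling interface is configured) as a small model, added here as an illustration and not code from the thread or any OS; the Teredo UDP port and the set of encapsulation types checked are assumptions, and the packets are constructed inline.

```python
import struct
from typing import Optional

# Constructed model: how a host treats encapsulated ("tunneled") IPv4 packets.
# A packet carrying an inner packet is delivered only when an un-tunneling
# interface for that encapsulation is configured; otherwise it is ignored.

PROTO_IPIP, PROTO_UDP, PROTO_IPV6, PROTO_GRE = 4, 17, 41, 47
TEREDO_PORT = 3544  # assumption: the usual Teredo UDP port

def classify(pkt: bytes) -> Optional[str]:
    """Return the encapsulation type of a raw IPv4 packet, or None if plain."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4   # header length in bytes
    proto = pkt[9]              # IPv4 protocol field
    if proto == PROTO_IPIP:
        return "ipip"
    if proto == PROTO_IPV6:
        return "6in4"
    if proto == PROTO_GRE:
        return "gre"
    if proto == PROTO_UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return None

def host_accepts(pkt: bytes, configured_tunnels: set) -> bool:
    """Host rule: plain packets pass; tunneled ones only if that tunnel is configured."""
    kind = classify(pkt)
    return kind is None or kind in configured_tunnels

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (no options, checksum left zero) plus payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

if __name__ == "__main__":
    sixin4 = build_ipv4(PROTO_IPV6, b"\x60" + b"\x00" * 39)
    print(classify(sixin4), host_accepts(sixin4, set()), host_accepts(sixin4, {"6in4"}))
```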