
RE: R41 in draft-ietf-v6ops-cpe-simple-security-07



At the risk of repeating a banality, "the only safe thing" is defense in
depth. We need to both have applications secure themselves, and, where
possible, require the CPE to provide additional protection.

And I'll second Remi's opinion: a firewall that can be manipulated by
malware is better than no firewall at all. Microsoft's native firewall adds
security to the host even though applications can punch holes through it.

Thanks,
	Yaron

> -----Original Message-----
> From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On Behalf
> Of Mark Smith
> Sent: Tuesday, August 04, 2009 13:53
> To: Rémi Denis-Courmont
> Cc: Mark Baugher; Brian E Carpenter; james woodyatt; IPv6 Operations
> Subject: Re: R41 in draft-ietf-v6ops-cpe-simple-security-07
> 
> On Tue, 04 Aug 2009 08:56:54 +0200
> Rémi Denis-Courmont <remi@remlab.net> wrote:
> 
> >
> > On Mon, 3 Aug 2009 21:02:43 -0700, Mark Baugher <mbaugher@cisco.com> wrote:
> >
> > > Manual config can at least be authenticated.  Conficker reportedly
> > > uses UPnP NAT traversal on IPv4 home networks and could have just as
> > > easily used NAT-PMP.  So we're recreating this issue in IPv6 unless we
> > > authenticate such requests.  How much worse off are we with no
> > > firewall than with one where practically any piece of malware can open
> > > it.
> >
> > That's just NOT TRUE. Typically the trust between your CPE and your
> > computer comes ENTIRELY from the fact that the computer is behind the CPE.
> > If your computer is already infected, then you are already screwed.
> > Certainly the CPE should protect itself from the computer, but it cannot
> > protect the rest of the internal network, especially not the already
> > infected computer.
> >
> > As for UPnP-IGD and NAT-PMP... if Conficker is already behind the CPE, it
> > can use UDP or make outbound connections anyway. The hole punching protocol
> > just makes it slightly more convenient for the worm.
> >
> 
> Completely agree.
> 
> Looking at netbooks with wired, wifi, bluetooth, and 3G or Wimax
> connectivity, or Smartphones with wifi, 3G or Wimax connectivity, the
> only safe thing to do is to have each host protect itself, because at
> any time there could be multiple candidate access methods for
> Internet access (and IEEE 802.21 (described in the recent Internet
> Protocol Journal) is trying to make which one is currently being used
> transparent). Even better is to have the applications protect
> themselves, like ssh does ("If you want something done properly, you
> need to do it yourself").
> 
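The exchange Mark Baugher and Rémi are arguing about, modelled as an added example that is not code from this thread or from any CPE vendor: a NAT-PMP (RFC 6886) port-mapping request and the gateway's reply. The 12-byte request has no field in which a credential could even be carried, so "authenticate such requests" would mean a different protocol; the only authorization decision the RFC gives a gateway is to refuse requests that did not arrive on its internal interface, which a process already inside the LAN passes by definition. The `Gateway` class, its mapping table, and the addresses 192.0.2.10 and 198.51.100.7 are constructed for this example.

```python
"""NAT-PMP (RFC 6886) mapping exchange, modelled offline.

Added example; the Gateway class is a toy model of a CPE, not a real
implementation. Wire formats follow RFC 6886:
  request : vers(1) op(1) reserved(2) internal_port(2) ext_port(2) lifetime(4)
  response: vers(1) op(1) result(2) epoch(4) internal_port(2) ext_port(2) lifetime(4)
"""
import struct

NATPMP_PORT = 5351              # UDP port fixed by RFC 6886 (informational here)
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULT_SUCCESS = 0
RESULT_NOT_AUTHORIZED = 2       # "Not Authorized/Refused"
RESULT_UNSUPPORTED_OPCODE = 5

REQ_FMT = "!BBHHHI"             # 12 bytes
RESP_FMT = "!BBHIHHI"           # 16 bytes


def build_map_request(proto, internal_port, suggested_external=0, lifetime=7200):
    """Client side: the exact bytes any hole-punching client (or worm) sends.
    Note there is nothing here that identifies or authenticates the sender."""
    return struct.pack(REQ_FMT, 0, proto, 0, internal_port, suggested_external, lifetime)


def parse_map_request(data):
    vers, op, _reserved, iport, eport, life = struct.unpack(REQ_FMT, data)
    return {"vers": vers, "op": op, "internal_port": iport,
            "suggested_external": eport, "lifetime": life}


def parse_map_response(data):
    vers, op, result, epoch, iport, eport, life = struct.unpack(RESP_FMT, data)
    return {"vers": vers, "op": op, "result": result, "epoch": epoch,
            "internal_port": iport, "external_port": eport, "lifetime": life}


class Gateway:
    """Toy CPE: mappings keyed by (proto, external_port) -> (src_ip, internal_port, lifetime)."""

    def __init__(self):
        self.mappings = {}
        self.epoch = 0          # seconds since the mapping table was last reset

    def _reply(self, op, result, internal_port, external_port, lifetime):
        return struct.pack(RESP_FMT, 0, (128 + op) & 0xFF, result, self.epoch,
                           internal_port, external_port, lifetime)

    def handle(self, data, src_ip, received_on_internal):
        req = parse_map_request(data)
        op, iport = req["op"], req["internal_port"]
        if not received_on_internal:
            # RFC 6886: requests arriving on the external interface MUST NOT be
            # honoured. This is the only authorization check NAT-PMP has, and
            # "being behind the CPE" is what satisfies it.
            return self._reply(op, RESULT_NOT_AUTHORIZED, iport, 0, 0)
        if op not in (OP_MAP_UDP, OP_MAP_TCP):
            return self._reply(op, RESULT_UNSUPPORTED_OPCODE, 0, 0, 0)
        if req["lifetime"] == 0:
            # Lifetime 0 deletes this host's mapping(s) for that internal port.
            for key, val in list(self.mappings.items()):
                if key[0] == op and val[0] == src_ip and val[1] == iport:
                    del self.mappings[key]
            return self._reply(op, RESULT_SUCCESS, iport, 0, 0)
        # Mapping is tied to the source address of the request; a suggested
        # external port of 0 means "gateway's choice" (toy: reuse the internal port).
        ext = req["suggested_external"] or iport
        while (op, ext) in self.mappings and self.mappings[(op, ext)][0] != src_ip:
            ext = ext + 1 if ext < 65535 else 1024   # taken by another host: pick another
        self.mappings[(op, ext)] = (src_ip, iport, req["lifetime"])
        return self._reply(op, RESULT_SUCCESS, iport, ext, req["lifetime"])


def demo():
    """Constructed scenario: an infected host inside the LAN exposes TCP 4444,
    the same datagram from the WAN side is refused, then the host removes it."""
    gw = Gateway()
    req = build_map_request(OP_MAP_TCP, 4444, 4444, 3600)
    inside = parse_map_response(gw.handle(req, "192.0.2.10", received_on_internal=True))
    outside = parse_map_response(gw.handle(req, "198.51.100.7", received_on_internal=False))
    mapped = dict(gw.mappings)
    gw.handle(build_map_request(OP_MAP_TCP, 4444, 4444, 0), "192.0.2.10", received_on_internal=True)
    return {"inside": inside, "outside": outside, "mapped": mapped,
            "after_delete": dict(gw.mappings)}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns a successful mapping (result 0, external port 4444) for the request seen on the LAN side and result 2 for byte-identical input seen on the WAN side; the only thing that differed was which interface the packet came in on, which is Rémi's point. The same applies to UPnP-IGD's AddPortMapping, which this example does not model.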

Attachment: smime.p7s
Description: S/MIME cryptographic signature