Arguing against using public IP space

Joe Greco jgreco at ns.sol.net
Tue Nov 15 18:56:10 UTC 2011


> On Tue, 15 Nov 2011, Joe Greco wrote:
> > Or perhaps a better argument would be that routers really ought to
> > default to deny.  :-)  I'd be fine with that, but I can hear the
> > screaming already.
> 
> er.  you've forgotten "en; conf t; ip routing" to turn off the default "no 
> ip routing" (or "no ip forwarding" is my memory, but my config archive 
> says otherwise)
> 
> so we had default to deny in routers for a long time....

My bad.

But seriously, now, I'm going to wander a bit far to make a point that
I hope people get.

In the '90s, during the rapid ISP growth era, one of the local policies
here was that all boxes should be protected by a competent on-box 
firewall.  The problem with this was that it was tough to implement in 
practice, since for the most part, boxes varied in interface 
configuration, etc., etc.  Writing a custom ruleset for each box was 
nearly prohibitive.

I also had clients where I saw similar problems.  You'd see all sorts of
pseudo-strange rulesets being written, and wildly differing policies about
things like ssh, etc., which made administration a challenge too.  But a
large percentage seemed to go firewall-free.  Bleh.

So as part of the standard build, I designed an automatic firewall script
that basically looked at the system IP configuration, derived reasonable
defaults, and then allowed an abstract policy to be specified, such as

TCP_ALLOW="80 443"

and the rest was automatic.  This may seem trivial to many of you, and I
will even concede that it *should* be, but the point is that by having
this installed by default, it made it MORE annoying to disable the
firewall than it was to create a simple configuration for it.  So suddenly
all servers built through the build scripts reliably had firewall rules
in place.  I know some readers here may still be using variations on those
scripts, and they've served us well over the years too.

Now I want to stress the point here:  It wasn't that there was this magic 
firewall script, because to be sure some engs still rolled their own for 
various reasons.  The point is that SOME firewall was going to be running.
And that's the desired result.

In any case, to bring the discussion home, I suspect that part of the
problem with routers and fw rules is that there's a lack of a "default to
being firewalled".  Because it's hard to do that and do it right without
also being so painful that an admin just installs a "pass all" rule to
get things working, and then forgets about it all.

Those of you who work for large service providers or enterprises and have
this all worked out - well, I'm not talking about you, of course.  You
have incentive and motivation to get this kind of thing working on your
fleets of a thousand routers.  Great.  But it's still a problem for many
others.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
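A sketch of the kind of build-time script described in the message above, added here as an example; it is not the sol.net script the post refers to. It reads an abstract policy (TCP_ALLOW / UDP_ALLOW), derives the host's addresses from the system so the policy never names interfaces, validates the policy so a typo fails closed rather than silently, and emits a default-deny ruleset. It assumes a Linux host with iptables and the `ip` tool; the rules are printed rather than applied so it runs anywhere, the address 192.0.2.10 is a constructed fallback, and the function names are this example's own.

```shell
#!/bin/sh
# fwgen.sh: derive a default-deny host firewall from an abstract policy.
# Added example, not the script from the post. Assumes a Linux host with
# iptables; rules are PRINTED, never applied, so it runs anywhere.

# Abstract policy: everything not listed is dropped (constructed defaults).
TCP_ALLOW="${TCP_ALLOW:-22 80 443}"
UDP_ALLOW="${UDP_ALLOW:-}"
# Set LOCAL_ADDRS to skip detection; 192.0.2.10 is a constructed fallback.
FALLBACK_ADDR="192.0.2.10"

# Reject anything that is not a port number: a typo must fail closed,
# not degrade into a rule that matches nothing or everything.
validate_ports() {
    for p in $1; do
        case "$p" in
            ''|*[!0-9]*) echo "fwgen: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "fwgen: port out of range '$p'" >&2; return 1
        fi
    done
    return 0
}

# Derive the host's global-scope IPv4 addresses from the system,
# so the policy never has to name interfaces or addresses.
detect_local_addrs() {
    if command -v ip >/dev/null 2>&1; then
        ip -o -4 addr show scope global 2>/dev/null \
            | awk '{print $4}' | sed 's#/.*##'
    fi
}

# gen_rules TCP_PORTS UDP_PORTS ADDRS -> iptables commands on stdout.
# Returns non-zero (and prints nothing) if the policy is malformed.
gen_rules() {
    tcp_ports="$1"; udp_ports="$2"; addrs="$3"
    validate_ports "$tcp_ports" || return 1
    validate_ports "$udp_ports" || return 1
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    for a in $addrs; do
        for p in $tcp_ports; do
            echo "iptables -A INPUT -p tcp -d $a --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
        for p in $udp_ports; do
            echo "iptables -A INPUT -p udp -d $a --dport $p -j ACCEPT"
        done
    done
    # Log (rate-limited) before the final drop so silent failures are visible.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
    echo "iptables -A INPUT -j DROP"
}

main() {
    addrs="${LOCAL_ADDRS:-$(detect_local_addrs)}"
    [ -n "$addrs" ] || addrs="$FALLBACK_ADDR"
    gen_rules "$TCP_ALLOW" "$UDP_ALLOW" "$addrs"
}

main
```

Typical use is `TCP_ALLOW="80 443" sh fwgen.sh > rules.sh`, then review and apply the generated file; `LOCAL_ADDRS="203.0.113.5"` overrides detection on hosts where `ip` is unavailable. The point of the shape is the one the post makes: the policy line is shorter than the command to disable the firewall, so the path of least resistance keeps some firewall running.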