Consumer Grade - IPV6 Enabled Router Firewalls.

Joe Greco jgreco at ns.sol.net
Fri Dec 11 07:36:39 CST 2009


> Mark Newton wrote, on 2009-12-11 03:09:
> > You kinda do if you're using a stateful firewall with a "deny
> > everything that shouldn't be accepted" policy.  UPnP (or something
> > like it) would have to tell the firewall what should be accepted.
> 
> That's putting the firewall at the mercy of viruses, worms, etc. The firewall
> shouldn't trust anything else to tell it what is good and bad traffic.

Everyone knows a NAT gateway isn't really a firewall, except more or less
accidentally.  There's no good way to provide a hardware firewall in an
average residential environment that is not a disaster waiting to happen.  

If you make it "smart" (i.e. UPnP) then it will of course autoconfigure
itself for an appropriate virus.

However, your average home user often doesn't change their $FOOGEAR 
password from the default of 1234, and it is reasonable to assume that 
at some point, viruses will ship with some minimal knowledge of how to 
"manually" fix their networking environment.  Or better yet?  Runs a
password cracker until it figures it out, since the admin interfaces
on these things are rarely hardened.

If you actually /do/ a really good firewall, then of course users find
it "hard to use" and your company takes a support hit, maybe gets a
bad reputation, etc.

There's no winning.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list