Arguing against using public IP space

Joe Greco jgreco at ns.sol.net
Tue Nov 15 22:13:32 UTC 2011


> ----- Original Message -----
> > From: "Joe Greco" <jgreco at ns.sol.net>
> 
> > And some products, say like FreeBSD (which forms the heart of things
> > like pfSense, so let's not even begin to argue that it "isn't a
> > firewall") can actually be configured to default either way.
> 
> By Owen's definition, it's not.

Then Owen's definition is wrong, because the vast majority of "firewall"
devices out there are software-based devices.

> > So basically, while we would all prefer that firewalls default to deny,
> > it probably isn't as important a distinction as this thread is making
> > it out to be, because even a "default to deny" firewall fails when a
> > naive admin makes a typo and allows all traffic from 0/0
> > inadvertently. It's just a matter of statistical likelihood.
> > 
> > Or perhaps a better argument would be that routers really ought to
> > default to deny. :-) I'd be fine with that, but I can hear the
> > screaming already.
> 
> But you're missing an important point here, Joe: we're not talking about
> default configuration... we're talking about *failure modes*, which are by
> definition unpredictable.

But I'm *not* missing the point.  You missed mine.  The fact of the 
matter is that routers don't come with firewall-by-default; we've 
failed to find ways to make it easier for people to firewall things 
properly than it is to open the gates, or even to notice that their 
gates are wide open.  That's a problem.

> All you can really do there is figure the probabilities... and the probability
> is that a *router-based* firewall (which as you and I agree, is a helluva lot
> of firewalls) will *be more likely* to fail into pass traffic mode than into
> don't pass traffic mode.

That depends on too many factors to really be able to make that call.
On the equally cutting side for NAT proponents, there are some attacks
against NAT devices that often succeed that shouldn't.

I'm not trying to defend the firewall thing.  That discussion is boring
and dull, it's about the state of one bit, as I pointed out, which is
the NANOG equivalent of how many angels can dance on the head of a pin.
I was merely taking what seemed to be a good opportunity to point out
that there's a more abstract failing here, which is that we have failed
to make it easy to firewall by default.  I don't mean "default to
blocking packets."  I mean that we've failed to make it easy for router
owners to do abstract things like say "this network's a bunch of
clients, and should be statefully firewalled for outbound connections
only" and make it as easy (or easier) to do that than it is to open
the connection wide open.  Failing to put roadblocks in place where
you could have roadblocks makes a network easier to penetrate.  But I
think I've made my point.

The obvious, real, clear problem with many SCADA networks is that 
they're built out of garbage, with garbage software stacks, with no
apparent thought given to security.  On the Internet, we've typically
dealt with that sort of stuff by beating it senseless (open SMTP relay,
etc) and then replacing it.  Adding layers to protect the "soft gooey
center", as someone put it, helps, of course, but is only a band-aid
solution.

Who here would go passwordless on their OOB management network?  

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
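The "statefully firewalled for outbound connections only" client network Joe describes above, written out as a FreeBSD pf ruleset. This is an added illustration, not part of the original mailing-list post or any pfSense/FreeBSD documentation; the interface names (em0, em1), the 192.0.2.0/24 prefix (a documentation range) and the SSH management rule are constructed assumptions. The commented-out line at the top is the "open the gates" ruleset that a single typo or a lazy first attempt produces, placed beside the default-deny version so the difference in effort between the two is visible.

```pf
# --- The wide-open variant (what "allows all traffic from 0/0" looks like) ---
# A one-liner like this is all it takes to pass everything in both directions:
#   pass quick from any to any
# Nothing below applies once a rule like that is in place.

# --- Default-deny, stateful outbound-only client network (constructed example) ---
ext_if  = "em0"              # assumed upstream interface
lan_if  = "em1"              # assumed client-facing interface
lan_net = "192.0.2.0/24"     # assumed client prefix (RFC 5737 documentation range)

set skip on lo0

# Start from deny in both directions; every permitted flow is an explicit
# exception below, so a missing rule fails closed rather than open.
block log all

# Clients may initiate connections outbound. pf records state for each flow,
# so the reply packets are admitted automatically without any inbound rule.
pass in  on $lan_if from $lan_net to any keep state
pass out on $ext_if from $lan_net to any keep state

# There is deliberately no "pass in on $ext_if" rule: unsolicited traffic from
# the upstream side has nothing to match and is dropped by "block log all".

# Management of the router itself only from the client side, only over SSH.
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port 22 keep state
```

Loading this with `pfctl -nf /etc/pf.conf` checks the syntax without applying it; `pfctl -sr` afterwards shows the rules as pf actually parsed them, which is the quickest way to notice when a stray `pass all` has crept in above the `block`.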