misunderstanding scale (was: Ipv4 end, its fake.)

Mark Tinka mark.tinka at seacom.mu
Sun Mar 23 19:13:14 UTC 2014


On Sunday, March 23, 2014 09:05:54 PM Cb B wrote:

> i would say the more appropriate place for this policy is
> the printer, not a firewall.  For example, maybe a 
> printer should only be ULA or LLA by default.
> 
> i would hate for people to think that a middle box is
> required, when the best place to provide security is in
> the host.  Other layers are needed as required, but it
> is sad that we don't look to the host itself as a first
> step.

I would support adding security at the host-level, 
especially because with a centralized firewall, internal 
infrastructure is usually left wide open to internal staff, 
with trust being the rope we all hang on to to keep things 
running.

However, if practical running of the Internet has taught us 
anything, host-based firewalling (especially in 
purpose-specific devices like printers, TV sets, IP phones, IP 
cameras, etc.) is a long way away from what you can get 
with a centralized firewall appliance. 

Do I like it? No. I run a simple packet filter (IPfw) on my 
MacBook - it does what I need. But we know Joe and Jane 
won't want things they can't click; and even though they had 
things they could click, they don't want to have to 
understand all these geeky things about their computers.

Mark.