misunderstanding scale (was: Ipv4 end, its fake.)
Mark Tinka
mark.tinka at seacom.mu
Sun Mar 23 19:13:14 UTC 2014
On Sunday, March 23, 2014 09:05:54 PM Cb B wrote:
> i would say the more appropriate place for this policy is
> the printer, not a firewall. For example, maybe a
> printer should only be ULA or LLA by default.
>
> i would hate for people to think that a middle box is
> required, when the best place to provide security is in
> the host. Other layers are needed as required, but it
> is sad that we don't look to the host it self as a first
> step.
I would support adding security at the host-level,
especially because with a centralized firewall, internal
infrastructure is usually left wide open to internal staff,
with trust being the rope we all hang on to to keep things
running.
However, if pratical running of the Internet has taught us
anything, host-based firewalling (especially in purpose-
specific devices like printers, Tv sets, IP phones, IP
cameras, e.t.c.) is a long way away from what you can get
with a centralized firewall appliance.
Do I like it? No. I run a simple packet filter (IPfw) on my
MacBook - it does what I need. But we know Joe and Jane
won't want things they can't click; and even though they had
things they could click, they don't want to have to
understand all these geeky things about their computers.
Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20140323/e35c45d4/attachment.sig>
More information about the NANOG
mailing list