misunderstanding scale (was: Ipv4 end, its fake.)

Cb B cb.list6 at gmail.com
Sun Mar 23 19:24:35 UTC 2014

On Sun, Mar 23, 2014 at 12:13 PM, Mark Tinka <mark.tinka at seacom.mu> wrote:
> On Sunday, March 23, 2014 09:05:54 PM Cb B wrote:
>> i would say the more appropriate place for this policy is
>> the printer, not a firewall.  For example, maybe a
>> printer should only be ULA or LLA by default.
>> i would hate for people to think that a middle box is
>> required, when the best place to provide security is in
>> the host.  Other layers are needed as required, but it
>> is sad that we don't look to the host it self as a first
>> step.
> I would support adding security at the host-level,
> especially because with a centralized firewall, internal
> infrastructure is usually left wide open to internal staff,
> with trust being the rope we all hang on to to keep things
> running.
> However, if pratical running of the Internet has taught us
> anything, host-based firewalling (especially in purpose-
> specific devices like printers, Tv sets, IP phones, IP
> cameras, e.t.c.) is a long way away from what you can get
> with a centralized firewall appliance.
> Do I like it? No. I run a simple packet filter (IPfw) on my
> MacBook - it does what I need. But we know Joe and Jane
> won't want things they can't click; and even though they had
> things they could click, they don't want to have to
> understand all these geeky things about their computers.
> Mark.

Mark, i think we are largely on the same page.

I believe that "home firewalls" in the residential broadband space are
likely the most insecure part of the entire internet.  They are very
rarely updated with software and frequently ship with terrible
terrible bugs, much worse than what we have seen in Windows for the
last 10 years.

For example,


Why try to hack all the devices in your home when the hackers can
simply crack your CPE / firewall / router and own all your traffic,
reset your DNS server to a malware box, .....  I am sure this
community knows there are many many more problems just like this one
in CPE.

I don't see a lot of accountability or change in this space, yet
people believe these firewalls help.

My hope is that folks stop equating firewalls with security, when the
first step is to secure the host, accountability is with the host,
then layer other tools as needed.


More information about the NANOG mailing list