nanog mailing list archives
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
From: Joe Greco <jgreco () ns sol net>
Date: Fri, 11 Dec 2009 07:36:39 -0600 (CST)
Mark Newton wrote, on 2009-12-11 03:09:You kinda do if you're using a stateful firewall with a "deny everything that shouldn't be accepted" policy. UPnP (or something like it) would have to tell the firewall what should be accepted.That's putting the firewall at the mercy of viruses, worms, etc. The firewall shouldn't trust anything else to tell it what is good and bad traffic.
Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen. If you make it "smart" (i.e. UPnP) then it will of course autoconfigure itself for an appropriate virus. However, your average home user often doesn't change their $FOOGEAR password from the default of 1234, and it is reasonable to assume that at some point, viruses will ship with some minimal knowledge of how to "manually" fix their networking environment. Or better yet? Runs a password cracker until it figures it out, since the admin interfaces on these things are rarely hardened. If you actually /do/ a really good firewall, then of course users find it "hard to use" and your company takes a support hit, maybe gets a bad reputation, etc. There's no winning. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Current thread:
- Re: Consumer Grade - IPV6 Enabled Router Firewalls., (continued)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Seth Mattinen (Dec 02)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Michael Loftis (Dec 10)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Owen DeLong (Dec 10)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Chris Adams (Dec 10)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mark Newton (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Simon Perreault (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Valdis . Kletnieks (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Simon Perreault (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mark Newton (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Simon Perreault (Dec 12)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Joe Greco (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Simon Perreault (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mikael Abrahamsson (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mark Newton (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Chris Adams (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Joe Greco (Dec 11)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Joel Jaeggli (Dec 13)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Michael Loftis (Dec 13)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Owen DeLong (Dec 14)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. Owen DeLong (Dec 14)
- Re: Consumer Grade - IPV6 Enabled Router Firewalls. gordon b slater (Dec 14)