[AusNOG] IPv6 excuses

Mark Andrews marka at isc.org
Sat May 28 12:01:07 EST 2016


In message <5748E87F.2060106 at 0xc0dedbad.com>, Peter Fern writes:
> On 05/27/16 17:10, Mark Andrews wrote:
> > OSX has the host firewall on by default.
> 
> Did that happen some time in the last 12 months?  This certainly wasn't
> the case last time I checked.
> 
> >   Linux has host firewall
> > and depending upon the distro it may be on or off by default.  In
> > reality you don't need a host firewall for most things.  A simple
> > acl after accept is enough as you only have a single port open if
> > any at all.
> 
> The majority of Linux desktop distributions don't enable a host
> firewall, on server distributions, it's about an even split.  Ports open
> obviously depends on software installed and enabled.  ACLs or host
> firewalls need to be explicitly configured, desktop users may not even
> know what's running after package X pulls in dependency Y.
> 
> > e.g. TV's don't need to be listening on the net.
> 
> They don't need to be, but are they?  Now TVs support all sorts of
> streaming protocols, etc.  I have no idea what the quality of code is
> like on TV firmware.  And you can add streaming boxes, light bulbs, IoT,
> etc to the list.

Yes, they support all sorts of streaming protocols.  Lots of protocols
we use every day in browsers and other applications.  Invariably the
boxes are using exactly the same libraries, yet you are scared because
it's in a streaming box instead of the browser.

> > What is needed is to build with concept that there is a hostile
> > environment out there and to validate all inputs before otherwise
> > using them.
> >
> > This is what we do with BIND.  We code assuming that there is nothing
> > between the server and the rest of the world.  We have machines
> > continually attempting to break it.  We issue advisories when we
> > find an issue.  We assume there are blackhats inspecting every change
> > we make in an attempt to find a way in.  We also have thousands of
> > internal consistency checks.
> 
> And this is a great philosophy, but how many developers/projects do you
> think adhere to it?

Lots actually.  It doesn't actually cost more to do it correctly.
 
> > If the ISP supplies the CPE then they need to source a CPE with
> > equivalent functionality which do exist. 
> 
> Indeed, and this is why my original question was, "What do the default
> firewalls look like on those modems [sic]?"
> 
> >>>  If manufacturers are selling consumer equipment that is incapable of
> >>> being exposed to the net directly they should be fined for
> >>> selling substandard products and be forced to recall / provide updates.  
> >> Except that this is far removed from reality.
> > It shouldn't be.  We have strong consumer protection laws in this
> > country and we pay a premium for this.
> 
> Sure, but the fact is that there are more and more IP-enabled devices
> appearing in people's homes, and developers' skill/commitment to
> security varies wildly, and plenty of those devices simply *aren't*
> built or configured to be safely exposed to the Internet (partly fueled
> by the ubiquity of NAT for the last decade or more).  Wishing it wasn't
> so doesn't change the reality.

Being behind a NAT doesn't protect devices. All it takes is a single
compromised machine.  The same applies to firewalls.  Each and every
device needs to protect itself.
 
> IMO it's just safer for end users to firewall at the CPE.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
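The "simple acl after accept" that Mark describes above, written out as an added example; this is not code from the thread and not BIND's own ACL code, and the rule strings, the sample peers and the function names (acl_parse, acl_allows, sample_check) are all constructed for illustration. The sockaddr that accept() fills in for the new connection is what you would pass to acl_allows(); the one caveat a dual-stack IPv6 listener needs is that IPv4 clients arrive as IPv4-mapped addresses (::ffff:a.b.c.d), so those are normalised back to IPv4 before the rules are consulted, and anything that matches no rule is denied.

```c
/* Added example, not from the AusNOG thread and not BIND's implementation.
 * An "ACL after accept()" check for a single listening port, with default
 * deny.  Rules, peers and function names below are constructed for
 * illustration. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct acl_entry {
    int family;               /* AF_INET or AF_INET6 */
    unsigned char addr[16];   /* network address; 4 or 16 bytes used */
    unsigned prefixlen;       /* 0..32 (v4) or 0..128 (v6) */
};

/* Parse "2001:db8::/32" or "192.0.2.0/24" into an entry; returns 1 on success. */
static int acl_parse(const char *text, struct acl_entry *e)
{
    char buf[64];
    char *slash;
    unsigned maxlen;

    if (strlen(text) >= sizeof(buf))
        return 0;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash == NULL)
        return 0;
    *slash++ = '\0';

    if (inet_pton(AF_INET6, buf, e->addr) == 1) {
        e->family = AF_INET6;
        maxlen = 128;
    } else if (inet_pton(AF_INET, buf, e->addr) == 1) {
        e->family = AF_INET;
        maxlen = 32;
    } else {
        return 0;
    }
    if (sscanf(slash, "%u", &e->prefixlen) != 1 || e->prefixlen > maxlen)
        return 0;
    return 1;
}

/* Compare the first prefixlen bits of two addresses. */
static int prefix_match(const unsigned char *a, const unsigned char *b, unsigned prefixlen)
{
    unsigned bytes = prefixlen / 8, bits = prefixlen % 8;
    unsigned char mask;

    if (memcmp(a, b, bytes) != 0)
        return 0;
    if (bits == 0)
        return 1;
    mask = (unsigned char)(0xffu << (8 - bits));
    return (a[bytes] & mask) == (b[bytes] & mask);
}

/* Reduce the peer to (family, raw bytes).  A dual-stack AF_INET6 listener
 * hands IPv4 clients over as IPv4-mapped addresses (::ffff:a.b.c.d); they are
 * folded back to AF_INET so the IPv4 rules apply regardless of which socket
 * family the client arrived on. */
static void peer_normalise(const struct sockaddr *sa, int *family, unsigned char *out)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
        memcpy(out, &sin->sin_addr, 4);
        *family = AF_INET;
    } else {
        const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
            memcpy(out, &sin6->sin6_addr.s6_addr[12], 4);
            *family = AF_INET;
        } else {
            memcpy(out, &sin6->sin6_addr, 16);
            *family = AF_INET6;
        }
    }
}

/* Returns 1 if the peer matches any ACL entry, 0 otherwise (default deny).
 * Call this with the address accept() filled in, before reading any data. */
int acl_allows(const struct sockaddr *sa, const struct acl_entry *acl, size_t n)
{
    int family;
    unsigned char addr[16];
    size_t i;

    peer_normalise(sa, &family, addr);
    for (i = 0; i < n; i++)
        if (acl[i].family == family && prefix_match(addr, acl[i].addr, acl[i].prefixlen))
            return 1;
    return 0;
}

/* Constructed sample ACL: documentation prefixes only (RFC 3849 / RFC 5737). */
static const char *const sample_rules[] = {
    "2001:db8::/32", "192.0.2.0/24", "198.51.100.128/25"
};

/* Check a textual peer address against the sample ACL; unparsable peers are denied. */
int sample_check(const char *peer)
{
    struct acl_entry acl[8];
    size_t n = 0, i;
    struct sockaddr_in6 sin6;
    struct sockaddr_in sin;

    for (i = 0; i < sizeof(sample_rules) / sizeof(sample_rules[0]); i++)
        if (acl_parse(sample_rules[i], &acl[n]))
            n++;

    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, peer, &sin6.sin6_addr) == 1)
        return acl_allows((const struct sockaddr *)&sin6, acl, n);
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, peer, &sin.sin_addr) == 1)
        return acl_allows((const struct sockaddr *)&sin, acl, n);
    return 0;
}

int main(void)
{
    const char *peers[] = { "2001:db8:1::1", "2001:db9::1", "192.0.2.10",
                            "::ffff:192.0.2.10", "198.51.100.200", "198.51.100.5", "::1" };
    size_t i;
    for (i = 0; i < sizeof(peers) / sizeof(peers[0]); i++)
        printf("%-20s %s\n", peers[i], sample_check(peers[i]) ? "allow" : "deny");
    return 0;
}
```

The point of the normalisation step is the one that bites in practice: a process that listens on [::]:port with IPV6_V6ONLY off sees every IPv4 client as ::ffff:x.x.x.x, and an ACL that only compares raw 16-byte addresses against IPv4 rules silently denies (or, if written as allow-by-family, silently admits) all of them.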

