[120167] in North American Network Operators' Group
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Dec 11 08:08:09 2009
To: Simon Perreault <simon.perreault@viagenie.ca>
In-Reply-To: Your message of "Fri, 11 Dec 2009 07:41:59 EST."
<4B223E17.3040201@viagenie.ca>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 11 Dec 2009 08:06:53 -0500
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
> Mark Newton wrote, on 2009-12-11 03:09:
> > You kinda do if you're using a stateful firewall with a "deny
> > everything that shouldn't be accepted" policy. UPnP (or something
> > like it) would have to tell the firewall what should be accepted.
>
> That's putting the firewall at the mercy of viruses, worms, etc. The firewall
> shouldn't trust anything else to tell it what is good and bad traffic.
What do you suggest? Manual configuration? We *know* that if a worm puts up
a popup that says "Enable port 33493 on your firewall for naked pics of.."
that port 33493 will get opened anyhow, so we may as well automate the
process and save everybody the effort.
Redesigning the security so that human intervention is required isn't worth
the effort, because the black hats are much better at convincing people to
do something than the white hats are at teaching them why they shouldn't do it.
Probably because we don't teach with naked pics of...