[120170] in North American Network Operators' Group
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
daemon@ATHENA.MIT.EDU (Simon Perreault)
Fri Dec 11 08:41:50 2009
Date: Fri, 11 Dec 2009 08:41:01 -0500
From: Simon Perreault <simon.perreault@viagenie.ca>
To: Joe Greco <jgreco@ns.sol.net>
In-Reply-To: <200912111336.nBBDadtt073162@aurora.sol.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Joe Greco wrote, on 2009-12-11 08:36:
> Everyone knows a NAT gateway isn't really a firewall, except more or less
> accidentally. There's no good way to provide a hardware firewall in an
> average residential environment that is not a disaster waiting to happen.
>
> If you make it "smart" (i.e. UPnP) then it will of course autoconfigure
> itself for an appropriate virus.
>
> However, your average home user often doesn't change their $FOOGEAR
> password from the default of 1234, and it is reasonable to assume that
> at some point, viruses will ship with some minimal knowledge of how to
> "manually" fix their networking environment. Or better yet? Runs a
> password cracker until it figures it out, since the admin interfaces
> on these things are rarely hardened.
>
> If you actually /do/ a really good firewall, then of course users find
> it "hard to use" and your company takes a support hit, maybe gets a
> bad reputation, etc.
>
> There's no winning.
Agreed.
We have thus come to the conclusion that there shouldn't be a NAT-like firewall
in IPv6 home routers.
Thanks,
Simon
--
DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
vCard 4.0 --> http://www.vcarddav.org
