[120258] in North American Network Operators' Group
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
daemon@ATHENA.MIT.EDU (Chris Adams)
Mon Dec 14 14:12:59 2009
Date: Mon, 14 Dec 2009 13:11:53 -0600
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@nanog.org
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@nanog.org
In-Reply-To: <9B702073-059F-4653-A4CA-1DA963164C9A@delong.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Once upon a time, Owen DeLong <owen@delong.com> said:
> I would argue that a firewall that can be reconfigured by any applet a user
> clicks on (whether they know it or not) is actually less useful than no
> firewall because it creates the illusion in the users mind that there is a
> firewall protecting them.
Well, "any applet a user clicks on" should not have permission to talk
to random devices on the network (for example, Java applets can't do
that), so I don't think it is quite as bad as you make it out to be. I
also don't really find the "computer is already compromised" case all
that interesting, as at that point, all bets are off (since with C&C
servers, compromised computers are already accessible to the outside
world without UPnP).
A firewall protects against unwanted inbound connections to things like
file/print sharing, DNS proxies, etc. You also don't get port scans and
such (even with a few open ports, the majority being "drop" slows down
scanners significantly). You can also configure it to prevent certain
outbound connections (e.g. connecting to random mail servers from
desktop PCs). I would hope that you can configure firewall rules to
override UPnP requests.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
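The ruleset the post sketches (silently drop unsolicited inbound traffic, keep file/print sharing and DNS proxies closed from the WAN, let desktops submit mail only through the ISP relay, and have the administrator's static rules win over anything UPnP opens), written out as an nftables configuration. This is an added example, not something from the thread or from any particular router firmware; the interface names, LAN prefix, relay address (a TEST-NET-2 address) and the chain name the UPnP daemon is assumed to write into are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Renders an nftables ruleset for
# a small router in which the administrator's hard-deny rules are evaluated
# before the chain a UPnP daemon is permitted to populate. Interface names,
# the LAN prefix, the mail relay address and the "upnp_forward" chain name
# are assumptions for illustration only.
LAN_IF="${LAN_IF:-lan0}"
WAN_IF="${WAN_IF:-wan0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
MAIL_RELAY="${MAIL_RELAY:-198.51.100.25}"   # ISP's SMTP relay (constructed)

render_ruleset() {
  cat <<EOF
flush ruleset
table inet fw {
  # The only chain the UPnP daemon is allowed to add rules to (assumed name).
  chain upnp_forward {
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept
    iifname "$LAN_IF" accept
    # Unsolicited packets from the WAN hit the drop policy: no RST or ICMP
    # reply, so a scanner waits out a timeout on every closed port.
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Administrator hard-denies first: inbound file/print sharing and DNS to
    # LAN hosts stay closed even if a UPnP request later maps those ports.
    iifname "$WAN_IF" tcp dport { 137, 138, 139, 445 } drop
    iifname "$WAN_IF" udp dport { 137, 138, 139, 445 } drop
    iifname "$WAN_IF" tcp dport 53 drop
    iifname "$WAN_IF" udp dport 53 drop
    # Desktops may submit mail only via the ISP relay; direct-to-MX is dropped.
    iifname "$LAN_IF" ip saddr $LAN_NET ip daddr $MAIL_RELAY tcp dport 25 accept
    iifname "$LAN_IF" tcp dport 25 drop
    # Only now consult the UPnP-managed chain for inbound port maps.
    iifname "$WAN_IF" oifname "$LAN_IF" jump upnp_forward
    # Everything else from the LAN may go out.
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
}
EOF
}

# Ordering check on the rendered text: every "... dport ... drop" rule must
# appear before the jump into the UPnP chain, otherwise UPnP could win.
# Returns 0 when the ordering is correct, 1 otherwise.
hard_denies_precede_upnp() {
  render_ruleset | awk '
    /^[ \t]*#/            { next }
    /jump upnp_forward/   { jump = NR }
    /dport .* drop/       { if (jump) bad = 1 }
    END                   { exit (bad ? 1 : 0) }'
}

# Syntax-check with nft when it is installed (needs root on most systems);
# returns 0 and does nothing when nft is not available.
check_with_nft() {
  command -v nft >/dev/null 2>&1 || return 0
  render_ruleset | nft -c -f -
}

# Usage (as root, after reviewing the output): render_ruleset | nft -f -
```

To apply it for real the UPnP daemon must be configured to insert into `upnp_forward` only (miniupnpd-style daemons let you name the chain); the point of the layout is that the hard-deny rules live above the jump, so a port map for 445 or 53 is matched and dropped before the UPnP chain is ever consulted.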