[170030] in North American Network Operators' Group


Re: misunderstanding scale (was: Ipv4 end, its fake.)

daemon@ATHENA.MIT.EDU (Mark Tinka)
Sun Mar 23 15:15:20 2014

From: Mark Tinka <mark.tinka@seacom.mu>
To: Cb B <cb.list6@gmail.com>
Date: Sun, 23 Mar 2014 21:13:14 +0200
In-Reply-To: <CAD6AjGTWeQ0C8gWuZcF_JOw+QH85nkSckEuy0H6UzjEZ7_7MfQ@mail.gmail.com>
Cc: John Levine <johnl@iecc.com>, "nanog@nanog.org" <nanog@nanog.org>
Reply-To: mark.tinka@seacom.mu
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sunday, March 23, 2014 09:05:54 PM Cb B wrote:

> i would say the more appropriate place for this policy is
> the printer, not a firewall.  For example, maybe a
> printer should only be ULA or LLA by default.
>
> i would hate for people to think that a middle box is
> required, when the best place to provide security is in
> the host.  Other layers are needed as required, but it
> is sad that we don't look to the host itself as a first
> step.

I would support adding security at the host-level,
especially because with a centralized firewall, internal
infrastructure is usually left wide open to internal staff,
with trust being the rope we all hang on to to keep things
running.

However, if practical running of the Internet has taught us
anything, host-based firewalling (especially in
purpose-specific devices like printers, TV sets, IP phones, IP
cameras, etc.) is a long way away from what you can get
with a centralized firewall appliance.

Do I like it? No. I run a simple packet filter (IPfw) on my
MacBook - it does what I need. But we know Joe and Jane
won't want things they can't click; and even though they had
things they could click, they don't want to have to
understand all these geeky things about their computers.

Mark.
