Re: Consumer Grade - IPV6 Enabled Router Firewalls.

From: Owen DeLong (no email)
Date: Tue Dec 15 2009 - 13:56:08 EST


    On Dec 15, 2009, at 4:49 AM, Joakim Aronius wrote:

    > * Steven Bellovin wrote:
    >>
    >> On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote:
    >>> Owen DeLong wrote:
    >>> Stable outgoing connections for p2p apps, messaging, gaming platforms
    >>> and foo website with java script based rpc mechanisms have similar
    >>> properties. I don't sleep soundly at night because the $49 buffalo
    >>> router I bought off an endcap at frys uses iptables, I sleep soundly
    >>> because I don't care.
    >>>
    >> Precisely. And if you want to get picky, remember that "availability"
    >> is part of the standard definition of security. A firewall that
    >> doesn't let me play Chocolate-Sucking Zombie Monsters is an attack on
    >> the availability of that game, albeit from the purest of motives.
    >>
    >> No, I'm not saying that this is good. I am saying that in the real
    >> world, it *will* happen.
    >
    > So what you are saying is that ease of use and service availability
    > is priority one. Then what exactly are the responsibilities of the
    > ISP and CPE manufacturer when it comes to security? CPEs with WiFi
    > usually come with the advice to change password etc. Is it ok to
    > build an infrastructure relying on UPnP, write a disclaimer, and let
    > the end user handle eventual problems? (I assume it is...)
    >
    > /jkm

    Personally, I think that CPE should come up relatively braindead
    except on the interior wired ethernet interfaces and require creating
    an SSID and suggesting creating a password (regardless of whether
    TKIP, WEP, WPA, etc, at least something) before enabling any wireless.
    It should require the user to create their own administrative password
    before being able to enable any other features on the box.

    If CPE manufacturers did this, it would remove a great many
    vulnerabilities in the world without making it particularly harder for
    the average end-user.

    Owen

