1 comment

[ 3.7 ms ] story [ 8.5 ms ] thread
"That admins are not fond of having non-TCP packets on the network. That firewalls are often configured to discard anything other than TCP or UDP. That NAT solutions sold by various vendors are not designed to work with SCTP. And so on, and so on."

NAT and firewalls (between nodes) break the Internet. They're ugly hacks that have outlived their usefulness. NAT is an ugly hack to fix IPv4's address space limitations, which IPv6 fixes elegantly. Firewalls were an ugly hack to fix the fact that most apps had poor-to-no authentication and poor-to-no encryption in ~1994 when the Internet went mainstream.

Firewalls are of dubious security value today, since the most common threats are:

* Malware delivered by web and email, which cross the firewall by default in most cases.

* Vulnerabilities in browsers and browser plugins, which are exposed to the web via connections almost always allowed through the firewall.

* Vulnerabilities in outward-facing web apps in the DMZ, which allow attackers to enter and then cross the firewall via a variety of techniques. (Or often the web app itself is the target, and it's dangling out there with little protection.)

* Phishing, spear phishing, targeted malware delivery via compromise of things like software updates and code repositories, and social engineering. It's generally easy to bait users into bringing a trojan horse in past the firewall.

Besides, protocols like SSH and HTTP are "everything protocols" that can encapsulate anything, so if you allow ports 22, 80, and 443 you are effectively allowing "all."

Inline firewalls (firewalls not residing on the node) are more trouble than they're worth. They provide little real-world security, and they do so at great cost to innovation and convenience. There are other solutions, such as centrally managed local firewalls or just securitying your f'ing services, that are lower cost and more effective.

In some cases I think firewalls make security worse by encouraging a "soft underbelly" behind them.

I satirized this whole situation here:

http://blog.zerotier.com/2013/04/zerotier-networks-enabling-...

Most people didn't get the joke.

I really hope that IPv6 brings radical deperimeterization and de-NAT-ification, but I think it's going to take a more open challenge to the status quo to make that happen.