IPv6 Firewall on CPEs - Default on or off

Jens Hoffmann jh at bofh.de
Mon Nov 26 20:27:50 CET 2012


Hi,

> But, please don't say turn on a firewall without giving an
> explicit problem the firewall solves for said user.  Please cite
> CVE IDs in your threat analysis / risk assessment.

Most insurance companies see it the other way around. If you can
prove that the system needs no protection, fine.
If you can't prove it, install that virus scanner/fw/snake oil device.

> I fear that the culture of "IT" is that we needed network firewall
> to protect broken hosts in 2003, and since then we have been
> carrying that lesson with us without revisiting the need.

No, the philosophy is still: accept as much as possible, but send only
strictly correct messages.

In this case: You are responsible for access, that is part of the
perimeter. You cannot expect that your customer is able to understand
the considerations by default.

If the customer tells you otherwise, fine. If not, expect him to be
just Joe "I buy a microwave, expecting I can dry my pets, if it is not
stated in the manual" customer.

And, your colleagues in support are probably happy about that kind of
decision also.

Kind regards,
   Jens


