Reflections On Host Firewalls
draft-iab-host-firewalls-02

The information below is for an old version of the document
Document Type Active Internet-Draft
Last updated 2014-03-02
Replaces draft-thaler-iab-host-firewalls
Stream IAB
Intended RFC status (None)
Stream IAB state IAB Review
Network Working Group                                          D. Thaler
Internet-Draft                                                 Microsoft
Intended status: Informational                             March 3, 2014
Expires: September 4, 2014

                     Reflections On Host Firewalls
                    draft-iab-host-firewalls-02.txt

Abstract

   In today's Internet, the need for firewalls is generally accepted in
   the industry and indeed firewalls are widely deployed in practice.
   Often the result is that software may be running and potentially
   consuming resources, but then communication is blocked by a firewall.
   It's taken for granted that this end state is either desirable or the
   best that can be achieved in practice, rather than (for example) an
   end state where the relevant software is not running or is running in
   a way that would not result in unwanted communication.  In this
   document, we explore the issues behind these assumptions and provide
   suggestions on improving the architecture going forward.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 4, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

Thaler                  Expires September 4, 2014               [Page 1]
Internet-Draft               Host Firewalls                   March 2014

   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Firewall Rules  . . . . . . . . . . . . . . . . . . . . . . .   5
   3.  Category 1: Attack Surface Reduction  . . . . . . . . . . . .   6
     3.1.  Stealth Mode  . . . . . . . . . . . . . . . . . . . . . .   7
     3.2.  Discussion of Approaches  . . . . . . . . . . . . . . . .   7
       3.2.1.  Fix the Software  . . . . . . . . . . . . . . . . . .   7
       3.2.2.  Don't Use the Software  . . . . . . . . . . . . . . .   8
       3.2.3.  Run the Software Behind a Firewall  . . . . . . . . .   8
   4.  Category 2: Security Policy . . . . . . . . . . . . . . . . .   9
     4.1.  Discussion of Approaches  . . . . . . . . . . . . . . . .   9
       4.1.1.  Security Policies in Applications . . . . . . . . . .   9
       4.1.2.  Security Policies in Firewalls  . . . . . . . . . . .  10
       4.1.3.  Security Policies in a Service  . . . . . . . . . . .  11
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  12
   8.  IAB Members at the Time of This Writing . . . . . . . . . . .  12
   9.  Informative References  . . . . . . . . . . . . . . . . . . .  12
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  14

1.  Introduction

   [I-D.iab-filtering-considerations] discusses the issue of blocking or
   filtering abusive or objectionable content and communications, and
   the effects on the overall Internet architecture.  This document
   complements that discussion by focusing on the architectural effects
   of host firewalls on hosts and applications.

   "Behavior of and Requirements for Internet Firewalls" [RFC2979]
   provides an introduction to firewalls and the requirement for
   transparency in particular, stating:

      The introduction of a firewall and any associated tunneling or
      access negotiation facilities MUST NOT cause unintended failures
      of legitimate and standards-compliant usage that would work were