Reflections on Host Firewalls
RFC 7288

Document Type RFC - Informational (June 2014; No errata)
Last updated 2014-06-24
Replaces draft-thaler-iab-host-firewalls
Stream IAB
Internet Architecture Board (IAB)                              D. Thaler
Request for Comments: 7288                                     Microsoft
Category: Informational                                        June 2014
ISSN: 2070-1721

                     Reflections on Host Firewalls

Abstract

   In today's Internet, the need for firewalls is generally accepted in
   the industry, and indeed firewalls are widely deployed in practice.
   Unlike traditional firewalls that protect network links, host
   firewalls run in end-user systems.  Often the result is that software
   may be running and potentially consuming resources, but then
   communication is blocked by a host firewall.  It's taken for granted
   that this end state is either desirable or the best that can be
   achieved in practice, rather than (for example) an end state where
   the relevant software is not running or is running in a way that
   would not result in unwanted communication.  In this document, we
   explore the issues behind these assumptions and provide suggestions
   on improving the architecture going forward.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Architecture Board (IAB)
   and represents information that the IAB has deemed valuable to
   provide for permanent record.  It represents the consensus of the
   Internet Architecture Board (IAB).  Documents approved for
   publication by the IAB are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7288.

Thaler                        Informational                     [Page 1]
RFC 7288                     Host Firewalls                    June 2014

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Firewall Rules  . . . . . . . . . . . . . . . . . . . . . . .   5
   3.  Category 1: Attack Surface Reduction  . . . . . . . . . . . .   6
     3.1.  Discussion of Approaches  . . . . . . . . . . . . . . . .   7
       3.1.1.  Fix the Software  . . . . . . . . . . . . . . . . . .   7
       3.1.2.  Don't Use the Software  . . . . . . . . . . . . . . .   8
       3.1.3.  Run the Software behind a Host Firewall . . . . . . .   8
   4.  Category 2: Security Policy . . . . . . . . . . . . . . . . .   9
     4.1.  Discussion of Approaches  . . . . . . . . . . . . . . . .   9
       4.1.1.  Security Policies in Applications . . . . . . . . . .   9
       4.1.2.  Security Policies in Host Firewalls . . . . . . . . .   9
       4.1.3.  Security Policies in a Service  . . . . . . . . . . .  10
   5.  Stealth Mode  . . . . . . . . . . . . . . . . . . . . . . . .  11
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  11
   8.  IAB Members at the Time of Approval . . . . . . . . . . . . .  12
   9.  Informative References  . . . . . . . . . . . . . . . . . . .  12


1.  Introduction

   [BLOCK-FILTER] discusses the issue of blocking or filtering abusive
   or objectionable content and communications, and the effects on the
   overall Internet architecture.  This document complements that
   discussion by focusing on the architectural effects of host firewalls
   on hosts and applications.

   "Behavior of and Requirements for Internet Firewalls" [RFC2979]
   provides an introduction to firewalls and the requirement for
   transparency in particular, stating:

      The introduction of a firewall and any associated tunneling or
      access negotiation facilities MUST NOT cause unintended failures
      of legitimate and standards-compliant usage that would work were
      the firewall not present.

   Many firewalls today do not follow that guidance, such as by blocking
   traffic containing IP options or IPv6 extension headers (see
   [RFC7045] for more discussion).
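   The following is an added illustration, not part of RFC 7288 or any
   firewall product, of the difference between a host firewall that
   honours the RFC 2979 transparency requirement and one that violates
   it in the way just described.  The transparent filter steps over
   the IPv6 extension header chain (Hop-by-Hop, Routing, Fragment, AH,
   Destination Options) to find the transport header and applies its
   port policy there; the naive filter drops any packet whose first
   Next Header is not already a transport protocol.  The packets are
   constructed in the script (zero addresses, arbitrary ports); the
   function names and the allow-list are assumptions for the example.

```python
import struct

# IPv6 extension headers a transparent filter must be able to skip over.
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
TCP, UDP, ICMPV6 = 6, 17, 58


def walk_ipv6_chain(pkt):
    """Return (chain, upper_proto, offset) for an IPv6 packet.

    chain       -- extension header numbers seen, in order
    upper_proto -- Next Header value of the first non-extension header
    offset      -- byte offset in pkt where that header starts
    Raises ValueError on anything truncated or non-IPv6.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = pkt[6], 40, []
    while True:
        if next_hdr in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            if len(pkt) < offset + 2:
                raise ValueError("truncated extension header")
            hdr_len = (pkt[offset + 1] + 1) * 8      # Hdr Ext Len in 8-octet units
        elif next_hdr == FRAGMENT:
            hdr_len = 8                               # fixed-size header
        elif next_hdr == AUTH:
            if len(pkt) < offset + 2:
                raise ValueError("truncated AH")
            hdr_len = (pkt[offset + 1] + 2) * 4      # AH length in 4-octet units
        else:
            return chain, next_hdr, offset            # reached the upper layer
        if len(pkt) < offset + hdr_len:
            raise ValueError("truncated extension header")
        chain.append(next_hdr)
        next_hdr = pkt[offset]                        # Next Header of this ext hdr
        offset += hdr_len


def allow_inbound(pkt, allowed_tcp_ports):
    """Transparent policy: skip extension headers, decide on the transport header."""
    try:
        chain, proto, off = walk_ipv6_chain(pkt)
    except ValueError as err:
        return False, "malformed: %s" % err
    if proto == TCP:
        if len(pkt) < off + 4:
            return False, "truncated TCP header"
        dst_port = struct.unpack_from("!HH", pkt, off)[1]
        return dst_port in allowed_tcp_ports, "tcp/%d via %s" % (dst_port, chain)
    if proto == ICMPV6:
        return True, "icmpv6"
    return False, "protocol %d not permitted" % proto


def naive_allow(pkt, allowed_tcp_ports):
    """Non-transparent behaviour: anything behind an extension header is dropped."""
    if pkt[6] == TCP:
        return struct.unpack_from("!HH", pkt, 40)[1] in allowed_tcp_ports
    return pkt[6] == ICMPV6


def build_packet(ext_headers, upper_proto, payload):
    """Construct a minimal IPv6 packet for the example (not a captured packet)."""
    protos = [h for h, _ in ext_headers] + [upper_proto]
    body = b""
    for i, (hdr, opts) in enumerate(ext_headers):
        nxt = protos[i + 1]
        if hdr == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0, 0x12345678)
        else:
            data = opts
            while (len(data) + 2) % 8:                # pad with Pad1 options
                data += b"\x00"
            body += bytes([nxt, (len(data) + 2) // 8 - 1]) + data
    body += payload
    fixed = struct.pack("!IHBB", 0x60000000, len(body), protos[0], 64)
    return fixed + bytes(16) + bytes(16) + body       # zero src/dst addresses


# Constructed sample packets: a TCP SYN to port 443 behind various chains.
TCP_SYN_443 = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
PKT_DESTOPTS_TCP = build_packet([(DEST_OPTS, b"")], TCP, TCP_SYN_443)
PKT_HBH_FRAG_TCP = build_packet([(HOP_BY_HOP, b""), (FRAGMENT, b"")], TCP, TCP_SYN_443)

if __name__ == "__main__":
    for name, pkt in [("destopts+tcp", PKT_DESTOPTS_TCP), ("hbh+frag+tcp", PKT_HBH_FRAG_TCP)]:
        print(name, "transparent:", allow_inbound(pkt, {443}), "naive:", naive_allow(pkt, {443}))
```

   The naive filter rejects both packets even though each carries an
   ordinary TCP SYN to an allowed port; the transparent filter reaches
   the same decision it would make with no extension headers present,
   and still drops packets whose chain is truncated rather than guessing.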

   In Section 2.1 of "Reflections on Internet Transparency" [RFC4924],
   the IAB provided additional thoughts on firewalls and their impact on
   the Internet architecture, including issues around disclosure