Internet Architecture Board (IAB)                              D. Thaler
Request for Comments: 7288                                     Microsoft
Category: Informational                                        June 2014
ISSN: 2070-1721
Reflections on Host Firewalls
Abstract
In today's Internet, the need for firewalls is generally accepted in
the industry, and indeed firewalls are widely deployed in practice.
Unlike traditional firewalls that protect network links, host
firewalls run in end-user systems. Often the result is that software
may be running and potentially consuming resources, but then
communication is blocked by a host firewall. It's taken for granted
that this end state is either desirable or the best that can be
achieved in practice, rather than (for example) an end state where
the relevant software is not running or is running in a way that
would not result in unwanted communication. In this document, we
explore the issues behind these assumptions and provide suggestions
on improving the architecture going forward.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Architecture Board (IAB)
and represents information that the IAB has deemed valuable to
provide for permanent record. It represents the consensus of the
Internet Architecture Board (IAB). Documents approved for
publication by the IAB are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7288.
Thaler Informational [Page 1]
RFC 7288 Host Firewalls June 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . 5
3. Category 1: Attack Surface Reduction . . . . . . . . . . . . 6
3.1. Discussion of Approaches . . . . . . . . . . . . . . . . 7
3.1.1. Fix the Software . . . . . . . . . . . . . . . . . . 7
3.1.2. Don't Use the Software . . . . . . . . . . . . . . . 8
3.1.3. Run the Software behind a Host Firewall . . . . . . . 8
4. Category 2: Security Policy . . . . . . . . . . . . . . . . . 9
4.1. Discussion of Approaches . . . . . . . . . . . . . . . . 9
4.1.1. Security Policies in Applications . . . . . . . . . . 9
4.1.2. Security Policies in Host Firewalls . . . . . . . . . 9
4.1.3. Security Policies in a Service . . . . . . . . . . . 10
5. Stealth Mode . . . . . . . . . . . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
8. IAB Members at the Time of Approval . . . . . . . . . . . . . 12
9. Informative References . . . . . . . . . . . . . . . . . . . 12
1. Introduction
[BLOCK-FILTER] discusses the issue of blocking or filtering abusive
or objectionable content and communications, and the effects on the
overall Internet architecture. This document complements that
discussion by focusing on the architectural effects of host firewalls
on hosts and applications.
"Behavior of and Requirements for Internet Firewalls" [RFC2979]
provides an introduction to firewalls and the requirement for
transparency in particular, stating:
The introduction of a firewall and any associated tunneling or
access negotiation facilities MUST NOT cause unintended failures
of legitimate and standards-compliant usage that would work were
the firewall not present.
Many firewalls today do not follow that guidance, such as by blocking
traffic containing IP options or IPv6 extension headers (see
[RFC7045] for more discussion).
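   The following is an added illustration of that transparency point and
   is not code from RFC 7288, RFC 2979 or RFC 7045.  A filter that looks
   only at the Next Header field of the fixed IPv6 header drops every
   packet that carries an extension header, even when the transport header
   behind it would pass the policy; a filter that walks the extension-
   header chain applies the same port policy to the real upper-layer
   header, defers non-first fragments (whose transport header is not in
   the packet) instead of blanket-dropping them, and fails closed on a
   malformed chain.  The packets are constructed inline with struct, and
   the allow-list, addresses and port numbers are hypothetical.

```python
"""Walking an IPv6 extension-header chain before making a filtering decision.

Added example, not code from RFC 7288 or RFC 7045.  Packets are constructed
inline with struct; the allow-list and the port numbers are hypothetical.
"""
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
TCP, UDP = 6, 17
# Hypothetical policy: protocol -> set of permitted destination ports.
ALLOWED = {TCP: {443}, UDP: {53}}


def walk_extension_headers(pkt):
    """Return (upper_layer_proto, offset, is_nonfirst_fragment).

    offset points at the upper-layer header.  For a non-first fragment the
    transport header is absent, so only the reassembled datagram can be
    judged.  Raises ValueError on a malformed or truncated chain.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, nonfirst = pkt[6], IPV6_HDR_LEN, False
    for _ in range(8):                      # bound the walk; never loop on hostile input
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len excludes the first 8 octets
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            hdr_len = 8
            nonfirst = (struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3) != 0
        elif nh == AH:
            if off + 2 > len(pkt):
                raise ValueError("truncated AH")
            hdr_len = (pkt[off + 1] + 2) * 4  # AH Payload Len is in 32-bit words minus 2
        else:
            return nh, off, nonfirst        # transport, ESP (opaque) or No Next Header
        if off + hdr_len > len(pkt):
            raise ValueError("extension header runs past end of packet")
        nh, off = pkt[off], off + hdr_len
    raise ValueError("extension header chain too long")


def _dst_port(pkt, off):
    if off + 4 > len(pkt):
        raise ValueError("truncated transport header")
    return struct.unpack("!H", pkt[off + 2:off + 4])[0]


def naive_filter(pkt):
    """Non-transparent rule: decide on the fixed header's Next Header only,
    so every packet carrying an extension header is dropped."""
    proto = pkt[6]
    if proto not in ALLOWED:
        return "drop"
    return "accept" if _dst_port(pkt, IPV6_HDR_LEN) in ALLOWED[proto] else "drop"


def chain_aware_filter(pkt):
    """Walk the chain, then apply the same policy to the real upper layer."""
    try:
        proto, off, nonfirst = walk_extension_headers(pkt)
        if nonfirst:
            return "defer"                  # needs fragment state, not a blanket drop
        if proto not in ALLOWED:
            return "drop"
        return "accept" if _dst_port(pkt, off) in ALLOWED[proto] else "drop"
    except ValueError:
        return "drop"                       # malformed or truncated: fail closed


# Constructed packets (hypothetical addresses and ports) for the comparison.
def build_ipv6(next_header, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def tcp_syn(dst_port, src_port=40000):
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def dest_options(next_header):
    # One PadN option (type 1, length 4) pads the header to the 8-octet minimum.
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment(next_header, offset, ident=0x1234):
    return struct.pack("!BBHI", next_header, 0, offset << 3, ident)


PLAIN_TCP = build_ipv6(TCP, tcp_syn(443))
TCP_WITH_DSTOPTS = build_ipv6(DEST_OPTS, dest_options(TCP) + tcp_syn(443))
TCP_TO_SSH_WITH_DSTOPTS = build_ipv6(DEST_OPTS, dest_options(TCP) + tcp_syn(22))
NONFIRST_FRAGMENT = build_ipv6(FRAGMENT, fragment(TCP, offset=100) + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in [("plain TCP/443", PLAIN_TCP),
                      ("TCP/443 behind Dest Options", TCP_WITH_DSTOPTS),
                      ("TCP/22 behind Dest Options", TCP_TO_SSH_WITH_DSTOPTS),
                      ("non-first fragment", NONFIRST_FRAGMENT)]:
        print(f"{name:30s} naive={naive_filter(pkt):6s} chain-aware={chain_aware_filter(pkt)}")
```

   Run stand-alone, the script shows the two rule sets agreeing on the
   plain packet and on the disallowed port, and disagreeing only on the
   packet whose TCP/443 header sits behind a Destination Options header:
   the naive rule drops it, which is exactly the unintended failure the
   RFC 2979 requirement forbids.  The bounded loop and the "fail closed"
   branch are the parts a production filter must keep; an unbounded chain
   walk or a parser that trusts the length fields is itself an attack
   surface.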
In Section 2.1 of "Reflections on Internet Transparency" [RFC4924],
the IAB provided additional thoughts on firewalls and their impact on
the Internet architecture, including issues around disclosure