Reflections on Host Firewalls
RFC 7288
| Field | Value |
|---|---|
| Document | RFC 7288, Informational (June 2014; no errata); was draft-iab-host-firewalls (IAB) |
| Author | Dave Thaler |
| Last updated | 2014-06-24 |
| Replaces | draft-thaler-iab-host-firewalls |
| Stream | IAB |
| IAB state | Published RFC |
| Consensus Boilerplate | Yes |
| RFC Editor Note | (None) |
Internet Architecture Board (IAB)                           D. Thaler
Request for Comments: 7288                                  Microsoft
Category: Informational                                     June 2014
ISSN: 2070-1721

Reflections on Host Firewalls

Abstract

In today's Internet, the need for firewalls is generally accepted in the industry, and indeed firewalls are widely deployed in practice. Unlike traditional firewalls that protect network links, host firewalls run in end-user systems. Often the result is that software may be running and potentially consuming resources, but then communication is blocked by a host firewall. It's taken for granted that this end state is either desirable or the best that can be achieved in practice, rather than (for example) an end state where the relevant software is not running or is running in a way that would not result in unwanted communication. In this document, we explore the issues behind these assumptions and provide suggestions on improving the architecture going forward.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Architecture Board (IAB) and represents information that the IAB has deemed valuable to provide for permanent record. It represents the consensus of the Internet Architecture Board (IAB). Documents approved for publication by the IAB are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7288.

Thaler                        Informational                     [Page 1]
RFC 7288                     Host Firewalls                    June 2014

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

1. Introduction ..... 3
   1.1. Terminology ..... 4
2. Firewall Rules ..... 5
3. Category 1: Attack Surface Reduction ..... 6
   3.1. Discussion of Approaches ..... 7
      3.1.1. Fix the Software ..... 7
      3.1.2. Don't Use the Software ..... 8
      3.1.3. Run the Software behind a Host Firewall ..... 8
4. Category 2: Security Policy ..... 9
   4.1. Discussion of Approaches ..... 9
      4.1.1. Security Policies in Applications ..... 9
      4.1.2. Security Policies in Host Firewalls ..... 9
      4.1.3. Security Policies in a Service ..... 10
5. Stealth Mode ..... 11
6. Security Considerations ..... 11
7. Acknowledgements ..... 11
8. IAB Members at the Time of Approval ..... 12
9. Informative References ..... 12

1. Introduction

[BLOCK-FILTER] discusses the issue of blocking or filtering abusive or objectionable content and communications, and the effects on the overall Internet architecture. This document complements that discussion by focusing on the architectural effects of host firewalls on hosts and applications.
"Behavior of and Requirements for Internet Firewalls" [RFC2979] provides an introduction to firewalls and the requirement for transparency in particular, stating:

   The introduction of a firewall and any associated tunneling or access negotiation facilities MUST NOT cause unintended failures of legitimate and standards-compliant usage that would work were the firewall not present.

Many firewalls today do not follow that guidance, such as by blocking traffic containing IP options or IPv6 extension headers (see [RFC7045] for more discussion).

In Section 2.1 of "Reflections on Internet Transparency" [RFC4924], the IAB provided additional thoughts on firewalls and their impact on the Internet architecture, including issues around disclosure
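As an added illustration of the extension-header point above (example code written for this page, not part of RFC 7288 or RFC 7045): a host firewall that applies its "allow TCP/UDP" rule only to the fixed IPv6 header's Next Header field silently drops every packet that carries an extension header, whereas one that walks the chain can apply the same policy to the real transport protocol. The packet samples and the helper names are constructed here.

```python
import struct

IPV6_HDR_LEN = 40
CHAINED = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options: carry (NextHdr, HdrExtLen)
FRAGMENT = 44           # Fragment header: fixed 8 bytes
TCP, UDP = 6, 17

def find_upper_layer(pkt: bytes):
    """Walk the extension-header chain and return (protocol number, offset)
    of the upper-layer header; raise ValueError on malformed chains."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in CHAINED or nh == FRAGMENT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment is always 8 bytes; the others give HdrExtLen in 8-octet
        # units, not counting the first 8 octets (IPv6 HdrExtLen encoding).
        hdr_len = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hdr_len   # offset strictly grows, so the loop ends
    if off > len(pkt):
        raise ValueError("truncated extension header")
    return nh, off

def naive_allows(pkt: bytes) -> bool:
    """'Allow TCP/UDP' applied only to the fixed header's Next Header field:
    every packet carrying an extension header is dropped."""
    return pkt[6] in (TCP, UDP)

def aware_allows(pkt: bytes) -> bool:
    """The same policy applied to the real upper-layer protocol."""
    try:
        proto, _ = find_upper_layer(pkt)
    except ValueError:
        return False
    return proto in (TCP, UDP)

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed IPv6 fixed header (version 6, zero addresses) + payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + bytes(32) + payload

# Constructed samples: dummy 20-byte TCP / 8-byte UDP headers behind real extension headers.
HBH = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])            # Hop-by-Hop: next=TCP, HdrExtLen=0, PadN
DST_OPTS = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])  # Destination Options: next=Fragment
FRAG = bytes([UDP, 0]) + bytes(6)                  # Fragment: next=UDP, offset 0, id 0
PLAIN_TCP = ipv6(TCP, bytes(20))
TCP_WITH_HBH = ipv6(0, HBH + bytes(20))
UDP_FRAGMENTED = ipv6(60, DST_OPTS + FRAG + bytes(8))
```

For `TCP_WITH_HBH` the naive check returns False while the chain-aware check returns True; the aware check also rejects a truncated chain rather than guessing.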