Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

Michael Thomas <mike@mtcc.com> Wed, 23 November 2016 15:31 UTC

To: homenet@ietf.org
From: Michael Thomas <mike@mtcc.com>
Message-ID: <be8a0cd7-7269-da32-4514-823b78ad17b4@mtcc.com>
Date: Wed, 23 Nov 2016 07:31:39 -0800
In-Reply-To: <CAKD1Yr2uB6g6eOJgw10wARXedmLxT6NHXSknLUybUgK-J_eD6w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/MsHp0w-FuJxIFTI8ajoLyLUQZdg>
Subject: Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

On 11/22/2016 06:54 PM, Lorenzo Colitti wrote:
> On Tue, Nov 22, 2016 at 5:34 PM, james woodyatt <jhw@google.com> wrote:
>
>>     The recent IoT DDoS publicity is a good example; the devices that
>>     are the Mirai botnet are devices that had/have open ports facing
>>     the internet.
>
>     Not quite, cf.
>     <https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/>
>
>     The vast majority of those devices were protected from receiving
>     inbound flows over public Internet routes by the stateful filters
>     of IPv4/NAT gateways.
>
>
> ... and this knowledge is not new. The conficker paper 
> <https://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf> from 2009 
> found that "144,236 (78.9%) of the infected machines were behind a 
> NAT, VPN, proxy, or firewall". We should know this by now: stateful 
> firewalls do not protect against malware.
>
>     It’s not about reducing attack surfaces. It’s about making systems
>     that are safe for deployment in close proximity to humans.
>
>
> +1

I'm glad I'm not the only one who is somewhat dubious of the importance 
of the All Mighty Maginot^H^H^H^H^H^HFirewall in this day and age.
Trivial mobility (e.g., phones, etc.), for one, really launches big old 
rocks at a firewall's assumption of We and They.

Is there some set of standards/BCPs that describe how, say, a light 
bulb controller can create a completely private network for the light 
bulbs that is specifically not routed to the Internet, where the light 
bulb controller acts as an ALG to those bulbs? That seems more of what I 
want than where each individual light bulb has to hope that some 
firewall protects it from the mean old internets.

Mike