

TCP and Heartbeats - polarix
http://www.250bpm.com/blog:22

======
api
"That admins are not fond of having non-TCP packets on the network. That
firewalls are often configured to discard anything other than TCP or UDP. That
NAT solutions sold by various vendors are not designed to work with SCTP. And
so on, and so on."

NAT and firewalls (between nodes) break the Internet. They're ugly hacks that
have outlived their usefulness. NAT is an ugly hack to fix IPv4's address
space limitations, which IPv6 fixes elegantly. Firewalls were an ugly hack to
fix the fact that most apps had poor-to-no authentication and poor-to-no
encryption in ~1994 when the Internet went mainstream.

Firewalls are of dubious security value today, since the most common threats
are:

* Malware delivered by web and email, which cross the firewall by default in most cases.

* Vulnerabilities in browsers and browser plugins, which are exposed to the web via connections almost always allowed through the firewall.

* Vulnerabilities in outward-facing web apps in the DMZ, which allow attackers to enter and then cross the firewall via a variety of techniques. (Or often the web app itself is the target, and it's dangling out there with little protection.)

* Phishing, spear phishing, targeted malware delivery via compromise of things like software updates and code repositories, and social engineering. It's generally easy to bait users into bringing a trojan horse in past the firewall.

Besides, protocols like SSH and HTTP are "everything protocols" that can
encapsulate anything, so if you allow ports 22, 80, and 443 you are
effectively allowing "all."

Inline firewalls (firewalls not residing on the node) are more trouble than
they're worth. They provide little real-world security, and they do so at
great cost to innovation and convenience. There are other solutions, such as
centrally managed local firewalls or just securing your f'ing services,
that are lower cost and more effective.

In some cases I think firewalls make security worse by encouraging a "soft
underbelly" behind them.

I satirized this whole situation here:

[http://blog.zerotier.com/2013/04/zerotier-networks-enabling-...](http://blog.zerotier.com/2013/04/zerotier-networks-enabling-ip-on.html)

Most people didn't get the joke.

I really hope that IPv6 brings radical deperimeterization and
de-NAT-ification, but I think it's going to take a more open challenge to the
status quo to make that happen.

