-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Wed, Sep 25, 2013 at 08:42:38PM +0200, Björn Persson wrote:
> Eric H. Christensen wrote:
> > Authentication is based on WEP/WPA/WPA2 passphrase, possibly a MAC
> > address (BSSID), and 802.1 authentication.
> There were no protests and no warnings. Obviously nothing tries to
> ensure that only authenticated networks are put in a trusted zone.
Just the user. If the user doesn't trust the network then the user probably
shouldn't mark it as "trusted".
> > This is wireless, however. Hardline connections will always
> > be a bit more secure and the auto zone there will make more sense.
> Given that many wireless home networks use WPA2 these days, but few if
> any wired home networks use 802.1X, it looks like with FirewallD wired
> connections may actually be *less* secure than wireless connections.
Not really.
> ... but any Ethernets they connect to will be
> treated as the home network, which many users probably don't realize.
I've not tested this completely so I'm not willing to make any assumptions.
One assumption that I will make is that the firewall is secondary to the protections
offered by the software itself. What are you trying to protect yourself from, exactly? I
don't think anyone is going to have a completely wide-open firewall at home and hope
for protection when away. If I were to make assumptions it would be that perhaps the user
would want SSH connectivity at home but not while away. So if port 22 is open on an
outside network there is still the built-in security that comes from SSH that protects the
system.
Before the implementation of firewalld iptables would have to be manually changed to
secure this port. If you didn't do so you were just as at risk as you would be if
NetworkManager didn't put the correct zone on the network connection.
> This difference may be temporary though. Sooner or later ISPs will be
> forced to start providing IPv6 to customers, and then NAT will no longer
> function as a firewall.
NAT was never really supposed to be a security feature.
> It remains to be seen how home networks will
> evolve then.
The evolution has already happened. Notice firewalls on all the end points?
> ... blocking all incoming IPv6 traffic
IPv6 really isn't the problem.
> link-layer encryption like WPA2 won't protect anything anymore
What do you think WPA2 protects against? It has never protected against anything but
decoding of intercepted packets across the wireless link. We use it for authentication
but it isn't true authentication (WPA2 Enterprise could be considered authentication)
in the sense of the word.
> ...and then
> protocols designed for an isolated friendly network will be equally
> insecure on both wired and wireless networks.
Then you probably shouldn't be using protocols designed for an isolated friendly
network. If you do then you probably deserve what happens to you as there is rarely such
a thing as an "isolated friendly network".
> Sent from my computer.
Sent from someone else's computer.
- -- Eric
- --------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks(a)fedoraproject.org - sparks(a)redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
- --------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
-----END PGP SIGNATURE-----
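The point argued in the thread is that the zone a connection lands in is decided by the user's profile (or, if none is set, by firewalld's default zone), not by any property of the network itself, and that an Ethernet profile bound to "home" opens the same services there as the home Wi-Fi does. The following audit script is an added example, not part of this mailing-list message or of firewalld or NetworkManager. It parses constructed sample data in the layout of firewalld's zone files (`/etc/firewalld/zones/<name>.xml`) and NetworkManager keyfile profiles (`/etc/NetworkManager/system-connections/*.nmconnection`), resolves each profile's effective zone, and reports whether that zone exposes SSH (as the `ssh` service or as an explicit 22/tcp port). The fallback zone name `public` is an assumption: it is firewalld's stock `DefaultZone`, but an administrator can change it.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed firewalld zone definitions in the layout firewalld uses for
# /etc/firewalld/zones/<name>.xml. Sample data for this example, not from a real host.
ZONE_XML = {
    "home": """<zone>
  <short>Home</short>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
</zone>""",
    "public": """<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
</zone>""",
    "work": """<zone>
  <short>Work</short>
  <service name="dhcpv6-client"/>
  <port port="22" protocol="tcp"/>
</zone>""",
}

# Constructed NetworkManager keyfile profiles, in the layout of
# /etc/NetworkManager/system-connections/*.nmconnection. The zone= key under
# [connection] is what NetworkManager hands to firewalld when the connection comes up.
CONNECTION_KEYFILES = [
    """[connection]
id=Home Wi-Fi
type=wifi
zone=home

[wifi]
ssid=HomeNet
""",
    """[connection]
id=Wired connection 1
type=ethernet
zone=home
""",
    """[connection]
id=Coffee shop
type=wifi

[wifi]
ssid=FreeCoffee
""",
]

# firewalld's stock DefaultZone (set in /etc/firewalld/firewalld.conf); treated
# here as an assumption, since an administrator may have changed it.
DEFAULT_ZONE = "public"


def zone_opens_ssh(zone_xml: str) -> bool:
    """True if the zone admits SSH, either via the named 'ssh' service
    or via an explicit 22/tcp port entry."""
    root = ET.fromstring(zone_xml)
    if any(s.get("name") == "ssh" for s in root.findall("service")):
        return True
    return any(p.get("port") == "22" and p.get("protocol") == "tcp"
               for p in root.findall("port"))


def parse_connection(keyfile: str) -> dict:
    """Pull id, type and the optional zone out of a NetworkManager keyfile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile)
    conn = cp["connection"]
    return {"id": conn["id"], "type": conn["type"], "zone": conn.get("zone")}


def audit(zones=ZONE_XML, keyfiles=CONNECTION_KEYFILES, default_zone=DEFAULT_ZONE):
    """For each connection profile, resolve the zone it will land in and whether
    that zone exposes SSH. Profiles without a zone= key fall back to the default zone."""
    ssh_by_zone = {name: zone_opens_ssh(xml) for name, xml in zones.items()}
    findings = []
    for kf in keyfiles:
        c = parse_connection(kf)
        effective = c["zone"] or default_zone
        findings.append({
            "id": c["id"],
            "type": c["type"],
            "zone": effective,
            "zone_explicit": c["zone"] is not None,
            "ssh_exposed": ssh_by_zone.get(effective, False),
        })
    return findings


if __name__ == "__main__":
    for f in audit():
        flag = "SSH EXPOSED" if f["ssh_exposed"] else "ssh closed"
        origin = "explicit" if f["zone_explicit"] else "default"
        print(f'{f["id"]:<20} {f["type"]:<9} zone={f["zone"]} ({origin})  {flag}')
```

Run on the sample data, the wired profile shows up with SSH exposed just like the home Wi-Fi, because both carry `zone=home`, while the profile with no `zone=` key falls to the default zone and is closed. On a real host the same two loops can be pointed at the actual zone and keyfile directories; the interesting rows are the ones whose zone was inherited rather than chosen.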