I am also not sure of the intent of this draft. Is the intent of the draft to
provide the guideline on configuring Firewall?
Comment to the first paragraph in Section 10 Recommendation:
Most deployed FWs are usually not "single purposed" as characterized, i.e. as either a
"zone-based" FW or a "rule-based" FW. A FW that has rules on zones can also
have rules to allow sessions originated from outside to some applications.
Comment to the second paragraph in Section 10 Recommendation:
In order to achieve the recommendation described by the second paragraph
of the Section 10 Recommendations, the router has to install all the host
routes for "Bob, Alice, etc". It doesn't scale.
Role-based firewalls can be implemented using routing technology. For
example, if Alice should not be able to send a message to Bob, Alice's routing
system might not have a route to Bob, or Bob's routing system might not have a
route to Alice.
Comment to "FW SHOULD NOT attempt to perform any kind of DPI":
Many modern FWs do perform DPI. Are you saying they should be stripped off
the network? They all have legitimate reasons to be deployed, and they are
running fine.
Linda Dunbar
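As an added illustration of the first comment above (a zone-based firewall that also carries explicit rules admitting sessions originated from outside to particular applications), here is a small Python model of such a policy. It is constructed for this thread and is not code from the draft, from any vendor, or from either correspondent; the zone prefixes, addresses, ports and the two application rules are made-up assumptions.

```python
"""Toy zone-based stateful firewall (constructed example, not from the draft).

Three zones with a zone-pair default policy, plus explicit per-application
rules that let outside-originated sessions reach specific DMZ services, and a
session table so that replies to a permitted session are accepted without a
zone rule of their own. All prefixes, hosts and ports are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = True    # True for a session-opening segment (SYN) or a UDP request


# Assumed zone membership; "outside" is the catch-all and is checked last.
ZONES = {
    "inside": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("192.0.2.0/24")],
    "outside": [ip_network("0.0.0.0/0")],
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name in ("inside", "dmz", "outside"):
        if any(ip in net for net in ZONES[name]):
            return name
    raise ValueError(f"no zone for {addr}")


# Zone-pair default: which zone may *originate* sessions towards which.
ZONE_POLICY = {
    ("inside", "outside"): "allow",
    ("inside", "dmz"): "allow",
    ("dmz", "outside"): "deny",
    ("dmz", "inside"): "deny",
    ("outside", "inside"): "deny",
    ("outside", "dmz"): "deny",      # overridden per application below
}

# Explicit application rules: (src_zone, dst_host, proto, dport).
# These are the "rules to allow sessions originated from outside" that sit
# alongside the zone policy in the same ruleset.
APP_RULES = [
    ("outside", "192.0.2.10", "tcp", 443),   # assumed DMZ web server
    ("outside", "192.0.2.20", "udp", 53),    # assumed DMZ authoritative DNS
]


class Firewall:
    def __init__(self) -> None:
        # 5-tuples of permitted sessions, stored in both directions.
        self.sessions: set[tuple] = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def _open(self, p: Packet) -> None:
        self.sessions.add(self._key(p))
        self.sessions.add(self._reverse(p))

    def filter(self, p: Packet) -> str:
        # 1. Part of an already permitted session: accept regardless of zones.
        if self._key(p) in self.sessions:
            return "allow"
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        if src_zone == dst_zone:
            return "allow"          # intra-zone traffic is not filtered here
        # 2. A non-opening TCP segment with no session is not a new session.
        if p.proto == "tcp" and not p.syn:
            return "deny"
        # 3. Explicit per-application rule for this source zone and service?
        for sz, host, proto, dport in APP_RULES:
            if sz == src_zone and p.dst == host and p.proto == proto and p.dport == dport:
                self._open(p)
                return "allow"
        # 4. Otherwise the zone-pair default decides.
        verdict = ZONE_POLICY.get((src_zone, dst_zone), "deny")
        if verdict == "allow":
            self._open(p)
        return verdict


def demo() -> list:
    """Run a constructed sequence of packets through one firewall instance."""
    fw = Firewall()
    return [
        # inside client opens a session to an outside web server: zone default
        fw.filter(Packet("10.1.2.3", "203.0.113.5", "tcp", 40000, 443)),
        # the server's reply: accepted via the session table, not a zone rule
        fw.filter(Packet("203.0.113.5", "10.1.2.3", "tcp", 443, 40000, syn=False)),
        # outside opens a session to the DMZ web server: application rule
        fw.filter(Packet("198.51.100.7", "192.0.2.10", "tcp", 51000, 443)),
        # outside to SSH on the same DMZ host: no app rule, zone default denies
        fw.filter(Packet("198.51.100.7", "192.0.2.10", "tcp", 51001, 22)),
        # outside straight into the inside zone: denied
        fw.filter(Packet("198.51.100.7", "10.1.2.3", "tcp", 51002, 443)),
        # unsolicited non-SYN segment pretending to be a reply: denied
        fw.filter(Packet("203.0.113.9", "10.1.2.3", "tcp", 443, 40001, syn=False)),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the model is that the zone policy and the per-application inbound rules live in one ruleset and are evaluated in order, with the session table doing the work of admitting return traffic, which is how the "zone-based" and "rule-based" characterisations overlap in a deployed box.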
-----Original Message-----
From: OPSAWG [mailto:[email protected]] On Behalf Of Panos Kampanakis
(pkampana)
Sent: Thursday, September 17, 2015 12:10 AM
To: Fernando Gont; [email protected]
Cc: '[email protected]'
Subject: Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Security" (Fwd: New
Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
Hi Fernando,
I am struggling to understand the gap this draft fills.
We read "In many cases, as a result, deployments have been underwhelming in
both quantity and quality, and the Internet is noted for its problems with
security.", but I wouldn't say firewall deployments are underwhelming in
quality and quantity. I believe FW are very ubiquitous in today's networks.
Were you referring to something else?
Also I am not sure about what the "bickering on the topic" refers to.
Finally, with all the "NGFW" products and features out there, section 4
could include many more kinds of FWs. Same for section 5.
In general, I think that the draft covers legacy firewalls mostly, not all the
modern FW features that exist today, and I am not sure if it tries to convince
readers about their need (because I don't think in today's world firewalling
functionality can be rejected as unnecessary by anyone).
Panos
-----Original Message-----
From: OPSEC [mailto:[email protected]] On Behalf Of Fernando Gont
Sent: Monday, September 14, 2015 9:05 PM
To: [email protected]
Cc: Internet Area; '[email protected]'; TSV Area; tsvwg; IPv6 Operations
Subject: [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version
Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
Folks,
We have published an I-D entitled "On Firewalls in Internet Security".
The I-D is available at:
<https://www.ietf.org/internet-drafts/draft-gont-opsawg-firewalls-analysis-00.txt>.
Our I-D covers a broad range of topics (ranging from operations to internet and
transport area topics) -- hence the crosspost of this announcement to multiple
mailing-lists.
While we (co-authors) are subscribed to most of the lists to which this
announcement is being crossposted, we expect (for the sake of unifying the
discussion in a single place) the discussion to happen in the
[email protected] mailing-list.
Your feedback will be very welcome.
Thanks!
Best regards,
Fernando
-------- Forwarded Message --------
Subject: New Version Notification for
draft-gont-opsawg-firewalls-analysis-00.txt
Date: Mon, 14 Sep 2015 17:49:41 -0700
From: [email protected]
To: Paul E. Hoffman <[email protected]>, Fernando Gont <[email protected]>,
Fernando Gont <[email protected]>, Fred Baker <[email protected]>,
Fred Baker <[email protected]>, Paul Hoffman <[email protected]>
A new version of I-D, draft-gont-opsawg-firewalls-analysis-00.txt
has been successfully submitted by Fernando Gont and posted to the IETF
repository.
Name: draft-gont-opsawg-firewalls-analysis
Revision: 00
Title: On Firewalls in Internet Security
Document date: 2015-09-15
Group: Individual Submission
Pages: 17
URL:
https://www.ietf.org/internet-drafts/draft-gont-opsawg-firewalls-analysis-00.txt
Status:
https://datatracker.ietf.org/doc/draft-gont-opsawg-firewalls-analysis/
Htmlized:
https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-00
Abstract:
This document analyzes the role of firewalls in Internet security,
and suggests a line of reasoning about their usage. It analyzes
common kinds of firewalls and the claims made for them.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
_______________________________________________
OPSAWG mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/opsawg