Fernando,

Thank you very much for the reply.

Sections 4 & 5 of the draft are really good.

Linda

-----Original Message-----
From: Fernando Gont [mailto:[email protected]]
Sent: Thursday, September 17, 2015 6:24 PM
To: Linda Dunbar; Panos Kampanakis (pkampana); [email protected]
Cc: '[email protected]'
Subject: Re: [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)

Hi, Linda,

On 09/17/2015 06:15 PM, Linda Dunbar wrote:
> I am also not sure of the intent of this draft. Is the intent of the
> draft to provide the guideline on configuring Firewall?

Certainly not. Please see Melinda's comments.

> Comment to the first paragraph in Section 10 Recommendation:
>
> Most deployed FWs are usually not "single purposed" as characterized
> as "Zone-based" FW, or "Rule based" FW. A FW that has rules on zones
> can also have rules to allow sessions originated from outside to some
> applications.

We didn't mean that firewalls are single purposed. Certainly, a given
device can implement different kinds of firewalls. That doesn't make our
analysis on the kinds of firewalls incorrect, though.

> Comment to the second paragraph in Section 10 Recommendation:
> In order to achieve the recommendation described by the second
> paragraph of the Section 10 Recommendations, the router has to install
> all the host routes for "Bob, Alice, etc". It doesn't scale.

I guess that depends on a number of factors... among others, on the
granularity that you talk about.

> Comment to "FW SHOULD NOT attempt to perform any kind of DPI":
> Many modern FWs do perform DPIs. Are you saying they should be stripped
> off the network? They all had legitimate reasons to be deployed, and
> they are running fine.

You seem to have cut off part of the sentence. It says:

   firewalls of any type SHOULD NOT attempt to perform the kind of deep
   packet inspection and surgery that is common with Network Address
   Translators [RFC2993]

And what we mean is not that FWs should not perform the kind of surgery
that NAT devices perform (e.g., modifying the application data stream).

Thanks!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
