> > Please check many discussions in IETF circles. Many deem firewalls as evil.
>
> Could be, I wasn't aware. The industry doesn't seem to do so. Maybe the draft
> serves to address some concerns of the IETF community.
That might be useful - I can supply one such concern ;-).

During TSVWG work on the port usage draft that became RFC 7605, what seemed
like a simple question - Should the secure and insecure variants of a protocol
use different (UDP/TCP/etc.) ports? - generated a long debate with a high
heat/light ratio whose conclusion was effectively "it depends":

   However, there is no IETF consensus on when separate ports should be
   used for secure and insecure variants of the same service [RFC2595]
   [RFC2817] [RFC6335]. The overall preference is for use of a single
   port, as noted in Section 6 of this document and Section 7.2 of
   [RFC6335], but the appropriate approach depends on the specific
   characteristics of the service.

(quoted from https://tools.ietf.org/html/rfc7605#section-7.4)

Firewalls were a consideration in that debate, in that being able to block the
insecure variant of a protocol at the boundary of a zone and allow the secure
variant through in a network-operations-controlled fashion can be useful, but
(as can be seen from the above text) firewall considerations were not an
overriding factor that drove the outcome.

This firewalls draft could be a useful place to discuss the interaction of
operational security policy, firewall functionality and service
characteristics - it would be helpful to shed a bit more light on the
operational security characteristics in general (and firewall-related
considerations in particular) of using separate ports for secure vs. insecure
protocol variants.

Thanks,
--David

> -----Original Message-----
> From: OPSAWG [mailto:[email protected]] On Behalf Of Panos Kampanakis
> (pkampana)
> Sent: Thursday, September 17, 2015 11:23 PM
> To: Fernando Gont; [email protected]
> Cc: '[email protected]'
> Subject: Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Security" (Fwd: New
> Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
>
> Sorry I didn't see Melinda's response. Maybe because I am not subscribed to
> opsawg.
>
> > Would you mind elaborating on the kind of features that you're referring to?
>
> Vendors have multiple. Some are:
> - File inspection, Application visibility and control
> - TLS proxying
> - IPS
> - Malware protection
> - DNS blackholing
> - Botnet protection, similar to reputation filtering
> - Web protection and filtering
> - behavioral analysis, event correlation
> - Vulnerability analysis
> - Traffic control (policing etc)
> - Threat protection (top talkers, DoS etc)
> Firewalls and their management platforms have so many functions nowadays,
> especially with so many vendors, that it is very tough to account for them in
> one document I think.
>
> > Please check many discussions in IETF circles. Many deem firewalls as evil.
>
> Could be, I wasn't aware. The industry doesn't seem to do so. Maybe the draft
> serves to address some concerns of the IETF community.
>
> Panos
>
>
> -----Original Message-----
> From: Fernando Gont [mailto:[email protected]]
> Sent: Thursday, September 17, 2015 8:31 PM
> To: Panos Kampanakis (pkampana); [email protected]
> Cc: '[email protected]'
> Subject: Re: [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version
> Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
>
> Hi, Panos,
>
> Thanks so much for your feedback! Please find some responses in-line (more
> coming...)
>
> On 09/17/2015 02:10 AM, Panos Kampanakis (pkampana) wrote:
> >
> > I am struggling to understand the gap this draft fills.
>
> Please see Melinda's comments...
>
>
> > Finally, with all the "NGFW" products and features out there that
> > section 4 could include many more kinds of fws. Same for section 5.
>
> Would you mind elaborating on the kind of features that you're referring to?
>
> > In general, I think that the draft covers legacy firewalls mostly, not
> > all the modern fw features that exist today and I am not sure if it
> > tries to convince readers about their need (because I don't think in
> > today's world firewalling functionality can be rejected as unnecessary
> > by anyone)
>
> Please check many discussions in IETF circles. Many deem firewalls as evil.
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: [email protected]
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
> _______________________________________________
> OPSAWG mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsawg
