While I get amused reading such things are we sure we need lines like this in the document?
"...and attempts to end the bickering on the topic, which is, for the most part, of little value in illuminating the discussion." A few parts of the introduction I think can be re-worded to express the issues professionally without getting people defensive by making the statements you are making. Rise above it. In Section 2: Firewall - I am wondering if a better definition can be made. From what you wrote I cannot distinguish between a Firewall and an ACL. No mention of state tracking for instance etc. Defense-in-depth - I think you should define this term in this section since you go on to use it in following sections. It helps by also showing the differences between it and perimeter. Section 3.3: The sentence: "By that line of reasoning, a firewall primarily protects infrastructure, by preventing traffic that would attack it from it." I think flows better as: "By that line of reasoning, a firewall primarily protects infrastructure, by preventing traffic that would attack it." or "A firewall primarily protects against infrastructure attacks." Section 5.1: "The drawback of this approach is that the security goal of "block traffic unless it is explicitly allowed" prevents useful new applications." I am not sure I understand this line. It blocks new applications from immediately traversing the firewall. I know from experience though that when a discussion is had with the NetSec team the application can be added to the allow list. So not sure a "default deny" means new stuff never gets allowed as the text insinuates. Section 6: There are temporary IPv4 addresses too. Usually the prefix is allowed with a set access or security profile. The only problems I am aware of is if you mix hosts with differing access/security profiles into one subnet. This is fixed by designating subnets for specific profiles. IPv6 is not any different and can work the same way. As for application being tunneled over well-known ports that sounds like a breakdown of communication between the Service Owners and NetSec. Simple communication *should* lead to the creation of a profile for that new application and its individual port. By doing what you describe it sounds like a Service Owner trying to get out of doing due diligence with NetSec or not knowing what port their application needs for access (More common than you might think). ------------------- Cheers, Rick Experiences not things. On Tue, Oct 13, 2015 at 9:52 AM, Fernando Gont <[email protected]> wrote: > FYI. > > This rev hopefully addresses some/most/all of the comments received so > far (mostly by Eric Vyncke and James Woodyatt). > > More comments/feedback will be welcome. > > Thanks, > Fernando > > > > > -------- Forwarded Message -------- > Subject: New Version Notification for > draft-gont-opsawg-firewalls-analysis-01.txt > Date: Tue, 13 Oct 2015 06:45:30 -0700 > From: [email protected] > To: Fred Baker <[email protected]>, Fernando Gont <[email protected]> > > > A new version of I-D, draft-gont-opsawg-firewalls-analysis-01.txt > has been successfully submitted by Fernando Gont and posted to the > IETF repository. > > Name: draft-gont-opsawg-firewalls-analysis > Revision: 01 > Title: On Firewalls in Network Security > Document date: 2015-10-13 > Group: Individual Submission > Pages: 17 > URL: > > https://www.ietf.org/internet-drafts/draft-gont-opsawg-firewalls-analysis-01.txt > Status: > https://datatracker.ietf.org/doc/draft-gont-opsawg-firewalls-analysis/ > Htmlized: > https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01 > Diff: > https://www.ietf.org/rfcdiff?url2=draft-gont-opsawg-firewalls-analysis-01 > > Abstract: > This document analyzes the role of firewalls in network security, and > suggests a line of reasoning about their usage. It analyzes common > kinds of firewalls and the claims made for them. > > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > > > _______________________________________________ > v6ops mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/v6ops >
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
