Hi, Rick,

Thanks so much for your feedback! Please find my responses in-line...

On 10/16/2015 09:19 AM, Rick Casarez wrote:
> While I get amused reading such things, are we sure we need lines like
> this in the document?
>
> "...and attempts to end the bickering on the topic, which is, for the
> most part, of little value in illuminating the discussion."
>
> A few parts of the introduction I think can be re-worded to express the
> issues professionally without getting people defensive by making the
> statements you are making. Rise above it.

I'll re-check the text -- the Intro was going to be re-worked, anyway.

> In Section 2:
>
> Firewall - I am wondering if a better definition can be made. From what
> you wrote I cannot distinguish between a Firewall and an ACL.

An ACL is a policy. A firewall is a device that enforces filtering policies.

> No mention of state tracking for instance etc.

Ok, will try to add something in this respect.

> Defense-in-depth - I think you should define this term in this section
> since you go on to use it in following sections.

Will do.

> Section 3.3:
>
> The sentence:
>
> "By that line of reasoning, a firewall primarily protects
> infrastructure, by preventing traffic that would attack it from it."
>
> I think flows better as:
>
> "By that line of reasoning, a firewall primarily protects
> infrastructure, by preventing traffic that would attack it."
>
> or
>
> "A firewall primarily protects against infrastructure attacks."

This second option may work. (Your first option changes the meaning of the sentence.)

> Section 5.1:
>
> "The drawback of this approach is that the security goal of "block
> traffic unless it is explicitly allowed" prevents useful new applications."
>
> I am not sure I understand this line. It blocks new applications from
> immediately traversing the firewall. I know from experience though that
> when a discussion is had with the NetSec team the application can be
> added to the allow list. So not sure a "default deny" means new stuff
> never gets allowed as the text insinuates.

Well, that depends on where the firewall is being deployed, and if it is actively managed.

> Section 6:
>
> There are temporary IPv4 addresses too.

Not by definition I'd say. Or... would you mind elaborating a bit more in this respect?

> As for applications being tunneled over well-known ports, that sounds like
> a breakdown of communication between the Service Owners and NetSec.
> Simple communication *should* lead to the creation of a profile for that
> new application and its individual port. By doing what you describe it
> sounds like a Service Owner trying to get out of doing due diligence
> with NetSec or not knowing what port their application needs for access
> (more common than you might think).

Yes. Or, at times, a user/app trying to circumvent unmanaged firewalls. -- Ironically, at times these protocols are referred to as "firewall friendly".

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
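An added example, not code from the draft or from either participant in the thread, illustrating the Section 2 point that an ACL is the policy while the firewall is the device that enforces it (with the state tracking Rick mentions), and the Section 5.1 point that under default deny a new application is blocked until NetSec allow-lists it. The prefix matcher is a toy, and all addresses, ports and rules are constructed sample values.

```python
from collections import namedtuple

# Constructed types: a packet's 5-tuple, and one ACL entry (src/dst are prefixes
# such as "10.0.0." or "any"; action is "allow" or "deny").
Packet = namedtuple("Packet", "src dst proto sport dport")
Rule = namedtuple("Rule", "src dst proto dport action")

def _in_prefix(addr, prefix):
    return prefix == "any" or addr.startswith(prefix)  # toy prefix matcher

def acl_decision(acl, pkt):
    """The ACL is the policy: a stateless, first-match lookup; None if no rule matches."""
    for r in acl:
        if (_in_prefix(pkt.src, r.src) and _in_prefix(pkt.dst, r.dst)
                and pkt.proto == r.proto and pkt.dport == r.dport):
            return r.action
    return None

class StatefulFirewall:
    """The firewall is the device: enforces the ACL, tracks state, defaults to deny."""
    def __init__(self, acl):
        self.acl = acl
        self.state = set()   # 5-tuples of connections already allowed through

    def filter(self, pkt):
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.state:  # reply to a connection we let through
            return "allow (established)"
        action = acl_decision(self.acl, pkt)
        if action == "allow":
            self.state.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return "allow"
        return "deny (default)" if action is None else action

def demo():
    # Constructed policy: internal hosts may open HTTPS to anywhere; nothing else listed.
    acl = [Rule("10.0.0.", "any", "tcp", 443, "allow")]
    fw = StatefulFirewall(acl)
    out = Packet("10.0.0.5", "203.0.113.9", "tcp", 51000, 443)
    reply = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51000)
    probe = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51001)
    new_app = Packet("10.0.0.5", "203.0.113.9", "tcp", 51002, 8443)
    results = {"outbound https": fw.filter(out),
               "reply, by policy alone": str(acl_decision(acl, reply)),
               "reply, by firewall": fw.filter(reply),
               "unsolicited inbound": fw.filter(probe),
               "new app before allow-listing": fw.filter(new_app)}
    acl.append(Rule("10.0.0.", "any", "tcp", 8443, "allow"))  # NetSec adds a profile
    results["new app after allow-listing"] = fw.filter(new_app)
    return results
```

The stateless policy lookup alone would default-deny the server's reply; only the device's state table lets it through, which is the distinction the draft's Section 2 text is asked to make.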
