I think this is important work, but i think this draft is too broad to be effective in its current form. I think it would be a great value to adopt the common enterprise network view and scope of a "stateful firewall" that most people think of... from the likes of Checkpoint, Palo Alto, ...
On Fri, Oct 16, 2015 at 12:53 PM, Fernando Gont <[email protected]> wrote: > Hi, Rick, > > Thanks so much for your feedback! Please find my responses in-line... > > On 10/16/2015 09:19 AM, Rick Casarez wrote: > > While I get amused reading such things are we sure we need lines like > > this in the document? > > > > "...and attempts to end the bickering on the topic, which is, for the > > most part, of little value in illuminating the discussion." > > > > A few parts of the introduction I think can be re-worded to express the > > issues professionally without getting people defensive by making the > > statements you are making. Rise above it. > > I'll re-check the text -- The Intro was going to be re-worked, anyway. > > > > > In Section 2: > > > > Firewall - I am wondering if a better definition can be made. From what > > you wrote I cannot distinguish between a Firewall and an ACL. > > An ACL is a policy. A firewall is a device that enforces filtering > policies. > > This defintion makes every on path device a firewall. This is not a good places to go. > > No mention > > of state tracking for instance etc. > > Ok, will try to add somethin in this respect. > > > This is the core of what 99% of the world thinks a firewall is. > > > Defense-in-depth - I think you should define this term in this section > > since you go on to use it in following sections. > > Will do. > > > > > Section 3.3: > > > > The sentence: > > > > "By that line of reasoning, a firewall primarily protects > > infrastructure, by preventing traffic that would attack it from it." > > > > I think flows better as: > > > > "By that line of reasoning, a firewall primarily protects > > infrastructure, by preventing traffic that would attack it." > > > > or > > > > "A firewall primarily protects against infrastructure attacks." > > This seond option my work. (Your first option changes the meaning of the > sentence). > > > eh...what is infrastructure... slippery slope here. > > Section 5.1: > > > > "The drawback of this approach is that the security goal of "block > > traffic unless it is explicitly allowed" prevents useful new > applications." > > > > I am not sure I understand this line. It blocks new applications from > > immediately traversing the firewall. I know from experience though that > > when a discussion is had with the NetSec team the application can be > > added to the allow list. So not sure a "default deny" means new stuff > > never gets allowed as the text insinuates. > > Well, that depends on where the firewall is being deployed, and if it is > actively managed. > > Actively managed vs not actively are worlds apart. Do not lump them together. Same with stateful vs stateless > > > > Section 6: > > > > There are temporary IPv4 addresses too. > > Not by definition I'd say. Or... would you mind elaborating a bit more > in this respect? > > > > > As for application being tunneled over well-known ports that sounds like > > a breakdown of communication between the Service Owners and NetSec. > > Simple communication *should* lead to the creation of a profile for that > > new application and its individual port. By doing what you describe it > > sounds like a Service Owner trying to get out of doing due diligence > > with NetSec or not knowing what port their application needs for access > > (More common than you might think). > > Yes. Or, at times, a user/app trying to circumvent unmanaged firewalls. > -- Ironically, at times these protocols are referred to as "firewall > friendly". > > Yes... own the PC via Phishing or Flash, then use PCP from the PC to open all the rules you want! CB > Thanks! > > Best regards, > -- > Fernando Gont > SI6 Networks > e-mail: [email protected] > PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 > > > > > _______________________________________________ > v6ops mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/v6ops >
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
