Just trying to help. Answers in line. ------------------- Cheers, Rick
Experiences not things. On Fri, Oct 16, 2015 at 3:53 PM, Fernando Gont <[email protected]> wrote: > Hi, Rick, > > Thanks so much for your feedback! Please find my responses in-line... > > On 10/16/2015 09:19 AM, Rick Casarez wrote: > > While I get amused reading such things are we sure we need lines like > > this in the document? > > > > "...and attempts to end the bickering on the topic, which is, for the > > most part, of little value in illuminating the discussion." > > > > A few parts of the introduction I think can be re-worded to express the > > issues professionally without getting people defensive by making the > > statements you are making. Rise above it. > > I'll re-check the text -- The Intro was going to be re-worked, anyway. > > [Rick] Sounds good. Thanks. > > > > In Section 2: > > > > Firewall - I am wondering if a better definition can be made. From what > > you wrote I cannot distinguish between a Firewall and an ACL. > > An ACL is a policy. A firewall is a device that enforces filtering > policies. > > [Rick] Your definition would encompass routers and switches who have ACL/Filters on interfaces/SVIs. I would not consider these firewalls. > > > No mention > > of state tracking for instance etc. > > Ok, will try to add somethin in this respect. > > [Rick] Please do, as Ca mentions this is how the vast majority of the world define it as. This even includes common compliance audits like PCI/SOC etc. > > > > Defense-in-depth - I think you should define this term in this section > > since you go on to use it in following sections. > > Will do. > > > > > Section 3.3: > > > > The sentence: > > > > "By that line of reasoning, a firewall primarily protects > > infrastructure, by preventing traffic that would attack it from it." > > > > I think flows better as: > > > > "By that line of reasoning, a firewall primarily protects > > infrastructure, by preventing traffic that would attack it." > > > > or > > > > "A firewall primarily protects against infrastructure attacks." > > This seond option my work. (Your first option changes the meaning of the > sentence). > > > > > Section 5.1: > > > > "The drawback of this approach is that the security goal of "block > > traffic unless it is explicitly allowed" prevents useful new > applications." > > > > I am not sure I understand this line. It blocks new applications from > > immediately traversing the firewall. I know from experience though that > > when a discussion is had with the NetSec team the application can be > > added to the allow list. So not sure a "default deny" means new stuff > > never gets allowed as the text insinuates. > > Well, that depends on where the firewall is being deployed, and if it is > actively managed. > > [Rick] I am unaware of any firewall deployed that is no longer managed. The only cases I can think of is if the company has fired all engineers after initial deployment. This would make it a business problem, not a technical one since appropriate staffing is a business item. Placement of the firewall is moot since if staffing is done correctly the scenario I describe above should happen. If not staffed properly the business has issues not related to creating new applications. In other words it is not really the firewalls fault but the business for not having anyone to maintain a piece of gear they deployed. > > > > Section 6: > > > > There are temporary IPv4 addresses too. > > Not by definition I'd say. Or... would you mind elaborating a bit more > in this respect? > > [Rick] My apologies on this one got some wires crossed. This is good to go. > > > > As for application being tunneled over well-known ports that sounds like > > a breakdown of communication between the Service Owners and NetSec. > > Simple communication *should* lead to the creation of a profile for that > > new application and its individual port. By doing what you describe it > > sounds like a Service Owner trying to get out of doing due diligence > > with NetSec or not knowing what port their application needs for access > > (More common than you might think). > > Yes. Or, at times, a user/app trying to circumvent unmanaged firewalls. > -- Ironically, at times these protocols are referred to as "firewall > friendly". > [Rick] The scenario makes no sense other than a mismanaged company frankly. You are essentially encouraging something against BCP. Even beyond security you will make it difficult to troubleshoot if everything is using the same port to traverse the firewall. > > Thanks! > > Best regards, > -- > Fernando Gont > SI6 Networks > e-mail: [email protected] > PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 > > > > >
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
