Hi Marco,

-1 for me, no place for NAT in an IPv6 FW doc

Regards
Bob

-----Original Message-----
From: OPSEC [mailto:[email protected]] On Behalf Of Marco Ermini
Sent: 31 March 2014 18:36
To: [email protected]
Subject: Re: [OPSEC] comments for firewall draft

-----Original Message-----
From: OPSEC [mailto:[email protected]] On Behalf Of Simon Perreault
Sent: Monday, March 31, 2014 6:53 PM
To: [email protected]
Subject: Re: [OPSEC] comments for firewall draft

> Do you have specific things in mind that the draft should say on this topic?
>
> IMHO, the fact that NAT is common in firewall equipment is irrelevant.
> Many other functions are common: IPSEC gateway, SSL VPN, IDS, etc. etc.
> etc. A draft covering everything would be a huge effort with low chance of
> success.
>
> I would prefer this draft to remain focused on the core firewall function.

Well, then the argument is: is NAT a central function in a firewall, especially in an IPv6 one?

I do believe NAT is a bit different than the others you mentioned, because in the great majority of circumstances you would really use a firewall to perform NAT. In all of the other cases you mentioned (VPN, NIDS, etc.) they may be enabled with a license in environments where no better solution is desired, required or could be afforded; but they are really not central to a firewall, and are better performed with a dedicated system.

Mileage may vary with different firewall brands; e.g. with Juniper, SSL VPN is better provided by a dedicated security gateway appliance, while in Cisco or Palo Alto there is more convergence and this function is enabled by license. Anyway, all of them (thinking especially about NIDS/NIPS) are better provided by dedicated appliances and are not really so central for a firewall.

It is worth noting that in the original RFP document I redacted, there were also all of these functions, but they were removed as it would have been too many things to discuss at once.

However, I do think that NAT may have some special merit. Therefore it would be good to collect votes on that. So far I got 3+ and 1- if I am not wrong.

Marco Ermini
Senior IT Security and Compliance Analyst
ResMed Germany Inc
Fraunhofer Str. 16 - 82152 - Martinsried - Germany
ResMed.com

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
