Hi Linda,

On 09/17/2015 06:15 PM, Linda Dunbar wrote:
> I am also not sure of the intent of this draft. Is the intent of the
> draft to provide the guideline on configuring firewalls?
Certainly not. Please see Melinda's comments.

> Comment to the first paragraph in Section 10 Recommendation:
>
> Most deployed FWs are usually not “single purposed” as characterized as
> “Zone-based” FW, or “Rule based” FW. A FW that has rules on zones can
> also have rules to allow sessions originated from outside to some
> applications.

We didn't mean that firewalls are single-purposed. Certainly, a given device can implement different kinds of firewalls. That doesn't make our analysis of the kinds of firewalls incorrect, though.

> Comment to the second paragraph in Section 10 Recommendation:
> In order to achieve the recommendation described by the second paragraph
> of the Section 10 Recommendations, the router has to install all the
> host routes for “Bob, Alice, etc.” It doesn’t scale.

I guess that depends on a number of factors... among others, on the granularity that you talk about.

> Comment to “FW SHOULD NOT attempt to perform any kind of DPI”:
> Many modern FWs do perform DPI. Are you saying they should be stripped off
> the network? They all had legitimate reasons to be deployed, and they
> are running fine.

You seem to have cut off part of the sentence. It says:

   firewalls of any type SHOULD NOT attempt to perform the kind of deep
   packet inspection and surgery that is common with Network Address
   Translators [RFC2993]

And what we mean is not that FWs should not perform the kind of surgery that NAT devices perform (e.g., modifying the application data stream).

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
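The point made in the exchange above, that one device commonly combines a "zone-based" default policy (inside may talk to outside, outside may not initiate toward inside) with explicit "rule-based" exceptions that admit outside-originated sessions to particular applications, as an added example that is not part of the original thread or of the draft under discussion. The zones, the documentation prefixes under 2001:db8::/32, the hypothetical web server at 2001:db8:1::80, and the Firewall, Packet and build_demo_firewall names are all constructed for this illustration and are not taken from the draft or from any vendor's configuration.

```python
"""Constructed example: a stateful filter that combines zone defaults with per-application rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True  # True on the first packet of a new session


class Firewall:
    """Zone-based defaults plus explicit rules on one device (hypothetical, not the draft's model)."""

    def __init__(self, zones, zone_policy, rules):
        # zones: {"inside": ["2001:db8:1::/48"], ...}
        self.zones = {z: [ip_network(p) for p in prefixes] for z, prefixes in zones.items()}
        # zone_policy: {(from_zone, to_zone): "allow" | "deny"} -- the "zone-based" part
        self.zone_policy = zone_policy
        # rules: [(from_zone, to_zone, dst_prefix, proto, dport, action)] -- the "rule-based" part
        self.rules = [(f, t, ip_network(p), proto, port, act)
                      for f, t, p, proto, port, act in rules]
        self.sessions = set()  # (src, sport, dst, dport, proto) of sessions we admitted

    def zone_of(self, addr):
        ip = ip_address(addr)
        for zone, prefixes in self.zones.items():
            if any(ip in p for p in prefixes):
                return zone
        return None

    def process(self, pkt):
        """Return (verdict, reason); record a new session when its first packet is admitted."""
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # Either direction of a session we already admitted passes without re-evaluation.
        if forward in self.sessions or reverse in self.sessions:
            return "allow", "established session"
        if not pkt.syn:
            return "deny", "no matching session"  # mid-stream packet we never admitted
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if src_zone is None or dst_zone is None:
            return "deny", "address not in any zone"
        # Explicit rules win over the zone default; first match applies.
        for f, t, prefix, proto, port, action in self.rules:
            if (f, t, proto, port) == (src_zone, dst_zone, pkt.proto, pkt.dport) \
                    and ip_address(pkt.dst) in prefix:
                verdict, reason = action, f"rule {f}->{t} {proto}/{port} {prefix}"
                break
        else:
            verdict = self.zone_policy.get((src_zone, dst_zone), "deny")
            reason = f"zone-default {src_zone}->{dst_zone}"
        if verdict == "allow":
            self.sessions.add(forward)
        return verdict, reason


def build_demo_firewall():
    """Constructed policy: inside may reach outside; outside may reach only the web server."""
    zones = {"inside": ["2001:db8:1::/48"], "outside": ["2001:db8:ffff::/48"]}
    zone_policy = {("inside", "outside"): "allow", ("outside", "inside"): "deny"}
    rules = [("outside", "inside", "2001:db8:1::80/128", "tcp", 443, "allow")]
    return Firewall(zones, zone_policy, rules)


if __name__ == "__main__":
    fw = build_demo_firewall()
    print(fw.process(Packet("2001:db8:1::10", 50000, "2001:db8:ffff::1", 443)))        # inside -> outside
    print(fw.process(Packet("2001:db8:ffff::1", 443, "2001:db8:1::10", 50000, syn=False)))  # its reply
    print(fw.process(Packet("2001:db8:ffff::1", 40000, "2001:db8:1::80", 443)))        # outside -> web server
    print(fw.process(Packet("2001:db8:ffff::1", 40001, "2001:db8:1::80", 22)))         # outside -> ssh, no rule
```

The zone default alone is what a "zone-based" filter does; the single rule entry is what a "rule-based" filter does; the same object evaluates both, which is the combination Linda describes and the reply agrees exists. Note that only the first packet of a session is matched against policy; later packets, including the reply from outside, are admitted on state, so the state table, not the rule set, decides what comes back in.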
