Fernando, Fred and Paul,

Sorry for the belated reply, here are a couple of comments:

The title is a little ambiguous IMHO: is it "On Firewalls in Security" (because they also apply inside an 'intranet'), "On Firewalls in Internet Protocol (IP) Security" or "On Firewalls and Security of the Internet"?

The introduction looks more like a history, so should perhaps be renamed?

The terminology section should perhaps appear more like a usual terminology section and not as free-form text?

Section 3.2 (end-to-end principle) is interesting but is a little complex to read.

Section 3.3, unsure whether I am reading it correctly, but I don't agree with the statement that a firewall can protect the (network) infrastructure against DoS attacks (as hinted by "message volume overwhelms"). Rate limiters or DoS scrubbing devices do not qualify as 'firewalls' IMHO.

I think section 3.4 (a good one) rather belongs in section 4 and should align with the taxonomy.

Section 4.1, split the first paragraph in two parts, the second one being the example given, to make it clear that the "sessions may never be initiated from the outside" belongs to the example only.

Section 4.1, 2nd paragraph, the word 'testing' has an active tone in my (non-native) English, why not use a more passive verb such as "inspect" or "check"?

Section 4.1, at the risk of appearing as a 'purist', I would move the NAT section out of this section and create one on this topic.

Section 4.2, or rather the perimeter exists but it is very, very small: one physical link :-) or wider: one logical perimeter without any strict geographical boundaries.

Section 4.2, should make it clear that the 'tagging' is required (being IEEE 802.1Q VLAN tag or ...), and the end of the section is rather negative on this specific FW.

Section 4.3, I like it of course :-), and I agree there are now scalable algorithms to detect anomalies even with a single node (thanks to self-learning :-)).

Section 4.3, "Reputation databases have a bad reputation" is a fun sentence :-)

Section 5, I would also use the words white and black lists as they are well-known. I wonder also why there is a specific section 5.1 without a section 5.2? I would remove this heading and keep the text. Don't forget to mention HTTP 2.0 & works such as QUIC.

Section 6, should also mention that FTP & SIP can be used for dynamic ports. It should also mention/repeat that port 80 is not only about HTTP but for many protocols 'tunneled' over HTTP.

Section 6, temporary addresses are indeed annoying in some cases but IP addresses can also be spoofed. Should mention anti-spoofing? And/or IPsec AH?

Section 7 is about layer-3/layer-4 'packet filtering', which is a specific kind of firewall, while the I-D title appears to be more generic. I suggest keeping the section but making the title more specific and adding some introductory sentences to this section.

Section 7, I like the point about the FW becoming the DoS :-) (which is plain true).

Section 8 kind of repeats a former point... Useful text, but it should be unified in a single location.

Section 10 is of course looking for heated comments from the community... Here are a couple:
- wonder whether the IETF could have recommendations for all cases? Moreover, the situation will probably continue to evolve
- zone-based should also allow ICMP inbound ;-)
- do we really want to trust PCP?
- role-based, the routing technique is introduced now and not previously?
- the routing technique would probably be complex to introduce and have some scaling limit?

There are also important (IMHO) topics MISSING:
- more and more traffic is encrypted, good for privacy, bad for firewalls as they are blind now and mostly useless
- recommendation for NOT BLOCKING traffic over the Internet (except to each ISP's own infrastructure)?
- logging / auditing function is missing (talking about security here)
- logging of events is missing (talking about operation here)

Hope this helps to improve this -00 version, which is already quite complete

-éric

On 15/09/15 03:04, "OPSEC on behalf of Fernando Gont" <[email protected] on behalf of [email protected]> wrote:

>Folks,
>
>We have published an I-D entitled "On Firewalls in Internet Security".
>The I-D is available at:
><https://www.ietf.org/internet-drafts/draft-gont-opsawg-firewalls-analysis-00.txt>.
>
>Our I-D covers a broad range of topics (ranging from operations to
>internet and transport area topics) -- hence the crosspost of this
>announcement to multiple mailing-lists.
>
>While we (co-authors) are subscribed to most of the lists to which this
>announcement is being crossposted, we expect (for the sake of unifying
>the discussion in a single place) the discussion to happen in the
>[email protected] mailing-list.
>
>Your feedback will be very welcome.
>
>Thanks!
>
>Best regards,
>Fernando
>
>
>-------- Forwarded Message --------
>Subject: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt
>Date: Mon, 14 Sep 2015 17:49:41 -0700
>From: [email protected]
>To: Paul E. Hoffman <[email protected]>, Fernando Gont <[email protected]>,
>Fernando Gont <[email protected]>, Fred Baker <[email protected]>,
>Fred Baker <[email protected]>, Paul Hoffman <[email protected]>
>
>
>A new version of I-D, draft-gont-opsawg-firewalls-analysis-00.txt
>has been successfully submitted by Fernando Gont and posted to the
>IETF repository.
>
>Name: draft-gont-opsawg-firewalls-analysis
>Revision: 00
>Title: On Firewalls in Internet Security
>Document date: 2015-09-15
>Group: Individual Submission
>Pages: 17
>URL: https://www.ietf.org/internet-drafts/draft-gont-opsawg-firewalls-analysis-00.txt
>Status: https://datatracker.ietf.org/doc/draft-gont-opsawg-firewalls-analysis/
>Htmlized: https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-00
>
>
>Abstract:
> This document analyzes the role of firewalls in Internet security,
> and suggests a line of reasoning about their usage. It analyzes
> common kinds of firewalls and the claims made for them.
>
>
>Please note that it may take a couple of minutes from the time of
>submission until the htmlized version and diff are available at
>tools.ietf.org.
>
>The IETF Secretariat
>
>
>_______________________________________________
>OPSEC mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/opsec
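Two of the review points above (the section 4.1 example in which "sessions may never be initiated from the outside", and the section 7 remark about the firewall itself becoming the DoS) are easiest to see with a toy stateful packet filter. The code below is an added example, not part of this thread or of the draft being reviewed; the `StatefulFilter` class, the packet tuples and the "inside is 10.0.0.0/8" zone are all constructed for illustration. It keeps a bounded connection table, admits an inbound packet only when it matches a flow that an inside host opened, and shows how a full table with a long idle timeout refuses new legitimate outbound sessions, whereas aging idle entries out restores service.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the filter (fields constructed for the example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_inside(addr: str) -> bool:
    """Hypothetical 'inside' zone: the 10.0.0.0/8 range, matched by prefix."""
    return addr.startswith("10.")


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent 5-tuple, so a reply maps onto the initiating flow."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class StatefulFilter:
    """Sessions may only be initiated from the inside; replies ride on state."""

    def __init__(self, max_states: int, idle_timeout: float):
        self.max_states = max_states        # finite state table: the DoS lever
        self.idle_timeout = idle_timeout    # seconds before an idle flow is aged out
        self.states = OrderedDict()         # flow_key -> last time the flow was seen
        self.capacity_drops = 0             # legitimate sessions refused for lack of room

    def expire_idle(self, now: float) -> int:
        """Age out flows idle longer than idle_timeout; returns how many were removed."""
        stale = [k for k, seen in self.states.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.states[k]
        return len(stale)

    def filter(self, pkt: Packet, now: float) -> str:
        self.expire_idle(now)
        key = flow_key(pkt)
        if key in self.states:
            # Packet belongs to a known session, whichever direction it travels.
            self.states[key] = now
            self.states.move_to_end(key)
            return "ALLOW established"
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if len(self.states) >= self.max_states:
                self.capacity_drops += 1
                return "DROP state table full"
            self.states[key] = now
            return "ALLOW new outbound"
        # Anything else is an inbound packet with no session behind it.
        return "DROP not initiated from inside"


def run_scenario() -> list:
    """Constructed traffic: an outbound session, its reply, then an unsolicited inbound packet."""
    fw = StatefulFilter(max_states=100, idle_timeout=60.0)
    out = Packet("10.1.1.5", 40000, "203.0.113.9", 443)
    reply = Packet("203.0.113.9", 443, "10.1.1.5", 40000)
    unsolicited = Packet("198.51.100.7", 5555, "10.1.1.5", 22)
    return [fw.filter(out, 0.0), fw.filter(reply, 0.1), fw.filter(unsolicited, 0.2)]


def exhaustion_scenario(max_states: int, idle_timeout: float) -> dict:
    """Fill the table with short-lived outbound flows at t=0, then open one more at t=30.

    With a long idle timeout the new session is refused, so the filter itself
    denies service; with a short timeout the stale entries are aged out first.
    """
    fw = StatefulFilter(max_states=max_states, idle_timeout=idle_timeout)
    for i in range(max_states):
        fw.filter(Packet("10.1.1.5", 50000 + i, "203.0.113.9", 80), 0.0)
    verdict = fw.filter(Packet("10.1.1.6", 40001, "203.0.113.10", 443), 30.0)
    return {"verdict": verdict, "capacity_drops": fw.capacity_drops, "states": len(fw.states)}


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
    print(exhaustion_scenario(max_states=50, idle_timeout=60.0))
    print(exhaustion_scenario(max_states=50, idle_timeout=10.0))
```

The direction-independent key is what lets the reply from 203.0.113.9 match the flow opened by 10.1.1.5 without any inbound rule; the second scenario is the operational side of the same design, since whatever holds entries in the table longest (idle timeout, retransmission storms, many short flows) decides when the filter starts dropping its own users' traffic. Real products track TCP flags and per-protocol timers rather than a single idle timer, which this toy deliberately omits.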
