Firewall considerations (Re: ISMS working group and charter problems)
Harald Tveit Alvestrand <harald@alvestrand.no> Wed, 07 September 2005 11:35 UTC
Date: Wed, 07 Sep 2005 13:34:02 +0200
From: Harald Tveit Alvestrand <harald@alvestrand.no>
To: Iljitsch van Beijnum <iljitsch@muada.com>, Daniel Senie <dts@senie.com>
Message-ID: <408BD75D81163B93FB7F3E61@B50854F0A9192E8EC6CDA126>
In-Reply-To: <9A2BB5EF-A137-439D-81AF-40B784D541A9@muada.com>
References: <CBB3A9E7-295F-461F-8627-2DD6EDA85769@muada.com> <200509062206.SAA03802@ietf.org> <6.2.3.4.2.20050906181309.07350830@mail.amaranth.net> <9A2BB5EF-A137-439D-81AF-40B784D541A9@muada.com>
Cc: IETF Discussion <ietf@ietf.org>
Subject: Firewall considerations (Re: ISMS working group and charter problems)
--On 7. september 2005 00:30 +0200 Iljitsch van Beijnum <iljitsch@muada.com> wrote:

> What would be in such a section? There are only three possibilities:
>
> 1. There is no firewall: no need for text.
> 2. There is a firewall, and it doesn't try to block the protocol: no
> need for text.
> 3. There is a firewall, and it tries to block the protocol.

Actually I would put it differently....

1. There is no firewall: no need for text.
2. The firewall manager desires to let the connection go through (while not making any other changes in policy).
   2a. The firewall allows the manager to express this desire in policy.
   2b. The firewall does not allow the manager to express this desire.
3. The firewall manager desires to block this type of connection (while not making any other changes in policy).
   3a. The firewall allows the manager to express this desire in policy.
   3b. The firewall does not allow the manager to express this desire.

2a is the common case (I think) if the firewall has NAT as part of the "defense" mechanism; you can't get from the "outside" to the "inside" even if you want to (unless you do <ugly stuff>, of course).

3b is the common case for protocols tunneled over HTTP with simple-minded firewalls; that's why "deep packet inspection" products sell so well....

A "firewall considerations" section (ObRant: Mandatory Sections Are Bad) would discuss how to turn 2a and 3b into 2b and 3a.... for instance, such a section on RTP/SIP might discuss what you need to snoop on in order to open the proper "media holes" in your firewall, and why signing your SIP requests is better than encrypting them in this scenario <architectural choking sounds deleted>.......

                   Harald
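The RTP/SIP case Harald mentions, as an added example that is not part of the original post or of any IETF document: a minimal SDP snooper of the kind a firewall or SIP ALG would need in order to learn which "media holes" to open. It parses the SDP body of a SIP INVITE (session-level and media-level `c=` lines, the `a=rtcp:` override, and `m=` lines with port 0, which reject the media and so need no hole) and returns the UDP pinholes. It also shows the point about signing versus encrypting: when the body is not readable SDP (for example an S/MIME-encrypted body), the firewall cannot derive any holes at all. The SIP message, the addresses and the ports are constructed sample input, not taken from any real exchange.

```python
"""Derive firewall media pinholes from the SDP carried in a SIP INVITE.

Added example (not from the original mailing-list post). The INVITE below
is constructed sample input; addresses are from the documentation range.
"""
import re
from typing import Optional

# Constructed sample SIP INVITE with an SDP body.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "From: <sip:alice@example.com>\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"            # session-level connection address
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtcp:49171\r\n"                   # explicit RTCP port (here the usual +1)
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.11\r\n"            # media-level override of the address
    "m=application 0 udp wb\r\n"         # port 0: media rejected, no hole
)


def split_sip(message: str):
    """Split a SIP message into (headers, body); header names are lower-cased."""
    head, _, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def sdp_pinholes(sdp: str):
    """Return the UDP pinholes (media, kind, ip, port) implied by an SDP body."""
    session_ip = None
    media_blocks = []
    current = None
    for raw in sdp.split("\r\n"):
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key == "c":
            m = re.match(r"IN IP[46] (\S+)", value)
            ip = m.group(1).split("/")[0] if m else None  # drop multicast /ttl
            if current is None:
                session_ip = ip
            else:
                current["ip"] = ip
        elif key == "m":
            parts = value.split()
            current = {"media": parts[0], "port": int(parts[1]),
                       "proto": parts[2], "ip": None, "rtcp": None}
            media_blocks.append(current)
        elif key == "a" and current is not None and value.startswith("rtcp:"):
            current["rtcp"] = int(value[len("rtcp:"):].split()[0])

    holes = []
    for blk in media_blocks:
        if blk["port"] == 0:           # rejected media stream: nothing to open
            continue
        ip = blk["ip"] or session_ip
        if ip is None:                 # no usable address: refuse to guess
            continue
        holes.append((blk["media"], "rtp", ip, blk["port"]))
        if blk["proto"].startswith("RTP/"):
            # RTCP defaults to port+1 unless a=rtcp: says otherwise.
            holes.append((blk["media"], "rtcp", ip, blk["rtcp"] or blk["port"] + 1))
    return holes


def pinholes_for_invite(message: str) -> Optional[list]:
    """Pinholes for an INVITE, or None when the body cannot be snooped."""
    headers, body = split_sip(message)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/sdp":
        # An encrypted (e.g. S/MIME) body hides the SDP from the firewall, so
        # it cannot learn which holes to open; a signed cleartext body would
        # still be readable here and its origin verifiable.
        return None
    return sdp_pinholes(body)


if __name__ == "__main__":
    for hole in pinholes_for_invite(SAMPLE_INVITE) or []:
        print("open udp %s:%d (%s %s)" % (hole[2], hole[3], hole[0], hole[1]))
```

Running it on the constructed INVITE yields four holes (audio RTP/RTCP on 192.0.2.10, video RTP/RTCP on 192.0.2.11) and none for the rejected `application` stream; swapping the Content-Type for an encrypted body type makes the function return None, which is the "cannot express the desire" situation from a firewall that has nothing to snoop on.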