RE: ISMS working group and charter problems
"Thomas Gal" <thomas.gal@triagewireless.com> Tue, 06 September 2005 23:43 UTC
Message-Id: <200509062343.TAA16287@ietf.org>
From: Thomas Gal <thomas.gal@triagewireless.com>
To: "'Steven M. Bellovin'" <smb@cs.columbia.edu>, 'Iljitsch van Beijnum' <iljitsch@muada.com>
Date: Tue, 06 Sep 2005 16:43:30 -0700
Organization: Triage Wireless
In-Reply-To: <20050906230450.9BB1E3BFD6F@berkshire.machshav.com>
Cc: 'IETF Discussion' <ietf@ietf.org>, 'Daniel Senie' <dts@senie.com>
Subject: RE: ISMS working group and charter problems
Reply-To: tom@triagewireless.com
>>> Actually, a "Firewall Considerations" section would make sense.
>> Agreed.
>> What would be in such a section? There are only three possibilities:
>>
>> 1. There is no firewall: no need for text.
>> 2. There is a firewall, and it doesn't try to block the protocol: no need for text.
>> 3. There is a firewall, and it tries to block the protocol.
>>
>> So what text would be helpful in case #3? Either the firewall successfully blocks the protocol and the firewall works and the protocol doesn't, or the firewall doesn't manage to block the protocol and the protocol works but the firewall doesn't. So whatever happens, someone is going to be unhappy.
>>
> Not at all. Often, a firewall needs to know a fair amount about the protocol to do its job. FTP is the simplest case -- it has to look for the PORT (and, in some configurations, the PASV) command. H.323 and SIP are more complex.

Exactly, ignoring the particulars of a protocol and choosing to just block/not block it doesn't really make the firewall useful to that protocol. That's certainly one of the valid choices for a firewall to take, however.

> But for complex protocols, we need to go a step further. SIP has, built-in, provision for gateways. There are a number of reasons for this, but firewall friendliness is certainly one of them. The proper question is this: would adding something to the protocol enable it to operate properly in the presence of a firewall *without* subverting site security policy. The lack of that latter consideration has led to people using http as the universal firewall traversal protocol, with the obvious bad side-effects.

Indeed this section could be a way of documenting the proper behavior of a firewall in the context of a certain protocol.

For example a firewall could say with regard to protocol X I either:

A) treat it as unknown/don't recognize the protocol <- this is fine if you don't use the protocol
B) meet the full criteria specified in the "Firewall Considerations" section <- this may be a factor if the particular protocol receives heavy use in your organization
C) do something in between, which while possibly helpful should not be considered compliant for the sake of differentiating devices.

Much like you can configure port forwarding and a DMZ among a multitude of other things commonly on firewall/NATs, allowing for the possibility of consistent behavior/options relating to a new protocol among firewall vendors MUST be better than leaving it to itself like has happened with the NAT situation.

-Tom
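The FTP case Bellovin raises above (a firewall has to read the PORT and PASV exchange on the control channel before it can decide anything about the data connection) is the concrete reason a blanket block/allow decision is not "useful to the protocol". The following is an added example, not code from anyone in this thread: a minimal protocol-aware helper that walks a constructed FTP control-channel transcript, derives the data-channel pinholes a firewall would have to open, and applies an assumed site policy (an endpoint may only announce its own address, and only non-privileged ports above 1023 are accepted). The transcript, addresses and policy are all constructed for illustration.

```python
"""FTP-aware pinhole derivation: why a firewall must read the control channel.

Added example for this thread, not code from the original posts. The transcript,
addresses and the site policy below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Pinhole:
    proto: str
    src: str      # endpoint that will initiate the data connection
    dst: str      # endpoint that announced it is listening
    dport: int    # listening port announced on the control channel
    origin: str   # control-channel line that justified this pinhole

# Active mode: the client announces h1,h2,h3,h4,p1,p2 with a PORT command.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Passive mode: the server answers with a 227 reply carrying the same 6-tuple.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Assumed site policy: announced ports must be non-privileged.
MIN_DATA_PORT = 1024

def decode_hostport(fields) -> Tuple[str, int]:
    """Turn the six decimal fields of PORT/227 into (ip, port)."""
    octets = [int(f) for f in fields]
    if any(o > 255 for o in octets):
        raise ValueError("field out of range")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def derive_pinholes(transcript: List[Tuple[str, str]], client_ip: str, server_ip: str):
    """Return (pinholes, rejected) for a control-channel transcript.

    transcript is a list of (direction, line) with direction "c2s" or "s2c".
    A pinhole is only produced when the announced address is the speaker's own
    address and the port is non-privileged; everything else is rejected with a
    reason, which is what the firewall would log.
    """
    pinholes: List[Pinhole] = []
    rejected: List[Tuple[str, str]] = []
    for direction, line in transcript:
        if direction == "c2s":
            m = PORT_RE.match(line)
            if not m:
                continue
            expected_host, src, dst = client_ip, server_ip, client_ip
        else:
            m = PASV_RE.match(line)
            if not m:
                continue
            expected_host, src, dst = server_ip, client_ip, server_ip
        try:
            host, port = decode_hostport(m.groups())
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        if host != expected_host:
            rejected.append((line, f"announced {host}, not the speaker's own {expected_host}"))
            continue
        if port < MIN_DATA_PORT:
            rejected.append((line, f"port {port} is privileged"))
            continue
        pinholes.append(Pinhole("tcp", src, dst, port, line))
    return pinholes, rejected

# Constructed sample session between a client and a server (documentation addresses).
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"
SAMPLE_TRANSCRIPT = [
    ("c2s", "USER anonymous"),
    ("s2c", "331 Please specify the password."),
    ("c2s", "PORT 192,0,2,10,19,137"),                      # 19*256+137 = 5001, client's own address
    ("s2c", "200 PORT command successful."),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (198,51,100,5,39,16)"),  # 39*256+16 = 10000, server's own address
    ("c2s", "PORT 203,0,113,9,0,80"),                       # third-party host on a privileged port: rejected
]

if __name__ == "__main__":
    pins, rej = derive_pinholes(SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP)
    for p in pins:
        print(f"ALLOW {p.proto} {p.src} -> {p.dst}:{p.dport}   ({p.origin})")
    for line, reason in rej:
        print(f"DENY  {line!r}: {reason}")
```

Running the block prints two ALLOW rules (one per direction, derived from the PORT command and the 227 reply) and one DENY for the final PORT line. The point for a "Firewall Considerations" section is visible in the code: the firewall cannot produce either rule, nor refuse the bad one, without parsing the protocol's own commands, and the policy questions (may an endpoint announce someone else's address? which ports are acceptable?) are exactly the kind of guidance such a section could state for a firewall that claims to support the protocol.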