IETF Logo Mail Archive

Re: [Int-area] [v6ops] Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt

Ca By <cb.list6@gmail.com> Fri, 16 October 2015 21:13 UTC

Return-Path: <cb.list6@gmail.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A1301A1AD0; Fri, 16 Oct 2015 14:13:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PtcQJTUPptO4; Fri, 16 Oct 2015 14:13:51 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA4BD1A002A; Fri, 16 Oct 2015 14:13:50 -0700 (PDT)
Received: by wicgb1 with SMTP id gb1so25142251wic.1; Fri, 16 Oct 2015 14:13:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=V5g+OCcLHbMHHyzh/GlYvcnndyM9wWLHYLTD7S+fCEg=; b=ZRURDvwGrdoriQneGudU0INPqxa2C1xSGyZcf0LARy+Pb7l0tyqIfWghGo3FqHX4KG ouyEd1UpNfSKxPoCMXU5/ufxebolOjPowW8S0+ygMg6G7zqJV/BJ2awaVIw5puD+VdoP XspxBkoJnysh4LAF8zeiiqvKnQeJ3VorX1V6J2iQ2boFn6GWB3xZ5e5H3YuIb6DTKnJp 7qREyJn60/mLBvVXE7MkgjYqeN9DGdSoFy/+/XCfaoaBPu6/0CodID1a8Rw/JNRTqjro 3b94FB/lvpjf8H365MJ1GUe6L99NtRZ7ImmhtPz7Dq53zM0b60khGr22zn+GbHP1BEh0 iF0w==
MIME-Version: 1.0
X-Received: by 10.180.104.69 with SMTP id gc5mr7313825wib.69.1445030029313; Fri, 16 Oct 2015 14:13:49 -0700 (PDT)
Received: by 10.194.192.40 with HTTP; Fri, 16 Oct 2015 14:13:49 -0700 (PDT)
In-Reply-To: <562155BC.6030701@si6networks.com>
References: <20151013134530.1812.78498.idtracker@ietfa.amsl.com> <561D0CB7.3040606@si6networks.com> <CAGWMUT4A5Y=R6KN6oJdGzMOQJ=5aPUr8XJbEhZ3pBJ+hZD8_RA@mail.gmail.com> <562155BC.6030701@si6networks.com>
Date: Fri, 16 Oct 2015 14:13:49 -0700
Message-ID: <CAD6AjGTt4tNkMXbDLQMMRWq7ydJQ4uthAbre-kc6W3rsSTmucQ@mail.gmail.com>
From: Ca By <cb.list6@gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Content-Type: multipart/alternative; boundary="f46d043bdbe6964ea605223f453b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/int-area/BhUc77AyKaOG_LMJLcUkF3gDihs>
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, Internet Area <int-area@ietf.org>, Rick Casarez <rick.casarez@gmail.com>, IPv6 Operations <v6ops@ietf.org>
Subject: Re: [Int-area] [v6ops] Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 21:13:53 -0000

I think this is important work, but i think this draft is too broad to be
effective in its current form.  I think it would be a great value to adopt
the common enterprise network view and scope of a "stateful firewall" that
most people
think of... from the likes of Checkpoint, Palo Alto, ...


On Fri, Oct 16, 2015 at 12:53 PM, Fernando Gont <fgont@si6networks.com>
wrote:

> Hi, Rick,
>
> Thanks so much for your feedback! Please find my responses in-line...
>
> On 10/16/2015 09:19 AM, Rick Casarez wrote:
> > While I get amused reading such things are we sure we need lines like
> > this in the document?
> >
> > "...and attempts to end the bickering on the topic, which is, for the
> > most part, of little value in illuminating the discussion."
> >
> > A few parts of the introduction I think can be re-worded to express the
> > issues professionally without getting people defensive by making the
> > statements you are making. Rise above it.
>
> I'll re-check the text -- The Intro was going to be re-worked, anyway.
>
>
>
> > In Section 2:
> >
> > Firewall - I am wondering if a better definition can be made. From what
> > you wrote I cannot distinguish between a Firewall and an ACL.
>
> An ACL is a policy. A firewall is a device that enforces filtering
> policies.
>
>
This defintion makes every on path device a firewall.  This is not a good
places to go.


> > No mention
> > of state tracking for instance etc.
>
> Ok, will try to add somethin in this respect.
>
>
>
This is the core of what 99% of the world thinks a firewall is.


>
> > Defense-in-depth - I think you should define this term in this section
> > since you go on to use it in following sections.
>
> Will do.
>
>
>
> > Section 3.3:
> >
> > The sentence:
> >
> > "By that line of reasoning, a firewall primarily protects
> > infrastructure, by preventing traffic that would attack it from it."
> >
> > I think flows better as:
> >
> > "By that line of reasoning, a firewall primarily protects
> > infrastructure, by preventing traffic that would attack it."
> >
> > or
> >
> > "A firewall primarily protects against infrastructure attacks."
>
> This seond option my work. (Your first option changes the meaning of the
> sentence).
>
>
>
eh...what is infrastructure... slippery slope here.


> > Section 5.1:
> >
> > "The drawback of this approach is that the security goal of "block
> > traffic unless it is explicitly allowed" prevents useful new
> applications."
> >
> > I am not sure I understand this line. It blocks new applications from
> > immediately traversing the firewall. I know from experience though that
> > when a discussion is had with the NetSec team the application can be
> > added to the allow list. So not sure a "default deny" means new stuff
> > never gets allowed as the text insinuates.
>
> Well, that depends on where the firewall is being deployed, and if it is
> actively managed.
>
>
Actively managed vs not actively are worlds apart.  Do not lump them
together.

Same with stateful vs stateless


>
>
> > Section 6:
> >
> > There are temporary IPv4 addresses too.
>
> Not by definition I'd say. Or... would you mind elaborating a bit more
> in this respect?
>
>
>
> > As for application being tunneled over well-known ports that sounds like
> > a breakdown of communication between the Service Owners and NetSec.
> > Simple communication *should* lead to the creation of a profile for that
> > new application and its individual port. By doing what you describe it
> > sounds like a Service Owner trying to get out of doing due diligence
> > with NetSec or not knowing what port their application needs for access
> > (More common than you might think).
>
> Yes. Or, at times, a user/app trying to circumvent unmanaged firewalls.
> -- Ironically, at times these protocols are referred to as "firewall
> friendly".
>
>
Yes... own the PC via Phishing or Flash, then use PCP from the PC to open
all the rules you want!

CB


> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email