IETF Logo Mail Archive

Re: [Int-area] [v6ops] Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt

Rick Casarez <rick.casarez@gmail.com> Fri, 16 October 2015 12:19 UTC

Return-Path: <rick.casarez@gmail.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31D911A1AB9; Fri, 16 Oct 2015 05:19:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lCN9hbZzZtch; Fri, 16 Oct 2015 05:19:21 -0700 (PDT)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AF271A86FF; Fri, 16 Oct 2015 05:19:21 -0700 (PDT)
Received: by wijp11 with SMTP id p11so7615528wij.0; Fri, 16 Oct 2015 05:19:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5PIs9VpKhm466HCXmgkaItbZ1+ZQxOehfgHU/B33/zk=; b=relHq23TfQcCWEaDxAfnwp+/5iB9NzymxP65HWthyCE1EClwe3hsTgnHs4VQPLtLNR +lMGXznCHOYg6MvR1ctIInYqWkud/rebUftNH4lVTSzv89hru49fqfFPGWD9VVRnQjK/ 2nNrWT9R3nxr7V+uQeIlNqZVkoGiZeIVedBD4LxQ7ASyrgOw1pylHJtyV7bPti2oiWKM 4fqx3FRPwc3QWoPZq6U/oZuhH/2KWl4n9RDKj2TmptqzQ4gzICoaVzk8/YhsOO3D+iqJ WgVqbHjSuPUY6xlXqd+vBGxhrUlw2PaDnUJK6n90pBjCfKcNGHfLnL7x80Fr4jrvspFM dEuQ==
MIME-Version: 1.0
X-Received: by 10.180.211.8 with SMTP id my8mr4362596wic.21.1444997959851; Fri, 16 Oct 2015 05:19:19 -0700 (PDT)
Received: by 10.27.108.76 with HTTP; Fri, 16 Oct 2015 05:19:19 -0700 (PDT)
In-Reply-To: <561D0CB7.3040606@si6networks.com>
References: <20151013134530.1812.78498.idtracker@ietfa.amsl.com> <561D0CB7.3040606@si6networks.com>
Date: Fri, 16 Oct 2015 08:19:19 -0400
Message-ID: <CAGWMUT4A5Y=R6KN6oJdGzMOQJ=5aPUr8XJbEhZ3pBJ+hZD8_RA@mail.gmail.com>
From: Rick Casarez <rick.casarez@gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Content-Type: multipart/alternative; boundary="001a11c38e0e193a8b052237ce50"
Archived-At: <http://mailarchive.ietf.org/arch/msg/int-area/q-FaRHvsU5CaeN705640TcOzZ54>
X-Mailman-Approved-At: Wed, 21 Oct 2015 20:15:00 -0700
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, Internet Area <int-area@ietf.org>, IPv6 Operations <v6ops@ietf.org>
Subject: Re: [Int-area] [v6ops] Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 12:19:28 -0000

While I get amused reading such things are we sure we need lines like this
in the document?

"...and attempts to end the bickering on the topic, which is, for the most
part, of little value in illuminating the discussion."

A few parts of the introduction I think can be re-worded to express the
issues professionally without getting people defensive by making the
statements you are making. Rise above it.

In Section 2:

Firewall - I am wondering if a better definition can be made. From what you
wrote I cannot distinguish between a Firewall and an ACL. No mention of
state tracking for instance etc.

Defense-in-depth - I think you should define this term in this section
since you go on to use it in following sections. It helps by also showing
the differences between it and perimeter.

Section 3.3:

The sentence:

"By that line of reasoning, a firewall primarily protects infrastructure,
by preventing traffic that would attack it from it."

I think flows better as:

"By that line of reasoning, a firewall primarily protects infrastructure,
by preventing traffic that would attack it."

or

"A firewall primarily protects against infrastructure attacks."

Section 5.1:

"The drawback of this approach is that the security goal of "block traffic
unless it is explicitly allowed" prevents useful new applications."

I am not sure I understand this line. It blocks new applications from
immediately traversing the firewall. I know from experience though that
when a discussion is had with the NetSec team the application can be added
to the allow list. So not sure a "default deny" means new stuff never gets
allowed as the text insinuates.

Section 6:

There are temporary IPv4 addresses too. Usually the prefix is allowed with
a set access or security profile. The only problems I am aware of is if you
mix hosts with differing access/security profiles into one subnet. This is
fixed by designating subnets for specific profiles. IPv6 is not any
different and can work the same way.

As for application being tunneled over well-known ports that sounds like a
breakdown of communication between the Service Owners and NetSec. Simple
communication *should* lead to the creation of a profile for that new
application and its individual port. By doing what you describe it sounds
like a Service Owner trying to get out of doing due diligence with NetSec
or not knowing what port their application needs for access (More common
than you might think).

-------------------
Cheers, Rick

Experiences not things.

On Tue, Oct 13, 2015 at 9:52 AM, Fernando Gont <fgont@si6networks.com>
wrote:

> FYI.
>
> This rev hopefully addresses some/most/all of the comments received so
> far (mostly by Eric Vyncke and James Woodyatt).
>
> More comments/feedback will be welcome.
>
> Thanks,
> Fernando
>
>
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for
> draft-gont-opsawg-firewalls-analysis-01.txt
> Date: Tue, 13 Oct 2015 06:45:30 -0700
> From: internet-drafts@ietf.org
> To: Fred Baker <fred@cisco.com>, Fernando Gont <fgont@si6networks.com>
>
>
> A new version of I-D, draft-gont-opsawg-firewalls-analysis-01.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
>
> Name:           draft-gont-opsawg-firewalls-analysis
> Revision:       01
> Title:          On Firewalls in Network Security
> Document date:  2015-10-13
> Group:          Individual Submission
> Pages:          17
> URL:
>
> https://www.ietf.org/internet-drafts/draft-gont-opsawg-firewalls-analysis-01.txt
> Status:
> https://datatracker.ietf.org/doc/draft-gont-opsawg-firewalls-analysis/
> Htmlized:
> https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-gont-opsawg-firewalls-analysis-01
>
> Abstract:
>    This document analyzes the role of firewalls in network security, and
>    suggests a line of reasoning about their usage.  It analyzes common
>    kinds of firewalls and the claims made for them.
>
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email