Re: [Int-area] [v6ops] Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt
Rick Casarez <rick.casarez@gmail.com> Fri, 16 October 2015 12:19 UTC
In-Reply-To: <561D0CB7.3040606@si6networks.com>
References: <20151013134530.1812.78498.idtracker@ietfa.amsl.com> <561D0CB7.3040606@si6networks.com>
Date: Fri, 16 Oct 2015 08:19:19 -0400
Message-ID: <CAGWMUT4A5Y=R6KN6oJdGzMOQJ=5aPUr8XJbEhZ3pBJ+hZD8_RA@mail.gmail.com>
From: Rick Casarez <rick.casarez@gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/int-area/q-FaRHvsU5CaeN705640TcOzZ54>
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, Internet Area <int-area@ietf.org>, IPv6 Operations <v6ops@ietf.org>
Subject: Re: [Int-area] [v6ops] Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt
While I get amused reading such things, are we sure we need lines like this in the document? "...and attempts to end the bickering on the topic, which is, for the most part, of little value in illuminating the discussion." A few parts of the introduction I think can be re-worded to express the issues professionally without getting people defensive by making the statements you are making. Rise above it.

In Section 2:

Firewall - I am wondering if a better definition can be made. From what you wrote I cannot distinguish between a Firewall and an ACL. No mention of state tracking, for instance, etc.

Defense-in-depth - I think you should define this term in this section since you go on to use it in following sections. It helps by also showing the differences between it and perimeter.

Section 3.3: The sentence: "By that line of reasoning, a firewall primarily protects infrastructure, by preventing traffic that would attack it from it." I think flows better as: "By that line of reasoning, a firewall primarily protects infrastructure, by preventing traffic that would attack it." or "A firewall primarily protects against infrastructure attacks."

Section 5.1: "The drawback of this approach is that the security goal of "block traffic unless it is explicitly allowed" prevents useful new applications." I am not sure I understand this line. It blocks new applications from immediately traversing the firewall. I know from experience, though, that when a discussion is had with the NetSec team the application can be added to the allow list. So I am not sure a "default deny" means new stuff never gets allowed, as the text insinuates.

Section 6: There are temporary IPv4 addresses too. Usually the prefix is allowed with a set access or security profile. The only problem I am aware of is if you mix hosts with differing access/security profiles into one subnet. This is fixed by designating subnets for specific profiles. IPv6 is not any different and can work the same way.

As for applications being tunneled over well-known ports, that sounds like a breakdown of communication between the Service Owners and NetSec. Simple communication *should* lead to the creation of a profile for that new application and its individual port. By doing what you describe it sounds like a Service Owner trying to get out of doing due diligence with NetSec, or not knowing what port their application needs for access (more common than you might think).

-------------------
Cheers,
Rick

Experiences not things.

On Tue, Oct 13, 2015 at 9:52 AM, Fernando Gont <fgont@si6networks.com> wrote:
> FYI.
>
> This rev hopefully addresses some/most/all of the comments received so
> far (mostly by Eric Vyncke and James Woodyatt).
>
> More comments/feedback will be welcome.
>
> Thanks,
> Fernando
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt
> Date: Tue, 13 Oct 2015 06:45:30 -0700
> From: internet-drafts@ietf.org
> To: Fred Baker <fred@cisco.com>, Fernando Gont <fgont@si6networks.com>
>
>
> A new version of I-D, draft-gont-opsawg-firewalls-analysis-01.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
>
> Name: draft-gont-opsawg-firewalls-analysis
> Revision: 01
> Title: On Firewalls in Network Security
> Document date: 2015-10-13
> Group: Individual Submission
> Pages: 17
> URL: https://www.ietf.org/internet-drafts/draft-gont-opsawg-firewalls-analysis-01.txt
> Status: https://datatracker.ietf.org/doc/draft-gont-opsawg-firewalls-analysis/
> Htmlized: https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01
> Diff: https://www.ietf.org/rfcdiff?url2=draft-gont-opsawg-firewalls-analysis-01
>
> Abstract:
> This document analyzes the role of firewalls in network security, and
> suggests a line of reasoning about their usage. It analyzes common
> kinds of firewalls and the claims made for them.
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
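Editor's worked example, not part of the message above or of the draft: the Section 2 point about a firewall being more than an ACL ("no mention of state tracking") and the Section 5.1 point about default deny with an explicit allow list can both be shown on a handful of constructed packets. The stateless ACL below is the classic router-style rule set, where "established" just means "ACK or RST bit set"; the stateful model remembers which flows were legitimately opened. The internal prefix 10.0.0.0/8, the allow-listed service 10.0.0.5:443, and the outside addresses are all assumptions for the demo (RFC 1918 and RFC 5737 ranges), and neither rule set is any vendor's syntax.

```python
"""Stateless ACL vs stateful firewall on constructed TCP packets.

Added example for this thread; not from the draft or from anyone on the
list. Addresses are from documentation ranges (RFC 1918 inside, RFC 5737
outside), and both rule sets are simplified models rather than any
vendor's configuration syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")    # assumed protected prefix
SERVER = ("10.0.0.5", 443)            # assumed allow-listed public service


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def is_inside(addr: str) -> bool:
    return ip_address(addr) in INSIDE


def stateless_acl(pkt: Packet) -> bool:
    """Each packet is judged on its own header; nothing is remembered.

    The "established" clause is the classic router-ACL shortcut: permit
    any inbound TCP segment carrying ACK or RST, on the theory that a
    reply to a connection opened from inside always has ACK set.
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return True                                  # permit outbound
    if not is_inside(pkt.src) and pkt.flags & {"ACK", "RST"}:
        return True                                  # permit "established"
    if (pkt.dst, pkt.dport) == SERVER and pkt.flags == {"SYN"}:
        return True                                  # allow-listed service
    return False                                     # default deny


class StatefulFirewall:
    """Remembers which flows were legitimately opened, so an inbound
    segment is accepted only if it belongs to one of them."""

    def __init__(self) -> None:
        self.flows: set = set()   # (src, sport, dst, dport) of accepted openings

    def filter(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return True                              # part of a tracked flow
        if pkt.flags != {"SYN"}:
            return False                             # mid-stream segment of an unknown flow
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            self.flows.add(forward)                  # outbound opening
            return True
        if (pkt.dst, pkt.dport) == SERVER:
            self.flows.add(forward)                  # allow-listed opening
            return True
        return False                                 # default deny


# Constructed traffic: a normal outbound session, an ACK scan against an
# internal SSH port, a legitimate hit on the allow-listed service, and a
# plain inbound SYN to a port nobody approved.
PACKETS = [
    ("outbound SYN",      Packet("10.0.0.7", 40000, "203.0.113.9", 443, frozenset({"SYN"}))),
    ("reply SYN/ACK",     Packet("203.0.113.9", 443, "10.0.0.7", 40000, frozenset({"SYN", "ACK"}))),
    ("ACK scan to :22",   Packet("198.51.100.1", 1234, "10.0.0.7", 22, frozenset({"ACK"}))),
    ("SYN to allow-list", Packet("198.51.100.1", 5000, "10.0.0.5", 443, frozenset({"SYN"}))),
    ("SYN to :22",        Packet("198.51.100.1", 5001, "10.0.0.7", 22, frozenset({"SYN"}))),
]


def compare(packets=PACKETS):
    """Return (label, acl_verdict, firewall_verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(label, stateless_acl(p), fw.filter(p)) for label, p in packets]


if __name__ == "__main__":
    for label, acl, fw in compare():
        print(f"{label:18} ACL={'permit' if acl else 'deny':6} stateful={'permit' if fw else 'deny'}")
```

Running it shows where the two diverge: the lone ACK to 10.0.0.7:22 passes the stateless ACL, because "established" is only a bit test, while the stateful filter drops it because no tracked flow exists. Both models apply the same default deny and the same allow-list entry, which is the point about Section 5.1: new applications are blocked until an entry like SERVER is added, not blocked forever.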