Re: [Int-area] [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
Fernando Gont <fgont@si6networks.com> Fri, 09 October 2015 10:25 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 498151A8AAE; Fri, 9 Oct 2015 03:25:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 78aoGP_iibxw; Fri, 9 Oct 2015 03:25:42 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 287FF1A8AAD; Fri, 9 Oct 2015 03:25:41 -0700 (PDT)
Received: from 17-182-245-190.fibertel.com.ar ([190.245.182.17] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1ZkUrl-0005m9-HF; Fri, 09 Oct 2015 12:25:34 +0200
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>
References: <20150915004941.13204.35415.idtracker@ietfa.amsl.com> <55F76EA7.6090405@si6networks.com> <D2386149.59FC9%evyncke@cisco.com>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <56179631.8060803@si6networks.com>
Date: Fri, 09 Oct 2015 07:25:53 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <D2386149.59FC9%evyncke@cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/int-area/xgsFY9sleZHLkAL5hdXnMB_f-vo>
Cc: IPv6 Operations <v6ops@ietf.org>, Internet Area <int-area@ietf.org>, tsvwg <tsvwg@ietf.org>, draft-gont-opsawg-firewalls-analysis@tools.ietf.org, "'opsec@ietf.org'" <opsec@ietf.org>, TSV Area <tsv-area@ietf.org>
Subject: Re: [Int-area] [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2015 10:25:45 -0000
Hi, Eric, Thanks so much for your feedback! Please find my comments in-line.... On 10/05/2015 12:57 PM, Eric Vyncke (evyncke) wrote: > Fernando, Fred and Paul, > > Sorry for belated reply, here are a couple of comments: > > The title is a little ambiguous IMHO it is "On Firewalls in Security" > (because they also apply inside an 'intranet') or "On Firewalls in > Internet Protocol (IP) Security" or "On firewalls and Security of the > Internet" ? How about "On Firewalls in Network Security"? > The introduction looks more like an history, so should perhaps be renamed? How about splitting the historical part into a stand-alone section renamed as "Firewalls in the IETF" or the like? > Terminology section should perhaps appear more like an usual terminology > section and not as a free-form text? mm.. I guess that from the current contents we can define "firewall" and "perimeter"? > Section 3.2 (end to end principle) is interesting but is a little complex > to read. Any suggestions on how to improve the text? > Section 3.3, unsure whether I am reading it correctly but I don't agree > with the statement that firewall can protect the (network) infrastructure > against DoS attack (as hinted by "message volume overwhelms"). Rate > limiters or DoS scrubbing devices do not qualify as 'firewall' IMHO. Could you elaborate a bit? e.g., why wouldn't a rate-limited qualify as a firewall? > I think section 3.4 (a good one) rather belongs to section 4 and should > align the taxonomy. Yep. Looks like we could move this into the base Section 4. (Or were you meaning something else?) > Section 4.1, split the first paragraph in two parts. The second one being > the example given => to make it clear that the "sessions may never be > initiated from the outside" belongs to the example only OK, will do. > Section 4.1, 2nd paragraph, the word 'testing' has an active tone in my > (non native) English, why not using a more passive verb such as "inspect" > or "check" ? Agreed. Will do. > Section 4.1, at the risk of appearing as 'purist', I would move the NAT > section from this section and create one on this topic. Please let me think about this one. f you have any suggestions regarding whre in the I-D you'd put such a section, please let me know. > Section 4.2, or rather the perimeter exists but it very very small : one > physical link :-) or wider: one logical perimeter without any strict > geographical boundaries. Yes. :-) > Section 4.2, should make it clear that the 'tagging' is required (being > IEEE 802.1Q VLAN tag or ...), OK. > and, the end of the section is rather > negative on this specific FW. I see... any hints for improvement? > Section 4.3, I like it of course :-), and I agree there are now scalable > algorithm to detect anomalies even with a single node (thanks to > self-learning :-)) Could you elaborate a bit? :-) > Section 4.3, "Reputation databases have a bad reputation" is a fun > sentence :-) Indeed! :-) > Section 5, I would also use the words of white and black lists as they are > well-known. I wonder also why there is a specific section 5.1 without a > section 5.2? Section 5.2 was forthcomming... (will hopefuly be there in version -01 of the I-D) > I would remove this heading and keep the text. Don't forget > to mention HTTP 2.0 & works such as QUIC. Will do. > Section 6, should also mention that FTP & SIP can be used for dynamic > ports. Will do. > It should also mention/repeat that port 80 is not only about HTTP > but for many protocols 'tunneled' over HTTP. Will do. > Section 6, temporary addresses are indeed annoying in some cases but IP > addresses can also be spoofed. What we meant here is that things like IPv6 temporary addresses change such assumption. But yes, we should comment on spoofing. > Should mention anti-spoofing? And/or IPSEC > AH? Anti spoofing in terms of RPF, or something else? > Section 7 is about layer-3/layer-4 'packet filtering' which is a specific > kind of firewalls while the I-D title appears to be more generic. I > suggest to keep the section but make title more specific and add some > introduction sentences to this section. Good grief! Will do. > Section 8, kind of repeats a former point... Useful text but should unify > and at a single location You mean with Section 4.1? > Section 10 is of course looking for heated comments from the community... [FWIW, Section 10 will be split into a different document... such that the heat happens elsewhere :-) ] > Here are a couple: > - wonder whether the IETF could have recommendations for all cases? Certainly not for all -- but better to have something covered, than nothing :-) > Moreover, situation will probably continue to evolve > - zone-based should also allow ICMP inbound ;-) .... if they relate to an ongoing session? > There are also important (IMHO) topics MISSING: > - more and more traffic are encrypted, good for privacy, bad for firewalls > as they are blind now and mostly useless Yes and no. If you mean TLS, it prevents DPI, but still allows for filtering based on port numbers... > - recommendation for NOT BLOCKING traffic over the Internet (except to > each ISP own infrastructure)? not blocking which sort of traffic? > - logging / auditing function is missing (talking about security here) > - logging of event is missing (talking about operation here) Do you mean in the recommendations section, or elsewhere? Thanks so much! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [Int-area] "On Firewalls in Internet Security" (F… Fernando Gont
- Re: [Int-area] [OPSEC] "On Firewalls in Internet … Fernando Gont
- Re: [Int-area] [OPSEC] "On Firewalls in Internet … Hannes Tschofenig
- Re: [Int-area] [OPSAWG] [OPSEC] "On Firewalls in … Mark Andrews
- Re: [Int-area] [OPSEC] "On Firewalls in Internet … Fernando Gont
- Re: [Int-area] [OPSAWG] [OPSEC] "On Firewalls in … Fernando Gont
- Re: [Int-area] [OPSAWG] [OPSEC] "On Firewalls in … Mark Andrews
- Re: [Int-area] [OPSAWG] [OPSEC] "On Firewalls in … Blumenthal, Uri - 0553 - MITLL