Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Mon, 05 October 2015 15:57 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Fernando Gont <fgont@si6networks.com>, "opsawg@ietf.org" <opsawg@ietf.org>
Date: Mon, 05 Oct 2015 15:57:20 +0000
Message-ID: <D2386149.59FC9%evyncke@cisco.com>
References: <20150915004941.13204.35415.idtracker@ietfa.amsl.com> <55F76EA7.6090405@si6networks.com>
In-Reply-To: <55F76EA7.6090405@si6networks.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/DE_P1NmHADys-q9Moy6qh8EI4CI>
Cc: TSV Area <tsv-area@ietf.org>, "'opsec@ietf.org'" <opsec@ietf.org>, Internet Area <int-area@ietf.org>, tsvwg <tsvwg@ietf.org>, IPv6 Operations <v6ops@ietf.org>

Fernando, Fred and Paul,

Sorry for belated reply, here are a couple of comments:

The title is a little ambiguous IMHO: is it "On Firewalls in Security"
(because they also apply inside an 'intranet') or "On Firewalls in
Internet Protocol (IP) Security" or "On firewalls and Security of the
Internet"?

The introduction looks more like a history, so should perhaps be renamed?

The terminology section should perhaps appear more like a usual terminology
section and not as free-form text?

Section 3.2 (end to end principle) is interesting but is a little complex
to read.

Section 3.3, unsure whether I am reading it correctly, but I don't agree
with the statement that a firewall can protect the (network) infrastructure
against DoS attacks (as hinted by "message volume overwhelms"). Rate
limiters or DoS scrubbing devices do not qualify as 'firewall' IMHO.

I think section 3.4 (a good one) rather belongs to section 4 and should
align the taxonomy.

Section 4.1, split the first paragraph in two parts. The second one being
the example given => to make it clear that the "sessions may never be
initiated from the outside" belongs to the example only

Section 4.1, 2nd paragraph, the word 'testing' has an active tone in my
(non-native) English; why not use a more passive verb such as "inspect"
or "check"?

Section 4.1, at the risk of appearing as 'purist', I would move the NAT
section from this section and create one on this topic.

Section 4.2, or rather the perimeter exists but it is very, very small: one
physical link :-) or wider: one logical perimeter without any strict
geographical boundaries.

Section 4.2, should make it clear that the 'tagging' is required (being
IEEE 802.1Q VLAN tag or ...), and, the end of the section is rather
negative on this specific FW.

Section 4.3, I like it of course :-), and I agree there are now scalable
algorithms to detect anomalies even with a single node (thanks to
self-learning :-))

Section 4.3, "Reputation databases have a bad reputation" is a fun
sentence :-)

Section 5, I would also use the words of white and black lists as they are
well-known. I wonder also why there is a specific section 5.1 without a
section 5.2? I would remove this heading and keep the text. Don't forget
to mention HTTP 2.0 & works such as QUIC.

Section 6, should also mention that FTP & SIP can be used for dynamic
ports. It should also mention/repeat that port 80 is not only about HTTP
but for many protocols 'tunneled' over HTTP.

Section 6, temporary addresses are indeed annoying in some cases but IP
addresses can also be spoofed. Should mention anti-spoofing? And/or IPSEC
AH?

Section 7 is about layer-3/layer-4 'packet filtering' which is a specific
kind of firewalls while the I-D title appears to be more generic. I
suggest to keep the section but make title more specific and add some
introduction sentences to this section.

Section 7, I like the point about the FW becoming the DoS :-) (which is
plainly true).

Section 8 kind of repeats a former point... Useful text, but it should be
unified at a single location.

Section 10 is of course looking for heated comments from the community...
Here are a couple:
- wonder whether the IETF could have recommendations for all cases?
Moreover, situation will probably continue to evolve
- zone-based should also allow ICMP inbound ;-)
- do we really want to trust PCP?
- role-based, the routing technique is introduced now and not previously?
- the routing technique would probably be complex to introduce and have
some scaling limit?

There are also important (IMHO) topics MISSING:
- more and more traffic is encrypted, good for privacy, bad for firewalls
as they are blind now and mostly useless
- recommendation for NOT BLOCKING traffic over the Internet (except to
each ISP's own infrastructure)?
- logging / auditing function is missing (talking about security here)
- logging of event is missing (talking about operation here)

Hope this helps to improve this -00 version, which is already quite complete.

-éric
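The stateful-filter behaviour behind the Section 4.1 comment ("sessions may never be initiated from the outside") and the Section 6 comment on FTP's dynamic ports, as an added illustration that is not part of the original message or of the draft: a toy Python connection-tracking filter that admits inbound traffic only for flows the inside already knows or for ports a static rule exposes, with an optional FTP PASV helper that opens a one-shot pinhole for the announced data port. All addresses, ports and packets are constructed sample values; `StatefulFilter` and `ftp_scenario` are hypothetical names chosen here.

```python
import re
from collections import namedtuple

# Constructed 5-tuple plus direction relative to the protected ("inside") network.
Packet = namedtuple("Packet", "src sport dst dport direction payload")
PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class StatefulFilter:
    """Default-deny inbound; accept replies to known flows; optional FTP PASV helper."""
    def __init__(self, static_allow, ftp_helper=False):
        self.static_allow = set(static_allow)  # (inside_ip, port) reachable from outside
        self.ftp_helper = ftp_helper
        self.flows = set()      # (inside_ip, inside_port, outside_ip, outside_port)
        self.pinholes = set()   # (inside_ip, port) announced in a 227 PASV reply

    def _flow(self, pkt):
        # Normalise so both directions of one session map to the same key.
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        key = self._flow(pkt)
        if pkt.direction == "out":            # inside hosts may initiate anything
            self.flows.add(key)
            m = PASV_RE.search(pkt.payload) if self.ftp_helper and pkt.sport == 21 else None
            if m:                             # control channel announced a data port
                p1, p2 = map(int, m.groups()[4:])
                self.pinholes.add((pkt.src, p1 * 256 + p2))
            return "ACCEPT"
        inside = (pkt.dst, pkt.dport)
        if key in self.flows or inside in self.static_allow:
            self.flows.add(key)
            return "ACCEPT"
        if inside in self.pinholes:           # one-shot hole for the data connection
            self.pinholes.discard(inside)
            self.flows.add(key)
            return "ACCEPT"
        return "DROP"                         # unsolicited inbound never gets in

def ftp_scenario(ftp_helper):
    """Outside client 198.51.100.7 fetches from inside FTP server 10.0.0.5 (constructed)."""
    fw = StatefulFilter(static_allow={("10.0.0.5", 21)}, ftp_helper=ftp_helper)
    steps = [
        Packet("198.51.100.7", 40001, "10.0.0.5", 21, "in", "USER anonymous"),
        Packet("10.0.0.5", 21, "198.51.100.7", 40001, "out", "227 Entering Passive Mode (10,0,0,5,195,80)"),
        Packet("198.51.100.7", 40002, "10.0.0.5", 50000, "in", ""),  # data channel: 195*256+80
        Packet("198.51.100.7", 40003, "10.0.0.5", 22, "in", ""),     # unrelated inbound probe
    ]
    return [fw.process(p) for p in steps]
```

Without the helper the third packet is dropped even though the server itself asked for it, which is exactly why a plain layer-3/4 packet filter needs either an application helper or a wide static hole for FTP-style protocols.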

On 15/09/15 03:04, "OPSEC on behalf of Fernando Gont"
<opsec-bounces@ietf.org on behalf of fgont@si6networks.com> wrote:

>Folks,
>
>We have published an I-D entitled "On Firewalls in Internet Security".
>The I-D is available at:
><https://www.ietf.org/internet-drafts/draft-gont-opsawg-firewalls-analysis-00.txt>.
>
>Our I-D covers a broad range of topics (ranging from operations to
>internet and transport area topics) -- hence the crosspost of this
>announcement to multiple mailing-lists.
>
>While we (co-authors) are subscribed to most of the lists to which this
>announcement is being crossposted, we expect (for the sake of unifying
>the discussion in a single place) the discussion to happen in the
>opsawg@ietf.org mailing-list.
>
>Your feedback will be very welcome.
>
>Thanks!
>
>Best regards,
>Fernando
>
>
>
>
>-------- Forwarded Message --------
>Subject: New Version Notification for
>draft-gont-opsawg-firewalls-analysis-00.txt
>Date: Mon, 14 Sep 2015 17:49:41 -0700
>From: internet-drafts@ietf.org
>To: Paul E. Hoffman <paul.hoffman@vpnc.org>, Fernando Gont
><fgont@si6networks.com>, Fernando Gont <fgont@si6networks.com>, Fred
>Baker <fred@cisco.com>, Fred Baker <fred@cisco.com>, Paul Hoffman
><paul.hoffman@vpnc.org>
>
>
>A new version of I-D, draft-gont-opsawg-firewalls-analysis-00.txt
>has been successfully submitted by Fernando Gont and posted to the
>IETF repository.
>
>Name:		draft-gont-opsawg-firewalls-analysis
>Revision:	00
>Title:		On Firewalls in Internet Security
>Document date:	2015-09-15
>Group:		Individual Submission
>Pages:		17
>URL:		https://www.ietf.org/internet-drafts/draft-gont-opsawg-firewalls-analysis-00.txt
>Status:
>https://datatracker.ietf.org/doc/draft-gont-opsawg-firewalls-analysis/
>Htmlized:
>https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-00
>
>
>Abstract:
>   This document analyzes the role of firewalls in Internet security,
>   and suggests a line of reasoning about their usage.  It analyzes
>   common kinds of firewalls and the claims made for them.
>
>
>
>
>
>Please note that it may take a couple of minutes from the time of
>submission
>until the htmlized version and diff are available at tools.ietf.org.
>
>The IETF Secretariat