Re: [OPSAWG] [v6ops] Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt

[Fernando Gont <fgont@si6networks.com>]

Hi, Rick,

On 10/18/2015 09:35 AM, Rick Casarez wrote:
> Just trying to help. Answers in line.

Indeed -- and that's really appreciated!



>     > In Section 2:
>     >
>     > Firewall - I am wondering if a better definition can be made. From
>     what
>     > you wrote I cannot distinguish between a Firewall and an ACL.
> 
>     An ACL is a policy. A firewall is a device that enforces filtering
>     policies.
> 
> [Rick] Your definition would encompass routers and switches who have
> ACL/Filters on interfaces/SVIs. I would not consider these firewalls.

Well, that's a firewalling functionality. From a strict point of view, a
router does not really drop offending packets, but just forwards them.



>     > No mention
>     > of state tracking for instance etc.
> 
>     Ok, will try to add somethin in this respect.
> 
> [Rick] Please do, as Ca mentions this is how the vast majority of the
> world define it as. This even includes common compliance audits like
> PCI/SOC etc.

Question: WOuld you include this as part of the fw definition, or rather
e.g. simply define "state-tracking"?



>     > Section 5.1:
>     >
>     > "The drawback of this approach is that the security goal of "block
>     > traffic unless it is explicitly allowed" prevents useful new
>     applications."
>     >
>     > I am not sure I understand this line. It blocks new applications from
>     > immediately traversing the firewall. I know from experience though
>     that
>     > when a discussion is had with the NetSec team the application can be
>     > added to the allow list. So not sure a "default deny" means new stuff
>     > never gets allowed as the text insinuates.
> 
>     Well, that depends on where the firewall is being deployed, and if it is
>     actively managed.
> 
> [Rick] I am unaware of any firewall deployed that is no longer managed.

I'm told that comcast does currently deploys this sort of boxes for
their IPv6 residential customers.

And I'd argue that anything that is deployed at the home mostly follows
into this category...



>     > Section 6:
>     >
>     > There are temporary IPv4 addresses too.
> 
>     Not by definition I'd say. Or... would you mind elaborating a bit more
>     in this respect?
> 
>  [Rick] My apologies on this one got some wires crossed. This is good to go.

Thanks for double-checking!



>     > As for application being tunneled over well-known ports that
>     sounds like
>     > a breakdown of communication between the Service Owners and NetSec.
>     > Simple communication *should* lead to the creation of a profile
>     for that
>     > new application and its individual port. By doing what you describe it
>     > sounds like a Service Owner trying to get out of doing due diligence
>     > with NetSec or not knowing what port their application needs for
>     access
>     > (More common than you might think).
> 
>     Yes. Or, at times, a user/app trying to circumvent unmanaged firewalls.
>     -- Ironically, at times these protocols are referred to as "firewall
>     friendly".
>  
>  [Rick] The scenario makes no sense other than a mismanaged company
> frankly. You are essentially encouraging something against BCP. Even
> beyond security you will make it difficult to troubleshoot if everything
> is using the same port to traverse the firewall.

We¿re not talking about companies, but about e.g. about firewalls
deployed at homes, and applications meant to be employed by such users.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492