Re: ISMS working group and charter problems

On 7-sep-2005, at 1:54, Steven M. Bellovin wrote:

>> I recognize that carrying all existing firewalls to the scrap heap
>> won't immediately solve our problems, but we do have to realize that
>> current filter practices do almost as much harm as they do good. We
>> really need better stuff here.
>>
>> (It's amusing to see that to some people, security means encrypting
>> their communication, while to others it means inspecting that same
>> communication.)

> I opt for each in its place.  I'm also an advocate for distributed
> firewalls.  But I *really* don't want to refight the whole firewall
> issue yet again; I've been through that too many times in the last
> decade or so.

:-) Well, I wouldn't mind having this fight if I thought it would do any good, but that doesn't seem likely. What _could_ do some good is to come up with better stuff than just observing packets on the wire. The exact same packet can either be completely harmless or be part of a huge security breach, depending on what software sent it / will receive it. It would be great if a security device could block packets sent by Apache 2.8 while allowing the same packets if sent by Apache 2.81.

> For right now, though, the issue is engineering.  Again, the vast
> majority of hosts are behind firewalls.  Is the philosophical issue
> that important that we should ignore it?  I don't think so.

Well, I had occasion to write a NAT and firewall considerations section for a draft not long ago, but the trouble is: what should go in there? As long as there are no guidelines on how to interact with firewalls, such sections will generally reflect the private opinions of the authors, which may or may not be useful on a case-by-case basis.

(In this case, my main concern was that certain signalling traffic would be handled the same as certain other signalling traffic by firewalls, and it would be good if we could make both types of signalling be treated the same as the data traffic, but that didn't seem doable.)
