Firewall considerations (Re: ISMS working group and charter problems)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





--On 7. september 2005 00:30 +0200 Iljitsch van Beijnum <iljitsch@xxxxxxxxx> wrote:

What would be in such a section? There are only three possibilities:

1. There is no firewall: no need for text.
2. There is a firewall, and it doesn't try to block the protocol: no
need for text.
3. There is a firewall, and it tries to block the protocol.

actually I would put it differently....

1. There is no firewall: no need for text
2. The firewall manager desires to let the connection go through
  (while not making any other changes in policy)
  2a. The firewall allows the manager to express this desire in policy
  2b. The firewall does not allow the manager to express this desire
3. The firewall manager desires to block this type of connection
  (while not making any other changes in policy)
  3a. The firewall allows the manager to express this desire in policy
  3b. The firewall does not allow the manager to express this desire

2a is the common case (I think) if the firewall has NAT as part of the "defense" mechanism; you can't get from the "outside" to the "inside" even if you want to (unless you do <ugly stuff>, of course)

3b is the common case for protocols tunneled over HTTP with simple-minded firewalls; that's why "deep packet inspection" products sell so well....

A "firewall considerations" section (ObRant: Mandatory Sections Are Bad) would discuss how to turn 2a and 3b into 2b and 3a.... for instance, such a section on RTP/SIP might discuss what you need to snoop on in order to open the proper "media holes" in your firewall, and why signing your SIP requests is better than encrypting them in this scenario <architectural choking sounds deleted>.......

                    Harald

Attachment: pgpAaqEFMTvlY.pgp
Description: PGP signature

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]