Re: On firewall traversal vs. bypass

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/31/07 4:09 AM, "Aki Niemi" <aki.niemi@xxxxxxxxx> wrote:
> Continuing on something heard at the technical plenary last week. There
> were people complaining that while protocols like STUN/TURN and ICE are
> traversing NAT, they are in fact bypassing firewall policies, which they
> should not be doing.

I think it's more complicated than that.
1) there were complaints about the difficulties caused
   specifically by firewalls (apart from NATs)
2) Eric said that the IETF is producing firewall traversal
   protocols like ICE
3) I pointed out that ICE is a NAT traversal protocol, not
   a firewall traversal protocol, and that a key functional
   difference is that NATs don't really do policy (beyond
   address policy) while firewalls are specifically policy
   devices.

Where I think we differ is in what we think firewalls ought
to do.  While the default policy of a residential firewall
probably should be something along the lines of "keep
unsolicited traffic out," enterprise policies tend to be and
should be a lot richer.

STUN and ICE effectively work by side-effect, creating NAT
table mappings simply by passing data across the NAT.  In the
firewall case you really must allow the firewall the possibility
to say "no," and you should give the firewall the data it
needs to make an informed decision.  That data might include
application identification, user credentials - whatever
information is used as the basis for a policy decision.  It's
also nice if you're able to tell the application that its
request has been denied so that it can fail and/or recover
gracefully.  

I also think the assumption that any media flows across a
firewall ought to be allowed is questionable, but that's a
somewhat different matter.

Melinda

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]