Re: On firewall traversal vs. bypass

ext Melinda Shore wrote:
> On 7/31/07 4:09 AM, "Aki Niemi" <aki.niemi@xxxxxxxxx> wrote:
>> Continuing on something heard at the technical plenary last week. There
>> were people complaining that while protocols like STUN/TURN and ICE are
>> traversing NAT, they are in fact bypassing firewall policies, which they
>> should not be doing.
> 
> I think it's more complicated than that.
> 1) there were complaints about the difficulties caused
>    specifically by firewalls (apart from NATs)
> 2) Eric said that the IETF is producing firewall traversal
>    protocols like ICE
> 3) I pointed out that ICE is a NAT traversal protocol, not
>    a firewall traversal protocol, and that a key functional
>    difference is that NATs don't really do policy (beyond
>    address policy) while firewalls are specifically policy
>    devices.
> 
> Where I think we differ is in what we think firewalls ought
> to do.  While the default policy of a residential firewall
> probably should be something along the lines of "keep
> unsolicited traffic out," enterprise policies tend to be and
> should be a lot richer.

True, therefore it's not a good idea to group all firewalls together.
You draw a distinction between a NAT and a firewall; I would take this
further and draw a distinction between a NAT, a stateful firewall (a
close relative to NAT) and a stateless firewall (e.g., an enterprise
firewall).

> STUN and ICE effectively work by side-effect, creating NAT
> table mappings simply by passing data across the NAT.  In the
> firewall case you really must allow the firewall the possibility
> to say "no," and you should give the firewall the data it
> needs to make an informed decision.  That data might include
> application identification, user credentials - whatever
> information is used as the basis for a policy decision.  It's
> also nice if you're able to tell the application that its
> request has been denied so that it can fail and/or recover
> gracefully.  

While I agree that interacting with an enterprise firewall is probably
best done with an explicit control interface -- one where credentials
can be issued and authorization policies enforced -- I don't think it
necessarily means all firewalls are best handled this way. In fact, ICE
by default won't help you with the enterprise firewall, but it's exactly
the tool to use for the stateful firewall on a home router box.

Then again, if the enterprise so chooses, it could indeed deploy TURN as
this explicit control interface, rather than the SBC-type box typically
used today. ICE could accommodate this as well.

> I also think the assumption that any media flows across a
> firewall ought to be allowed is questionable, but that's a
> somewhat different matter.

Again, depends on the firewall. In an enterprise this might not be a
reasonable assumption, but on the typical home router box, I very much
doubt whether it makes any difference if the flow carries VoIP or
internet radio streaming or a webcam feed. Why do you think it does?

Cheers,
Aki
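To make the NAT/stateful-firewall versus policy-firewall distinction in the thread concrete, here is a constructed simulation added to this page (not code from the thread or from any IETF implementation). A toy stateful firewall opens a pinhole purely as a side-effect of outbound traffic, which is the mechanism STUN/ICE connectivity checks rely on, while a toy policy firewall admits a flow only after an explicit, credentialed authorization and otherwise answers with a reason the application can act on. The addresses, the user/application policy table and the `authorize()` control interface are all assumptions.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")

def answer(p):  # the peer's reply to packet p: 5-tuple reversed
    return Packet(p.dst, p.dport, p.src, p.sport, p.proto)

class StatefulFirewall:
    """Home-router style: unsolicited inbound is dropped, but any outbound
    packet opens a pinhole. STUN/ICE rely on exactly this side effect."""
    def __init__(self):
        self.pinholes = set()
    def outbound(self, pkt):
        self.pinholes.add(pkt)
        return True, "allowed: outbound packet opened a pinhole"
    def inbound(self, pkt):
        if answer(pkt) in self.pinholes:
            return True, "allowed: answer to an existing pinhole"
        return False, "dropped: unsolicited inbound"

class PolicyFirewall:
    """Enterprise style: a flow exists only after an explicit request naming
    application and user is granted via a control interface. Passing data
    never creates state, and a denial carries a reason the app can act on."""
    def __init__(self, policy):
        self.policy = policy  # assumed table: user -> applications allowed through
        self.flows = set()
    def authorize(self, app, user, pkt):
        if app not in self.policy.get(user, set()):
            return False, f"denied: {user} may not run {app} through this firewall"
        self.flows.add(pkt)
        return True, f"granted: {app} for {user}"
    def outbound(self, pkt):
        if pkt in self.flows:
            return True, "allowed: authorized flow"
        return False, "denied: no authorization for this flow"
    def inbound(self, pkt):
        return self.outbound(answer(pkt))

CHECK = Packet("10.0.0.5", 50000, "198.51.100.7", 3478, "udp")  # constructed STUN check

def ice_check(fw):
    """One ICE connectivity check: the inside host sends a STUN Binding request
    and the peer answers. Returns (request_passed, answer_passed, reason)."""
    ok, why = fw.outbound(CHECK)
    if not ok:
        return False, False, why
    ok, why = fw.inbound(answer(CHECK))
    return True, ok, why
```

Running `ice_check` against a `StatefulFirewall` succeeds with no prior setup, whereas against a `PolicyFirewall` it fails until `authorize()` has been called for a user whose policy permits the application.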

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf