Presentation is loading. Please wait.

Presentation is loading. Please wait.

draft-baker-opsawg-firewalls

Published byJonas Norton Modified over 5 years ago

Similar presentations

Presentation on theme: "draft-baker-opsawg-firewalls"— Presentation transcript:

1 draft-baker-opsawg-firewalls
Fred Baker

2 Purpose of this draft We have had discussions in v6ops and (now) in Homenet regarding firewalls RFC 6092 “Simple Security” draft-vyncke-advanced-ipv6-security I personally don’t think they have been very productive, and think the community needs to have a less emotional discussion on the topic Firewalls are a market requirement, but for bad reasons There are strong feelings about firewalls pro and con, and the discussions tend to not be helpful.

3 Draft discussion Introduction Common kinds of firewalls
Perimeter security: Protection from aliens and intruders Pervasive access control Intrusion Management: Contract and Reputation filters Reasoning about Firewalls The End-to-End Principle Building a communication The middle way Recommendations

4 Perimeter security: Protection from aliens and intruders
In Cisco equipment, we call this a “context-based” or “zone-based” defense. There is a “protected region” and “everywhere else” Sessions may originate from the “protected” region No sessions, or only certain sessions, may originate from “outside” Primary comment: “I want my NAT for security” presumes this model It’s actually a weak defense model, and disrupts certain service models PCP and UPnP are protocol models for allowing sessions into the domain for services

5 Pervasive access control
So-called “role-based” access control Systems organized into groups for security management Policy applied in network that Permits communication within a group Permits communication between stated pairs of groups Excludes or limits all else One group is “everyone else” More flexible, but still has impact on service deployment Requires an IT department to manage

6 Intrusion Management: Contract and Reputation filters
Generally implemented as Access control lists, Anomaly-based intrusion management, Signature-based intrusion management, or Reputation-based systems Basic policy: allow communication barring a specific reason not to Weakness: That’s not how we raise our children People often fail to maintain such software on hosts…

7 Reasoning about firewalls, part 1
I conclude that a firewall protects two things Protection against some forms of infrastructure attacks Second layer of defense for attacks on hosts Hosts still must be their own primary defense There may be better approaches to infrastructure defense Passive IP Addresses, for example

8 Reasoning about firewalls, part 2
Poorly-implemented firewalls make it difficult to deploy new technologies or services Explicit Congestion Notification SCTP

9 Recommendations: ZBAC
IF someone implements zone-based access control It SHOULD be possible for a host to assert that it is willing to field incoming traffic for a class of application Firewall SHOULD exclude traffic that nobody explicitly wants

10 Recommendations: RBAC
Observation: this requires active policy management anyway It’s better to implement using the control plane (routing) than the data plane (filtering) Make the policy systemic if possible – if Alice should not talk with Bob, Alice should not have a route to Bob.

11 Recommendations: Active policy algorithms
Reputation, Anomaly, and Signature models require regular and frequent updates Do so (duh) May not fit residential market

12 General observations Middleware should not prevent innovation
Prevent what is known to be bad Don’t prevent the unknown; it might be good Making assumptions about address spaces is also less than useful In IPv4, we have a lot of experience with the evils of NAT In IPv6, there can also be issues in coupling between address domains. So don’t make assumptions you can’t immediately justify

13 Way forward this draft What I have said in this draft…
Seems patently obvious to me. Seems controversial to others; we spend a lot of time, and waste energy, debating it. Is it useful to say? Would folks like to debate?

Download ppt "draft-baker-opsawg-firewalls"

Similar presentations

Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Personal Info 1 Prepared by: Mr. NHEAN Sophan  Presenter: Mr. NHEAN Sophan  Position: Desktop Support  Company: Khalibre Co,. Ltd 

Personal Info 1 Prepared by: Mr. NHEAN Sophan  Presenter: Mr. NHEAN Sophan  Position: Desktop Support  Company: Khalibre Co,. Ltd 
SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.

SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Department Of Computer Engineering

Department Of Computer Engineering
Firewalls and the Campus Grid: an Overview Bruce Beckles University of Cambridge Computing Service.

Firewalls and the Campus Grid: an Overview Bruce Beckles University of Cambridge Computing Service.
Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.

Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.
Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.

Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.

Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
Agenda Review route summarization Cisco acquire Sourcefire Review Final Exam.

Agenda Review route summarization Cisco acquire Sourcefire Review Final Exam.
P RESENTED B Y - Subhomita Gupta Roll no: 10 T OPICS TO BE DISCUSS ARE : Introduction to Firewalls  History Working of Firewalls Needs Advantages and.

P RESENTED B Y - Subhomita Gupta Roll no: 10 T OPICS TO BE DISCUSS ARE : Introduction to Firewalls  History Working of Firewalls Needs Advantages and.
Advanced IPv6 Residential Security draft-vyncke-advanced-ipv6- security-03 Eric Vyncke Mark Townsley

Advanced IPv6 Residential Security draft-vyncke-advanced-ipv6- security-03 Eric Vyncke Mark Townsley
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.

Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry.

5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry.

Similar presentations

Ads by Google