
Re: DEFCON BOF Report



The tricky thing about controlling distributed firewalls is achieving reliable configuration. It's not clear to me that this is being taken into account in DEFCON (or NETCONF, for that matter).

There are several issues to look out for:

* Policy "lockup". This occurs when two sides of an IPsec security gateway end up with inconsistent policy. If the gateway is also the route by which the policy is distributed, then the network can be brought down and you need to use an out-of-band mechanism to reset the policies. This can also happen on hosts if the security policy is (mistakenly) set to drop traffic from the policy distribution mechanism. This is a real phenomenon that has been observed in practice.

* Transacted changes. This occurs when a number of hosts need to change their policies in sync. For example, if IPsec SAs need to be upgraded from DES to 3DES. To avoid causing problems, the upgrades need to occur in sync -- or else some SAs won't be able to come up once the changes are made.

In practice, solving these issues may require concepts such as "last known good", "timed upgrades", and "switchover transactions". The first requires saving a previous configuration, the second requires time synchronization, and the third requires a transaction monitor.
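The three safeguards named in the message, as an added illustration that is not part of the original post: a simulation of a controller pushing a firewall/IPsec policy to a set of hosts, where each host refuses a policy that would block the channel it arrived on (the lockup case), keeps the previous policy as "last known good", and only switches when every host has staged the new policy (the switchover transaction); after the commit the controller must reconfirm reachability within its deadline or all hosts roll back together (the timed upgrade). The controller address, the use of NETCONF's port 830 as the management channel, and the policies themselves are constructed assumptions for the example.

```python
"""Simulated distributed-firewall policy rollout with three safeguards:
last known good, timed upgrade with rollback, and a two-phase switchover
transaction. Constructed example; not code from the mailing-list post."""

from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

CONTROLLER = "10.0.0.1"   # assumed address of the policy distribution point
MGMT_PORT = 830           # assumed management channel (NETCONF over SSH)


@dataclass
class Policy:
    name: str
    allow: Set[Tuple[str, int]]   # (source, destination port) pairs permitted
    cipher: str                   # cipher the host will negotiate for its SAs

    def permits(self, src: str, port: int) -> bool:
        """Default-deny: anything not listed is dropped."""
        return (src, port) in self.allow


@dataclass
class Host:
    name: str
    active: Policy
    staged: Optional[Policy] = None
    last_good: Optional[Policy] = None

    def stage(self, new: Policy) -> bool:
        """Phase 1: hold the new policy without activating it.
        Lockup check: a policy that drops the controller's own traffic could
        never be corrected in-band, so it is rejected before it is ever applied."""
        if not new.permits(CONTROLLER, MGMT_PORT):
            return False
        self.staged = new
        return True

    def commit(self) -> None:
        """Phase 2: activate the staged policy, remembering the old one."""
        self.last_good, self.active, self.staged = self.active, self.staged, None

    def abort(self) -> None:
        self.staged = None

    def revert(self) -> None:
        """Fall back to last known good (used when confirmation never arrives)."""
        if self.last_good is not None:
            self.active, self.last_good = self.last_good, None


def switchover(hosts: List[Host], new: Policy) -> bool:
    """Transaction monitor: every host switches, or none does."""
    prepared = [h for h in hosts if h.stage(new)]
    if len(prepared) != len(hosts):
        for h in prepared:
            h.abort()
        return False
    for h in hosts:
        h.commit()
    return True


def confirm_or_revert(hosts: List[Host], reached: Callable[[Host], bool]) -> bool:
    """Timed upgrade: after the commit the controller must reach every host
    before its deadline. If any host cannot be confirmed, all hosts roll back
    to last known good so their SAs stay consistent with one another."""
    if all(reached(h) for h in hosts):
        return True
    for h in hosts:
        h.revert()
    return False


def sa_can_come_up(a: Host, b: Host) -> bool:
    """Both ends must agree on the cipher for an SA to be negotiated."""
    return a.active.cipher == b.active.cipher


# Constructed policies: v1 with DES, v2 upgrading to 3DES, and a broken
# candidate that drops the controller's management traffic.
MGMT = {(CONTROLLER, MGMT_PORT)}
IKE = {("10.0.1.1", 500), ("10.0.1.2", 500)}
OLD = Policy("v1-des", MGMT | IKE, "DES")
NEW = Policy("v2-3des", MGMT | IKE, "3DES")
LOCKUP = Policy("v2-broken", set(IKE), "3DES")


def run_example() -> List[str]:
    """Walk through the three cases and return a log of what happened."""
    a, b = Host("gw-a", OLD), Host("gw-b", OLD)
    log = []
    log.append(f"broken policy accepted: {switchover([a, b], LOCKUP)}")
    log.append(f"3DES policy accepted: {switchover([a, b], NEW)}")
    log.append(f"SA gw-a<->gw-b after commit: {sa_can_come_up(a, b)}")
    # Simulate the controller failing to reach gw-b before its deadline.
    ok = confirm_or_revert([a, b], lambda h: h.name != "gw-b")
    log.append(f"confirmed in time: {ok}; active now {a.active.name}/{b.active.name}")
    return log


if __name__ == "__main__":
    print("\n".join(run_example()))
```

The point of rejecting at stage time rather than after activation is that once a host has applied a policy dropping port 830 from the controller, the only remaining way to fix it is the out-of-band reset the message warns about; the rollback after a missed confirmation covers the other lockup route, where the policy is fine on paper but the host becomes unreachable anyway.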
