Re: DEFCON BOF Report
The tricky thing about controlling distributed firewalls is achieving
reliable configuration. It's not clear to me that this is being taken into
account in DEFCON (or NETCONF, for that matter).
There are several issues to look out for:
* Policy "lockup". This occurs when two sides of an IPsec security gateway
end up with inconsistent policy. If the gateway is also the route by which
the policy is distributed, then the network can be brought down and you need
to use an out-of-band mechanism to reset the policies. This can also happen
on hosts if the security policy is (mistakenly) set to drop traffic from the
policy distribution mechanism. This is a real phenomenon that has been
observed in practice.
* Transacted changes. This occurs when a number of hosts need to change
their policies in sync. For example, if IPsec SAs need to be upgraded from
DES to 3DES. To avoid causing problems, the upgrades need to occur in sync
-- or else some SAs won't be able to come up once the changes are made.
In practice, solving these issues may require concepts such as "last known
good", "timed upgrades", and "switchover transactions". The former requires
saving of a previous configuration, the middle requires time
synchronization, and the latter requires a transaction monitor.
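An added example, not part of the original message: a small Python model of the "last known good" and "switchover transaction" ideas applied to the DES to 3DES upgrade and to the lockup case described above. The `Gateway` class, the `MGMT_FLOW` label, the policy dictionary layout and the `reachable` callback are all assumptions made for illustration; timed upgrades are not modeled.

```python
from dataclasses import dataclass

MGMT_FLOW = "policy-distribution"  # assumed label for the channel that delivers policy

@dataclass
class Gateway:
    name: str
    active: dict                   # running policy: {"cipher": ..., "permit": {...}}
    staged: dict = None
    last_known_good: dict = None

    def prepare(self, policy):
        """Phase 1: validate and stage; the running policy is untouched."""
        if MGMT_FLOW not in policy["permit"]:
            return False           # lockup guard: would drop the distribution channel
        self.staged = policy
        return True

    def commit(self):
        """Phase 2: keep the old policy as last known good, then switch."""
        self.last_known_good, self.active, self.staged = self.active, self.staged, None

    def rollback(self):
        """Restore the saved configuration."""
        if self.last_known_good is not None:
            self.active = self.last_known_good

def sa_comes_up(a, b):
    """Constructed stand-in for negotiation: both ends must agree on the cipher."""
    return a.active["cipher"] == b.active["cipher"]

def switchover(gateways, policies, reachable=lambda gw: True):
    """Transaction monitor: every gateway switches, or none does."""
    # Evaluate prepare() on every gateway (list, not generator, so none is skipped).
    if not all([gw.prepare(policies[gw.name]) for gw in gateways]):
        for gw in gateways:
            gw.staged = None
        return "aborted"
    for gw in gateways:
        gw.commit()
    # Confirmation step. In this model the monitor triggers the rollback; a real
    # gateway would have to revert by itself when no confirmation arrives.
    if not all(reachable(gw) for gw in gateways):
        for gw in gateways:
            gw.rollback()
        return "rolled back"
    return "committed"
```
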