Distributed/End-Point Firewall Control (DEFCon) Requirements
draft-sahita-defcon-reqs-00

Document type: Expired Internet-Draft (individual), expired and archived
Authors: Ravi Sahita, Priya Govindarajan
Last updated: 2003-02-24
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active; a copy of the expired draft remains archived.

Abstract

This document describes the requirements for the architecture and a distributed framework for end-point firewall control (DEFCon), and discusses requirements for the individual pieces of the framework. Perimeter firewalls are predominant in enterprise networks but do not provide the protection a mission-critical network needs against misuse or abuse by nodes inside the network. A wireless infrastructure additionally exposes every host, since access is then not fundamentally restricted by the physical infrastructure. Likewise, traffic is increasingly encrypted end-to-end using SSL, IPsec, etc., so viruses, worms and confidential information can be hidden from the perimeter security components. Inspecting such traffic requires the perimeter firewall to become a man-in-the-middle for every secure session, which breaks the end-to-end principle and renders many protocols unusable because they are inevitably blocked. A host-based firewall on the nodes of the enterprise network protects the network from the inside out. This approach does not preclude perimeter firewalls; it provides defense-in-depth and reduces the load on them. The host-based approach also upholds the end-to-end principle, since traffic can remain securely encrypted end-to-end while the host is still protected from infection, compromise and attack.
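The abstract argues for enforcing policy at the end-point instead of decrypting at the perimeter. The following is an added example, not code from the draft or its authors: a minimal central-policy-to-host compiler in the spirit of a distributed end-point firewall framework. A central policy keyed by host role (the roles, rules and addresses are constructed for illustration) is validated and compiled into an nftables ruleset for one Linux host, with a default-drop policy in both directions so that outbound TLS stays end-to-end encrypted and the host still cannot, for example, originate direct SMTP.

```python
"""Added example (not from the draft): a minimal central-policy -> per-host
firewall compiler. A central policy keyed by host role is compiled into an
nftables ruleset for one host, so enforcement happens at the end-point and
end-to-end TLS/IPsec traffic never has to be decrypted at the perimeter.
Policy contents, role names and addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" (traffic to this host) or "out" (from this host)
    proto: str      # "tcp" or "udp"
    port: int
    peer: str       # IPv4 CIDR of the remote side; "0.0.0.0/0" means any
    action: str     # "accept" or "drop"


# Constructed sample central policy. "*" applies to every host role.
CENTRAL_POLICY = {
    "*": [
        Rule("in", "tcp", 22, "10.0.0.0/24", "accept"),    # SSH only from the admin subnet
        Rule("out", "tcp", 443, "0.0.0.0/0", "accept"),    # outbound HTTPS stays end-to-end encrypted
        Rule("out", "udp", 53, "10.0.0.53/32", "accept"),  # DNS only to the internal resolver
    ],
    "webserver": [
        Rule("in", "tcp", 443, "0.0.0.0/0", "accept"),
    ],
    "workstation": [
        Rule("out", "tcp", 25, "0.0.0.0/0", "drop"),  # no direct SMTP: limits mass-mailing worms
    ],
}


def validate(rule: Rule) -> None:
    """Reject malformed rules before they are pushed to hosts; a bad rule
    distributed centrally would otherwise break every host at once."""
    if rule.direction not in ("in", "out"):
        raise ValueError(f"bad direction {rule.direction!r}")
    if rule.proto not in ("tcp", "udp"):
        raise ValueError(f"bad proto {rule.proto!r}")
    if not 0 < rule.port <= 65535:
        raise ValueError(f"bad port {rule.port}")
    if rule.action not in ("accept", "drop"):
        raise ValueError(f"bad action {rule.action!r}")
    ipaddress.IPv4Network(rule.peer)  # raises ValueError on a bad CIDR


def rules_for(role: str) -> list:
    """Rules for a host of the given role: global rules plus role rules.
    Explicit drops are ordered first so they win over later accepts."""
    rules = CENTRAL_POLICY["*"] + CENTRAL_POLICY.get(role, [])
    for r in rules:
        validate(r)
    return sorted(rules, key=lambda r: r.action != "drop")  # stable: drops first


def _match(rule: Rule) -> str:
    """One nft rule line; an any-address peer omits the address match."""
    addr = "saddr" if rule.direction == "in" else "daddr"
    peer = "" if rule.peer == "0.0.0.0/0" else f"ip {addr} {rule.peer} "
    return f"{peer}{rule.proto} dport {rule.port} {rule.action}"


def compile_host(role: str) -> str:
    """Emit an nftables ruleset for one host. Default policy is drop in both
    directions (least privilege); only replies to established flows,
    loopback, and the centrally listed rules are allowed."""
    rules = rules_for(role)
    out = ["table inet defcon {"]
    for chain, direction in (("input", "in"), ("output", "out")):
        out.append(f"  chain {chain} {{")
        out.append(f"    type filter hook {chain} priority 0; policy drop;")
        out.append("    ct state established,related accept")
        out.append("    " + ("iif lo accept" if direction == "in" else "oif lo accept"))
        for r in rules:
            if r.direction == direction:
                out.append("    " + _match(r))
        out.append("  }")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    # Load on a host with: python3 defcon_compile.py | nft -f -
    print(compile_host("workstation"))
```

The output can be fed to `nft -f -` on the host. Validating at the distribution point matters as much as the rules themselves: in a distributed design a single malformed rule is replicated to every end-point, so it must be rejected before it leaves the central policy store.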

Authors

Ravi Sahita
Priya Govindarajan