openc2-actuator message
Subject: Firewall Profile: Introduction Paragraph


QUESTION ONE:  
Do you prefer Version A, B, C or 'No Preference' for the introduction paragraph?   

QUESTION TWO:  
If you have a preference (or objection), an indication of the strength of your preference and the reasoning behind your statement would be helpful.   
I know that the technical matters are more interesting, but would like to get the intro paragraph resolved.  

My "Vote":  
I have a moderate preference for 'B' for the following reasons: 
B is the most generic and focuses on what distinguishes stateless packet filtering from other firewalls.  
I have a concern with 'A'.  Is the reference internationally recognized as a 'seminal work on firewalls'?  It is possible that some of the other world's subject matter experts may consider someone else's work equally impactful?  I would feel better going with a very generic definition or quoting an RFC or ISO document.  

BACKGROUND:  

VERSION A:  (The last sentence in version A was added per comments from two reviewers)

In their seminal work of firewalls, Bellovin and Cheswick define firewalls:
"a firewall is any device, software, or arrangement or equipment that limits network access. It can be a box that you buy or build, or a software layer in something else. Today, firewalls come "for free" inside many devices: routers, modems, wireless base stations, and IP switches, to name a few. Software firewalls are available for (or included with) all popular operating systems. They may be a client shim (a software layer) inside a PC running Windows, or a set of filtering rules implemented in a UNIX kernel."
They go on to define 3 types of firewall:
"There are three main categories: packet filtering, circuit gateways, and application gateways. Each of these is characterized by the protocol level it controls, from lowest to highest, but these categories get blurred, as you will see. For example, a packet filter runs at the IP level, but may peek inside for TCP information, which is at the circuit level. "
This profile is for the stateless packet filtering firewall functions. A "Stateless Packet Filter" bases its policy on static values such as source address, destination address, and/or port numbers.  Stateless packet filtering is not aware of patterns, connection state, data flows, applications, or payload information.  

VERSION B: 
A firewall is a policy enforcement mechanism that restricts or permits traffic based on some combination of attributes such as connection state, ports, protocols, patterns, flows etc.  A 'Stateless-Packet-Filter' bases its policy on static values such as source address, destination address, and/or port numbers.  A 'Stateless-Packet-Filter' is not 'aware' of patterns, connection state, data flows, applications or payload information.  The scope of this profile is limited to Stateless-Packet-Filtering firewalls.

BOTH VERSION A AND B WOULD END WITH:
This actuator profile specifies the set of actions, targets, specifiers, and options that integrates stateless-packet-filter functionality (herein referred to as 'firewall') with the Open Command and Control (OpenC2) command set.




-----Original Message-----
From: Brule, Joseph M 
Sent: Tuesday, April 3, 2018 8:58 AM
To: 'openc2-actuator@lists.oasis-open.org' <openc2-actuator@lists.oasis-open.org>
Subject: Firewall Profile: Introduction Paragraph

Actuator Profile Subcommittee, 

We inherited a draft from the OpenC2 forum, but the subcommittee wants to modify the introduction.  There were two proposed introductions and at this time there is no clear consensus or majority with respect to which.  Please let me know which of the two you prefer and/or provide comments or your own version:  

===
VERSION A: 
In their seminal work of firewalls, Bellovin and Cheswick define firewalls:
"a firewall is any device, software, or arrangement or equipment that limits network access. It can be a box that you buy or build, or a software layer in something else. Today, firewalls come "for free" inside many devices: routers, modems, wireless base stations, and IP switches, to name a few. Software firewalls are available for (or included with) all popular operating systems. They may be a client shim (a software layer) inside a PC running Windows, or a set of filtering rules implemented in a UNIX kernel."
They go on to define 3 types of firewall:
"There are three main categories: packet filtering, circuit gateways, and application gateways. Each of these is characterized by the protocol level it controls, from lowest to highest, but these categories get blurred, as you will see. For example, a packet filter runs at the IP level, but may peek inside for TCP information, which is at the circuit level. "
This profile is for the stateless packet filtering firewall functions.

===
VERSION B: 
A firewall is a policy enforcement mechanism that restricts or permits traffic based on some combination of attributes such as connection state, ports, protocols, patterns, flows etc.  A 'Stateless-Packet-Filter' bases its policy on static values such as source address, destination address, and/or port numbers.  A 'Stateless-Packet-Filter' is not 'aware' of patterns, connection state, data flows, applications or payload information.  The scope of this profile is limited to Stateless-Packet-Filtering firewalls. 
This actuator profile specifies the set of actions, targets, specifiers, and options that integrates stateless-packet-filter functionality (herein referred to as 'firewall') with the Open Command and Control (OpenC2) command set. Through this command set, cyber security orchestrators may gain visibility and provide control into the firewall functionality in a manner that is independent of the vendor or generator of the firewall.

===
ORIGINAL FROM FORUM DAYS: 
A firewall is a network security function that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.  Current firewalls are characterized as:
1. Stateful packet inspection (or "traditional") - allows or blocks traffic based on connection state, port and protocol
2. Unified threat management (UTM) - performs stateful packet inspection functions plus intrusion prevention, anti-virus, and potentially other services
3. Next-generation firewall (NGFW) - performs stateful packet inspection functions plus intrusion prevention, application awareness, external information feeds, and adaptability to future threats. [1], [2], [3]
Firewalls are generally categorized as network-based or host-based and can take many forms, from dedicated appliances or as part of a multi-function security appliance, to software that runs on general-purpose physical hosts or virtual networks.  This actuator profile applies to stateful packet inspection functions.
===

Thank you 

Joe B
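The distinction that Versions A and B both rest on (a stateless packet filter decides from static header values alone and is "not aware" of connection state) is easiest to see in a small model. The following is an added illustration, not part of the message above and not OASIS or OpenC2 code; the rules, addresses, ports and packets are constructed sample values, and the `StatelessFilter` / `StatefulFilter` classes are a simplification of the two categories rather than any product's behaviour.

```python
# Added illustration, not code from the original message or from OASIS/OpenC2.
# Models the distinction Versions A and B draw: a stateless packet filter decides
# each packet from static header fields alone, keeping no connection state.
# Rules, addresses and packets below are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One static rule: every field set here must match; unset fields match anything."""
    action: str                # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class StatelessFilter:
    """First matching rule wins; otherwise the default verdict applies."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


class StatefulFilter(StatelessFilter):
    """Same rule set plus a flow table: replies to a permitted flow are allowed
    without needing a static rule for the reply direction."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        super().__init__(rules, default)
        self.flows: Set[Tuple] = set()

    def decide(self, pkt: Packet) -> str:
        # Is this the reverse direction of a flow we already permitted?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "allow"
        verdict = super().decide(pkt)
        if verdict == "allow":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return verdict


# Constructed policy: 10.0.0.0/8 is "inside"; 10.0.0.5 hosts a public HTTPS service.
RULES = [
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=443),  # inbound to web server
    Rule("allow", src="10.0.0.0/8"),                          # anything initiated from inside
]

# Constructed traffic: an inside client opens a connection out, then the reply returns.
OUTBOUND = Packet("10.0.0.9", "198.51.100.4", "tcp", sport=51234, dport=80)
REPLY = Packet("198.51.100.4", "10.0.0.9", "tcp", sport=80, dport=51234)


def verdicts(fw: StatelessFilter, packets: List[Packet]) -> List[str]:
    """Run packets through a filter in order and collect the verdicts."""
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", verdicts(StatelessFilter(RULES), [OUTBOUND, REPLY]))  # ['allow', 'deny']
    print("stateful: ", verdicts(StatefulFilter(RULES), [OUTBOUND, REPLY]))   # ['allow', 'allow']
    # With no prior outbound packet, the stateful filter rejects the same "reply" as unsolicited.
    print("unsolicited:", verdicts(StatefulFilter(RULES), [REPLY]))            # ['deny']
```

The stateless filter drops the reply because no static rule describes it, even though the inside host asked for it; the stateful filter allows it only because it remembers the outbound packet. The practical consequence for a profile scoped to stateless packet filtering is that the only way to pass such replies is another static rule keyed on the header values the reply happens to carry, and that rule admits any packet with those values regardless of whether a connection exists. That is exactly the limitation Version B's "not 'aware' of patterns, connection state, data flows, applications or payload information" spells out.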


