
openc2-actuator message



Subject: Re: [openc2-actuator] Re: Firewall Profile: Set action


Nirmal,

A question or two, for clarity's sake:

* set source ip - the ip of the source or the starting point may change on a regular basis

Would this be the source of traffic we want to DENY or ALLOW? Those commands would seem more appropriate than SET, unless I'm misunderstanding the intent.

 
* set host properties - in case of Palo Alto and other firewalls, they use host properties (such as from GlobalProtect or CounterACT)
* set tags - again Palo Alto, or VMware NSX, Illumio and others use dynamic tags for firewall rule for policy or segmentation

Both of those sound like something for a more sophisticated actuator than a stateless packet filter.

Dave

David P. Lemire, CISSP
OpenC2 Technical Committee Executive Secretary
OpenC2 Implementation Considerations SC Co-chair
Contractor support to NSA
Email: dave.lemire@g2-inc.com
Office: 301-575-5190 / Mobile: 240-938-9350

 

Hope this justifies keeping the “set” operation / action in the firewall profile.

Thanks,
Nirmal R.


On Apr 23, 2018, at 6:11 PM, Everett, Alex D <alex.everett@unc.edu> wrote:

I would lean towards removing set unless we can think of a useful case. Juniper used set, for example to set some part of the config (not necessarily just rules). Is there some config option that we just have to set that I haven't thought of?


So, I thought of one example, this is setting a blacklist in Palo Alto firewalls:

https://live.paloaltonetworks.com/t5/Featured-Articles/PAN-OS-8-0-IP-Block-List-Feeds/ta-p/129616

IP Block List Feeds, available in PAN-OS 8.0, provide admins with an enhancement to the External Dynamic Lists (formerly Dynamic Block List) feature to further reduce the attack surface.
But this seems a little advanced for a stateless packet filter.



-Alex


From: openc2-actuator@lists.oasis-open.org <openc2-actuator@lists.oasis-open.org> on behalf of Brule, Joseph M <jmbrule@radium.ncsc.mil>
Sent: Tuesday, April 17, 2018 4:28:18 PM
To: 'openc2-actuator@lists.oasis-open.org'
Subject: [openc2-actuator] Firewall Profile: Set action
 

All,

 

QUESTION ONE: 

I would like to remove the set action from this profile.  Do you think the ‘set’ action needs to be included in the 'stateless-packet-filtering' (aka firewall) profile?

 

QUESTION TWO: 

If you believe that the set action is applicable to the firewall profile, please identify whether it should be required or optional, and suggested target type(s).

 

BACKGROUND:

The following is NOT consensus attained from the actuator profile subcommittee nor any subset of the subcommittee.  The following is my personal opinion only and request confirmation or rebuttal.

 

In the context of the stateless-packet-filtering:

I do not see the utility of including ‘set’ in this profile.  Stateless packet filtering is about as simple as you get.  You would want to ‘set’ the firewall rules, but that is more appropriately covered by ‘deny’ and ‘allow’.

 

Should we leave the ‘set’ action out for now?  It can always be added later should we learn from our early implementers that it is in fact needed.   

 

Please advise

 

VR

 

Joe B
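The point Joe makes in the original message, and that Dave echoes for the "set source ip" case, is that a stateless packet filter holds nothing but an ordered list of allow/deny decisions keyed on packet headers, so a changing source IP is handled by issuing a fresh deny (or allow) rather than by a separate 'set'. The toy actuator below is an added illustration for this thread, not OpenC2 TC code and not any vendor's implementation. The command shape ({"action": ..., "target": {"ipv4_net": ...}}), the target key name, the numeric response codes and first-match evaluation are simplifying assumptions about the draft profile, and the addresses used are constructed RFC 5737 test-net values.

```python
"""Toy stateless packet filter driven by OpenC2-style allow/deny commands.

Added example for the thread above; not OpenC2 TC or vendor code. The command
shape, the 'ipv4_net' target key, the response codes and first-match rule
evaluation are all assumptions made for illustration.
"""
import ipaddress


class StatelessPacketFilter:
    """Ordered list of (action, network) rules and nothing else.

    'Stateless' here means each packet is judged on its own header; there
    is no connection table, no host properties and no tags to 'set'.
    """

    def __init__(self, default_action="allow"):
        self.rules = []                 # newest rule first
        self.default_action = default_action

    def handle_command(self, command):
        """Apply one OpenC2-style command; only allow/deny are understood."""
        action = command.get("action")
        if action not in ("allow", "deny"):
            # A 'set' action has no work left to do that allow/deny do not.
            return {"status": 400, "status_text": f"unsupported action {action!r}"}
        try:
            net = ipaddress.ip_network(command["target"]["ipv4_net"], strict=False)
        except (KeyError, ValueError) as exc:
            return {"status": 400, "status_text": f"bad target: {exc}"}
        # Newest decision wins: a re-issued command for a source that has
        # moved takes effect immediately, which is what 'set' would have done.
        self.rules.insert(0, (action, net))
        return {"status": 200}

    def decide(self, src_ip):
        """Return 'allow' or 'deny' for a packet from src_ip (first match)."""
        addr = ipaddress.ip_address(src_ip)
        for action, net in self.rules:
            if addr in net:
                return action
        return self.default_action


def demo():
    """Walk through the 'source IP changes regularly' case from the thread.

    Returns the decisions for the old source before and after it moved,
    for the new source, and for an unrelated host. Addresses are constructed.
    """
    fw = StatelessPacketFilter()
    # Block the source we currently see (constructed address).
    fw.handle_command({"action": "deny", "target": {"ipv4_net": "203.0.113.7/32"}})
    before_move = fw.decide("203.0.113.7")
    # The source moved to .8: deny the new address, re-allow the old one.
    fw.handle_command({"action": "deny", "target": {"ipv4_net": "203.0.113.8/32"}})
    fw.handle_command({"action": "allow", "target": {"ipv4_net": "203.0.113.7/32"}})
    return (
        before_move,
        fw.decide("203.0.113.7"),
        fw.decide("203.0.113.8"),
        fw.decide("198.51.100.1"),
    )


if __name__ == "__main__":
    print(demo())
    fw = StatelessPacketFilter()
    print(fw.handle_command({"action": "set", "target": {"ipv4_net": "10.0.0.0/8"}}))
```

Host properties and dynamic tags, the cases Nirmal raises, would need the actuator to carry per-host state beyond this rule list, which is why Dave reads them as belonging to a more capable profile than this one.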

 



