[120798] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Mon Jan 4 21:26:34 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Tue, 5 Jan 2010 02:24:00 +0000
In-Reply-To: <2c52b84e1001041817s9114fer69ee3a56be8f06d6@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 5, 2010, at 9:17 AM, Tim Eberhard wrote:
> I would argue that firewalls place is in fact directly infront of server=
s and load balancers to protect them.
The very idea of placing a stateful firewall in front of a Web/DNS/email/et=
c. server, in which *every single incoming packet is unsolicited, and there=
fore, leaves no state to be inspected in the first place*, is absurd.
There is simply no valid argument for doing so. Hardening the OS/apps/serv=
ices, combined with stateless ACLs in hardware which can handle mpps, is th=
e way to enforce policy.
In fact, the idea is such a poor one that one of the major firewall vendors=
came out with a 'stateful inspection bypass' feature - the idea being that=
, you buy their 10gb/sec, $100K-plus stateful firewall, stick it in front o=
f servers, and then . . . disable the stateful inspection, heh.
;>
None of the large, well-known Web properties on the Internet today - at lea=
st, the ones which stay up and running, heh - have stateful firewalls in fr=
ont of them. Including prominent vendors of said stateful firewall solutio=
ns.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
