[120834] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Tue, 5 Jan 2010 07:47:46 +0000
In-Reply-To: <5a318d411001042338i354b99d5w3a6e0d38a38adc75@mail.gmail.com>
On Jan 5, 2010, at 2:38 PM, Darren Bolding wrote:
> * Defense in depth. You've never had a host that received external traffic ever accidentally have iptables or windows firewall turned off? Even when debugging a production outage or on accident?
Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps. 'Stateful inspection' where in fact there is no useful state to inspect is pointless.
> * Location for IDS/IDP.
Non-sequitur, as these things have nothing to do with one another (plus, these devices are useless, anyways, heh).
> * Connection cleanup, re-assembling fragments, etc.
Far, far, far better and more scalably handled by the hosts themselves and/or load-balancers.
> * SYN flood protection, etc.
Firewalls simply don't handle this well, marketing claims aside. They crash and burn.
> * Single choke point to block incoming traffic deemed undesirable.
Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.
> * Single log point for inbound connections for analysis and auditing requirements.
Contextless, arbitrary syslog from firewalls and other such devices is largely useless for this purpose. NetFlow combined with server/app/service logs is the answer to this requirement.
> * Allows outbound traffic enforcement.
Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.
> * Allows conditional inbound traffic from specific approved external hosts- e.g. a partner.
Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.
> * Some firewalls allow programmatic modification of configurations with all the benefits/pain that brings. This is alongside traditional CLI and GUI interfaces.
Ugly, brittle, siloed, to be avoided at all costs.
> * In some/many cases a zone based firewall configuration can be much easier to work with than a large iptables config. Certainly the management tools are better.
Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.
> * Yeah, auditors like it.
Education is the answer here.
;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
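As an added illustration of the two points Roland makes above (SYN-flood handling without per-connection state, and NetFlow joined with server logs instead of firewall syslog for auditing inbound connections), here is example code that is not part of the original post or of any Arbor product; the flow records, the access-log lines, the IP addresses and the thresholds are all constructed for the example.

```python
"""Added example (not from the original post): stateless, flow-based checks for
SYN-flood symptoms and for auditing inbound connections, using constructed
NetFlow-v5-style records joined with a constructed web server access log."""
from collections import defaultdict

SYN, ACK = 0x02, 0x10          # standard TCP flag bits as exported in NetFlow v5

# Constructed flow records: (src_ip, dst_ip, dst_port, tcp_flags, packets)
FLOWS = [
    ("203.0.113.5", "192.0.2.10", 80, SYN | ACK | 0x19, 14),   # completed session
    ("203.0.113.6", "192.0.2.10", 80, SYN | ACK | 0x19, 9),    # completed session
    ("203.0.113.7", "192.0.2.10", 443, SYN | ACK | 0x19, 7),   # completed, not in log
] + [("198.51.100.%d" % i, "192.0.2.10", 80, SYN, 1) for i in range(1, 41)]  # SYN-only

# Constructed Apache-style access log lines for the same server (HTTP only)
ACCESS_LOG = [
    '203.0.113.5 - - [05/Jan/2010:07:40:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.6 - - [05/Jan/2010:07:40:03 +0000] "GET /a HTTP/1.1" 200 1024',
]

def syn_flood_suspects(flows, min_flows=20, min_ratio=0.8):
    """Return {dst_ip: syn_only_count} for destinations whose inbound TCP flows
    are dominated by tiny SYN-only flows (no ACK ever seen). Only per-destination
    counters are kept, never per-connection state; thresholds are assumptions."""
    total, syn_only = defaultdict(int), defaultdict(int)
    for _src, dst, _port, flags, pkts in flows:
        total[dst] += 1
        if flags & SYN and not flags & ACK and pkts <= 2:
            syn_only[dst] += 1
    return {d: n for d, n in syn_only.items()
            if n >= min_flows and n / total[d] >= min_ratio}

def audit_inbound(flows, access_log):
    """Join completed flows (ACK seen) with the application log to get the
    per-connection audit record the thread says firewall syslog cannot give.
    Returns (matched, unmatched) lists of (src_ip, dst_ip, dst_port)."""
    logged = {line.split(" ", 1)[0] for line in access_log}   # client IP field
    matched, unmatched = [], []
    for src, dst, port, flags, _pkts in flows:
        if flags & ACK:
            (matched if src in logged else unmatched).append((src, dst, port))
    return matched, unmatched

if __name__ == "__main__":
    print("SYN-flood suspects:", syn_flood_suspects(FLOWS))
    print("audit (matched, unmatched):", audit_inbound(FLOWS, ACCESS_LOG))
```

Unmatched completed flows (here the HTTPS session) point at services whose logs still need to be pulled into the same join, which is the "server/app/service logs" half of the answer.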