[120859] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Tue Jan 5 15:29:41 2010

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Tue, 5 Jan 2010 20:29:01 +0000
In-Reply-To: <29A54911243620478FF59F00EBB12F4701B27EDF@ex01.drtel.lan>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 6, 2010, at 3:16 AM, Brian Johnson wrote:

> Given this information, and not prejudging any responses, exactly what is a
> firewall for and when is stateful inspection useful?

In the most basic terms, a stateful firewall performs bidirectional classification of communications between nodes, and makes a pass/fail determination on each packet based on a) whether or not a bidirectional communications session is already open between the nodes and b) any policy rules configured on the firewall as to what ports/protocols should be allowed between said nodes.

Stateful firewalls make good sense in front of machines which are primarily clients; the stateful inspection part keeps unsolicited packets away from the clients.

Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the server is unsolicited (some protocols like ftp work a bit differently in that there're multiple bidirectional/omnidirectional communications sessions, but the key is that the initial connection is always unsolicited).

Putting firewalls in front of servers is a Really Bad Idea - besides the fact that the stateful inspection premise doesn't apply (see above), rendering the stateful firewall superfluous, even the biggest, baddest firewalls out there can be easily taken down via state-table exhaustion; an attacker can craft enough programmatically-generated, well-formed traffic which conforms to the firewall policies to 'crowd out' legitimate traffic, thus DoSing the server.  Additionally, the firewall can be made to collapse far quicker than the server itself would collapse, as the overhead on the state-tracking is less than what the server itself could handle on its own.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
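An added model of the state-table exhaustion described in the post above (example code written for this archive page, not from the post or from Arbor): a fixed-size session table admits only SYN-initiated flows that still fit, so policy-conforming flows from a handful of sources fill it and ordinary clients are refused. The per-source cap, the capacity, the idle timeout and all addresses are assumptions chosen for the constructed workload; the cap is a mitigation the post does not discuss, included to show what changes when no single source can monopolise the table.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class StateTable:
    """Fixed-size session table; entries map a flow to the time it was last seen."""
    capacity: int
    idle_timeout: float
    per_source_limit: int = 0  # 0 = no cap, the situation the post describes (assumed knob)
    entries: Dict[Flow, float] = field(default_factory=dict)
    rejected: int = 0

    def expire(self, now: float) -> None:
        """Drop sessions idle longer than idle_timeout; the only way a full table drains."""
        for flow in [f for f, t in self.entries.items() if now - t > self.idle_timeout]:
            del self.entries[flow]

    def packet(self, now: float, flow: Flow, syn: bool) -> bool:
        """Pass/fail decision for one packet: a known session passes; a new session
        needs a SYN, a free slot and, if configured, headroom under the per-source cap."""
        self.expire(now)
        if flow in self.entries:
            self.entries[flow] = now
            return True
        if not syn:  # unsolicited mid-stream packet with no session: dropped
            return False
        from_src = sum(1 for f in self.entries if f[0] == flow[0])
        if len(self.entries) >= self.capacity or (
                self.per_source_limit and from_src >= self.per_source_limit):
            self.rejected += 1
            return False
        self.entries[flow] = now
        return True


def simulate(per_source_limit: int = 0) -> Tuple[int, int]:
    """Constructed workload: 5 sources each open 40 well-formed, policy-conforming flows
    to the server, then 30 ordinary clients try to connect. Returns (slots the flood
    holds when the clients arrive, clients admitted)."""
    table = StateTable(capacity=100, idle_timeout=30.0, per_source_limit=per_source_limit)
    now = 0.0
    for src in range(5):
        for port in range(40):
            table.packet(now, (f"10.0.0.{src}", 40000 + port, "203.0.113.10", 80), syn=True)
            now += 0.01
    occupied = len(table.entries)
    admitted = sum(table.packet(now, (f"198.51.100.{i}", 50000, "203.0.113.10", 80), syn=True)
                   for i in range(30))
    return occupied, admitted
```

Without a cap the 200 flows saturate the 100-slot table and every client is refused; with a cap of 10 per source the flood holds 50 slots and all 30 clients get through, while the idle timeout decides how long a finished flood keeps those slots.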
