[120862] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Brielle Bruns)
Tue Jan 5 15:59:37 2010

Date: Tue, 05 Jan 2010 13:58:52 -0700
From: Brielle Bruns <bruns@2mbit.com>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <828F4485-EB8C-4D52-A2F9-89A0C06235B6@arbor.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 1/5/10 1:29 PM, Dobbins, Roland wrote:
> Putting firewalls in front of servers is a Really Bad Idea - besides
> the fact that the stateful inspection premise doesn't apply (see
> above), rendering the stateful firewall superfluous, even the
> biggest, baddest firewalls out there can be easily taken down via
> state-table exhaustion; an attacker can craft enough
> programmatically-generated, well-formed traffic which conforms to the
> firewall policies to 'crowd out' legitimate traffic, thus DoSing the
> server.  Additionally, the firewall can be made to collapse far
> quicker than the server itself would collapse, as the overhead on the
> state-tracking is less than what the server itself could handle on
> its own.

The trick is to not track ports/IPs that do not need it.  On my combo 
firewalls (that handle both NATing and serving websites, dns, etc) for 
example, I'll do a NOTRACK on the LAN side to prevent connections to the 
firewall itself from taking up valuable table space.

It's all how you configure and tweak the firewall.  Recommending people 
run servers without a firewall is bad advice - do you really want your 
Win2k3 server exposed, SMB, RPC, and all to the world?

-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org    /     http://www.ahbl.org
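A runnable sketch of the NOTRACK arrangement Brielle describes, added here as an example and not taken from the post. It assumes Linux iptables, a LAN interface eth1 and a firewall LAN address 192.168.1.1 (both constructed values), and prints the rules instead of applying them unless IPT=iptables is set; it also shows the two things the post leaves implicit, namely that untracked packets need their own stateless accept rules and that the exemption must be limited to traffic addressed to the firewall itself so NATed traffic stays tracked.

```shell
#!/bin/sh
# Added example (not from the post): exempt LAN-side connections to the
# firewall's own services from connection tracking, so they cannot fill
# the conntrack table. Constructed values: LAN interface eth1, firewall
# LAN address 192.168.1.1. Rules are printed by default; run with
# IPT=iptables to apply them.
LAN_IF=eth1
FW_LAN_IP=192.168.1.1
IPT="${IPT:-echo iptables}"

# Raw-table NOTRACK rules for one service. Both directions are needed:
# the request in PREROUTING and the firewall's reply in OUTPUT, or the
# reply would still create a conntrack entry. Matching only -d/-s
# $FW_LAN_IP keeps forwarded (NATed) LAN traffic tracked, since untracked
# packets also bypass the nat table. Newer iptables spells the target
# "-j CT --notrack".
notrack_service() {
    proto=$1; port=$2
    $IPT -t raw -A PREROUTING -i "$LAN_IF" -d "$FW_LAN_IP" -p "$proto" --dport "$port" -j NOTRACK
    $IPT -t raw -A OUTPUT -o "$LAN_IF" -s "$FW_LAN_IP" -p "$proto" --sport "$port" -j NOTRACK
}

# Untracked packets never match ESTABLISHED/RELATED, so the filter table
# needs explicit stateless accepts for exactly these services.
accept_untracked_service() {
    proto=$1; port=$2
    $IPT -A INPUT -i "$LAN_IF" -p "$proto" --dport "$port" -m conntrack --ctstate UNTRACKED -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -p "$proto" --sport "$port" -m conntrack --ctstate UNTRACKED -j ACCEPT
}

# Conntrack table fill in percent, for watching exhaustion; 0 when the
# counters are not readable (non-Linux host or conntrack not loaded).
conntrack_fill_pct() {
    count_f=/proc/sys/net/netfilter/nf_conntrack_count
    max_f=/proc/sys/net/netfilter/nf_conntrack_max
    if [ -r "$count_f" ] && [ -r "$max_f" ] && [ "$(cat "$max_f")" -gt 0 ]; then
        echo $(( $(cat "$count_f") * 100 / $(cat "$max_f") ))
    else
        echo 0
    fi
}

# Services the firewall itself offers to the LAN (web and DNS, as in the post).
for svc in "tcp 80" "tcp 443" "tcp 53" "udp 53"; do
    set -- $svc
    notrack_service "$1" "$2"
    accept_untracked_service "$1" "$2"
done
echo "conntrack table currently $(conntrack_fill_pct)% full"
```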

