[120875] in North American Network Operators' Group
Re: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Tue Jan 5 16:35:23 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Tue, 5 Jan 2010 21:33:00 +0000
In-Reply-To: <Pine.LNX.4.64.1001061005410.15546@skyhawk.blakjak.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 6, 2010, at 4:07 AM, Mark Foster wrote:
> I'm interested by this assertion; surely Stateful Inspection is meant to=
=20
> facilitate the blocking of out-of-sequence packets, ones which aren't par=
t=20
> of valid + recognised existing sessions - whilst of course allowing valid=
=20
> SYN session-starters, etc?
>=20
> So thus, there may still be some value in catching 'injected' packets=20
> which don't actually belong in a session... ?
Nope - the hosts handle this better on their own.
>=20
> Some might argue that DoS is preferred to the other degrees of risk that=
=20
> many webservers hold... (trying not to point the finger in any one=20
> specific direction.)
Except that the firewalls don't mitigate any of the other degrees of risk, =
either.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
