[120928] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Jan 6 08:37:49 2010

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <alpine.DEB.1.10.1001051609340.23901@castor.opentrend.net>
Date: Wed, 6 Jan 2010 08:36:59 -0500
To: Robert Brockway <robert@timetraveller.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 5, 2010, at 4:24 PM, Robert Brockway wrote:

> Do you have any evidence to support this assertion?  You've just asserted that all firewalls have a specific vulnerability.  It isn't even possible to know the complete set of architectures (hardware & software) used for firewalls so I don't see how you can assert they all have this vulnerability.

Just about every DDoS I've ever been involved in mitigating results in some device labeled "firewall" blowing its brains and crippling the company further than if they had utilized a more distributed model.

When combined with various other layers of mitigation that are either integrated or inline with another device, we've spent lots of time troubleshooting which exact device was causing the most trouble.

I can't cite specific cases unless my customers say I can, but it's somewhat amusing to watch some C* of a company realize they've wasted money on a device/service that actually made the problem worse in the face of an attack.

There are those that might say the protection devices were not properly used, configured, etc... and if that's the case, it reflects the sad state of the lack of maturity of the industry/tech.  (Or that it's obsolete).

- Jared
