Subject: Re: I don't need no stinking firewall!
List: North American Network Operators' Group (NANOG), message 120941
From: Brian Keefer <chort@smtps.net>
In-Reply-To: <29A54911243620478FF59F00EBB12F4701B27F1E@ex01.drtel.lan>
Date: Wed, 6 Jan 2010 09:38:01 -0800
To: Brian Johnson <bjohnson@drtel.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote:
> Like Roland, I've been doing this for over a decade as well, and I have seen some pretty strange things, even a stateful firewall in front of servers with IPS actually work.
>
What do you mean by "work"? If you mean "all three pieces ran for years without being seriously attacked", then that's really not the same thing as "continued to perform assigned duties effectively in the face of a determined DDoS".

I'd venture to say the vast majority of network operators, including myself, have never faced a DoS worse than a miscreant kid with a cable modem. The few customers I've talked to who have been DDoS'd have all said the firewall died first.

It's pretty simple. Of the devices on your network that have to keep state, a firewall has to maintain far more of them, since it's the aggregate of many down-stream hosts. The resources to maintain state are finite. At some point, those finite resources will be exceeded, and that will happen to a device holding the aggregate before any other device succumbs to the same problem.

If the firewall goes down, that DoS's everything behind it. Is that really better than having only a portion of the down-stream hosts unavailable?

IMO firewalls have been a crutch for far too long. They're an excuse for not having tight host-based security and (more importantly) good patch-management. There really isn't a network perimeter anymore anyway. If any of your hosts gets infected, they're going to attempt to infect their neighbors. Worms have been doing this since they were invented and a network firewall offers very little protection against it.

Put another way: Is it clear that spending money on fancy network firewalls and IPS is more effective at mitigating risk than investing the same money in patch-management and host-hardening? I don't think so.

I'd also like to add a +1 to the statement "firewalls break things in subtle and hard-to-debug ways". The longest support calls are always those trying to figure out how the customer's firewall is breaking things, and then how to prove this to their $management so they'll approve disabling the offending "feature". Speaking of which, there are about 700MB of PCAPs that I'm supposed to be looking at right now...
--
bk
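The state-exhaustion argument in the message above (a device holding the aggregate state of many hosts runs out of table space before any single host does) can be made quantitative. The following is an added example, not part of the NANOG thread or any product: a toy capacity model in which each state-holding device is sized by Little's law (steady-state entries = new-connection rate x entry lifetime), plus a small monitoring helper for classifying a state-table reading such as conntrack count versus maximum. All host counts, table sizes, timeouts and flood rates are constructed for the illustration.

```python
"""Toy model of state-table exhaustion: one aggregate stateful firewall in
front of N hosts, versus the same hosts keeping only their own state.

Added example for the NANOG thread; every number here is constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class StateTable:
    """A device that tracks connection state in a table of finite size."""
    name: str
    max_entries: int      # the finite resource the message refers to
    timeout_s: float      # lifetime of one entry (e.g. half-open TCP state)

    def steady_state_entries(self, new_conn_per_s: float) -> float:
        # Little's law, L = lambda * W: a sustained arrival rate of lambda
        # new flows per second, each held for W seconds, occupies lambda*W
        # entries once the table reaches steady state.
        return new_conn_per_s * self.timeout_s

    def utilisation(self, new_conn_per_s: float) -> float:
        return self.steady_state_entries(new_conn_per_s) / self.max_entries

    def exhausted(self, new_conn_per_s: float) -> bool:
        return self.utilisation(new_conn_per_s) > 1.0


def unavailable_hosts(hosts: Dict[str, StateTable],
                      firewall: Optional[StateTable],
                      flood: Dict[str, float]) -> Set[str]:
    """Hosts that lose service under `flood` (host name -> new conn/s).

    With a firewall in front, its table sees the aggregate rate of every
    downstream host; if that table is exhausted, everything behind it is
    unreachable regardless of how much headroom each host still has."""
    if firewall is not None:
        aggregate = sum(flood.get(h, 0.0) for h in hosts)
        if firewall.exhausted(aggregate):
            return set(hosts)
    return {h for h, t in hosts.items() if t.exhausted(flood.get(h, 0.0))}


def pressure_level(current: int, maximum: int,
                   warn: float = 0.7, crit: float = 0.9) -> str:
    """Classify a state-table reading for monitoring (e.g. the values of
    nf_conntrack_count and nf_conntrack_max on a Linux box, or the session
    count and limit from any stateful device). Thresholds are assumptions."""
    ratio = current / maximum
    if ratio >= crit:
        return "critical"
    if ratio >= warn:
        return "warning"
    return "ok"


if __name__ == "__main__":
    # Constructed scenario: ten hosts with 100k-entry tables behind a
    # firewall with a 500k-entry table, all holding entries for 60 s.
    hosts = {f"h{i}": StateTable(f"h{i}", 100_000, 60.0) for i in range(10)}
    fw = StateTable("fw", 500_000, 60.0)

    # A flood spread evenly at 1,000 new conn/s per host: no single host
    # exceeds its own table, but the aggregate (600k) exceeds the firewall's.
    spread = {h: 1_000.0 for h in hosts}
    print("spread, no firewall:", sorted(unavailable_hosts(hosts, None, spread)))
    print("spread, firewall   :", sorted(unavailable_hosts(hosts, fw, spread)))

    # A flood focused on three hosts: without the firewall only those three
    # go down; with it, the aggregate takes out all ten.
    focused = {"h0": 7_000.0, "h1": 7_000.0, "h2": 7_000.0}
    print("focused, no firewall:", sorted(unavailable_hosts(hosts, None, focused)))
    print("focused, firewall   :", sorted(unavailable_hosts(hosts, fw, focused)))
    print("fw pressure at 450k entries:", pressure_level(450_000, fw.max_entries))
```

The useful planning number is the product rate x lifetime: shortening the lifetime of half-open or idle entries on whichever device holds the aggregate buys as much headroom as a proportionally larger table, and the `pressure_level` reading is the thing to graph and alert on before the aggregate device, not the hosts behind it, becomes the outage.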