[120942] in North American Network Operators' Group
Re: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (David Hiers)
Wed Jan 6 12:44:22 2010
In-Reply-To: <B52930F1-FB36-47B0-94B1-AE698438FF5B@smtps.net>
Date: Wed, 6 Jan 2010 09:43:36 -0800
From: David Hiers <hiersd@gmail.com>
To: Brian Keefer <chort@smtps.net>
Cc: NANOG list <nanog@nanog.org>
As long as you raise the level of CAIN (Confidentiality,
Availability, Integrity, Non-Repudiation) that your mission requires
and funding permits, you can do it anywhere you like, with whatever
you like, and call it whatever you like.
David
On Wed, Jan 6, 2010 at 9:38 AM, Brian Keefer <chort@smtps.net> wrote:
>
> On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote:
>
>> Like Roland, I've been doing
>> this for over a decade as well, and I have seen some pretty strange
>> things, even a stateful firewall in front of servers with IPS actually
>> work.
>>
>
>
> What do you mean by "work"? If you mean "all three pieces ran for years
> without being seriously attacked", then that's really not the same thing
> as "continued to perform assigned duties effectively in the face of a
> determined DDoS".
>
> I'd venture to say the vast majority of network operators, including
> myself, have never faced a DoS worse than a miscreant kid with a cable
> modem. The few customers I've talked to who have been DDoS'd have all
> said the firewall died first.
>
> It's pretty simple. Of the devices on your network that have to keep
> state, a firewall has to maintain far more of it, since it's the
> aggregate of many down-stream hosts. The resources to maintain state are
> finite. At some point, those finite resources will be exceeded, and that
> will happen to a device holding the aggregate before any other device
> succumbs to the same problem.
>
> If the firewall goes down, that DoS's everything behind it. Is that
> really better than having only a portion of the down-stream hosts
> unavailable?
>
> IMO firewalls have been a crutch for far too long. They're an excuse for
> not having tight host-based security and (more importantly) good
> patch-management. There really isn't a network perimeter any more
> anyway. If any of your hosts gets infected, they're going to attempt to
> infect their neighbors. Worms have been doing this since they were
> invented and a network firewall offers very little protection against
> it.
>
> Put another way: Is it clear that spending money on fancy network
> firewalls and IPS is more effective at mitigating risk than investing
> the same money in patch-management and host-hardening? I don't think so.
>
> I'd also like to add a +1 to the statement "firewalls break things in
> subtle and hard-to-debug ways". The longest support calls are always
> those trying to figure out how the customer's firewall is breaking
> things, and then how to prove this to their $management so they'll
> approve disabling the offending "feature". Speaking of which, there are
> about 700MB of PCAPs that I'm supposed to be looking at right now...
>
> --
> bk
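Editor's note: the state-exhaustion argument in Brian's quoted post (a device holding the aggregate state of many hosts fills its table first, and once full it refuses new flows for everything behind it) can be made concrete with a small simulation. The code below is an added example written for this archive page; it is not from either poster and models no real product. Every number in it (table capacities, attack rate, tick count, idle timeout) is an illustrative assumption, the traffic is constructed inline, and real firewalls have mitigations the toy model omits (SYN cookies or SYN proxying, aggressive half-open aging, per-destination limits). What it does show is the mechanism: a half-open flood aimed at one host saturates the shared table and the collateral damage lands on hosts that were never attacked.

```python
"""Toy model of state-table exhaustion under a half-open flood (added example).

Every tracked flow costs one slot. A stateful device in front of N hosts holds
the aggregate of all their flows, so a flood aimed at ONE host fills its table
first; after that it drops NEW flows for EVERY host behind it. Without the
aggregating device only the targeted host's own table saturates.
All traffic and capacities below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class StateTable:
    name: str
    capacity: int        # max concurrent flow entries (assumed finite)
    idle_timeout: int    # ticks a half-open entry lingers before expiry
    entries: dict = field(default_factory=dict)   # flow key -> last-seen tick
    dropped: int = 0     # new flows refused for want of a slot

    def expire(self, now):
        """Age out entries that have been idle for idle_timeout ticks."""
        stale = [k for k, t in self.entries.items() if now - t >= self.idle_timeout]
        for k in stale:
            del self.entries[k]

    def admit(self, flow, now):
        """Return True if the flow holds (or just got) a slot, else count a drop."""
        if flow in self.entries:
            self.entries[flow] = now
            return True
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[flow] = now
        return True

    def close(self, flow):
        """A completed connection releases its slot."""
        self.entries.pop(flow, None)


def deliver(flow, path, now):
    """Offer the flow to each stateful device on the path, in order.

    Stops at the first full table. Devices earlier on the path keep their
    entry (now half-open), as a firewall in front of a choking host would.
    """
    for tbl in path:
        if not tbl.admit(flow, now):
            return False
    return True


def run(ticks, n_hosts, host_capacity, firewall_capacity, attack_rate, idle_timeout):
    """Run the same constructed traffic with and without a shared firewall table.

    Per tick: one short legitimate connection to each host (admitted, then
    completed), followed by attack_rate spoofed half-open flows at host 0 that
    never complete. Returns legitimate-flow drops per host for both topologies.
    """
    results = {}
    for label, use_fw in (("with_firewall", True), ("without_firewall", False)):
        fw = [StateTable("fw", firewall_capacity, idle_timeout)] if use_fw else []
        hosts = [StateTable(f"host{h}", host_capacity, idle_timeout) for h in range(n_hosts)]
        legit_drops = {h: 0 for h in range(n_hosts)}
        for now in range(ticks):
            for tbl in fw + hosts:
                tbl.expire(now)
            for h in range(n_hosts):                  # legitimate traffic
                flow = ("legit", now, h)
                path = fw + [hosts[h]]
                if not deliver(flow, path, now):
                    legit_drops[h] += 1
                for tbl in path:
                    tbl.close(flow)
            for i in range(attack_rate):              # flood at host 0 only
                deliver(("atk", now, i), fw + [hosts[0]], now)
        results[label] = legit_drops
    return results


if __name__ == "__main__":
    # Assumed sizes: four hosts with 100 slots each (400 aggregate) behind a
    # firewall with 250 slots; 20 half-open flows per tick for 30 ticks.
    for label, drops in run(30, 4, 100, 250, 20, 60).items():
        print(label, drops)
```

With the assumed parameters the host-only topology loses legitimate connections on host 0 alone, while the firewall topology loses the same number on host 0 and additionally drops connections to the three hosts that were never attacked, once the shared table fills around tick 13. Change firewall_capacity to the full aggregate (400) and the collateral drops shrink but do not disappear; the shared table is still the first thing the flood fills.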