[120945] in North American Network Operators' Group
Re: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (Brian Keefer)
Wed Jan 6 16:13:23 2010
From: Brian Keefer <chort@smtps.net>
In-Reply-To: <29A54911243620478FF59F00EBB12F4701B27F3E@ex01.drtel.lan>
Date: Wed, 6 Jan 2010 13:12:24 -0800
To: Brian Johnson <bjohnson@drtel.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 6, 2010, at 11:29 AM, Brian Johnson wrote:
> If your point is given unlimited inbound bandwidth that a stateful
> firewall will fail (not work correctly), I can say that about any piece
> of equipment. And even if it does fail, does it matter if your
> connection is full of useless traffic?
>
It's a lot easier to fill up a state table than to fill up a pipe, which I believe was Roland's point.
It's quite possible to flood the state table on a device with a fraction of the pipe's capacity, in which case a stateful device will fall over where a stateless device would not have. This type of attack will definitely degrade the service it's aimed at, and probably degrade other services sharing the same pipe, but won't _necessarily_ kill them as is the case when a stateful gateway falls over.
Typical scenario is $badguys DDoS one of your webservers. If the gateway is stateless, your webservers grind to a crawl, but your DNS, e-mail, VOIP, etc probably still function to a degree. Contrast that with site-wide outage if your gateway was stateful and crashed/rebooted/refused to pass traffic due to having the state table filled.
You're not going to be able to stop $sophisticated_badguy from enumerating your services no matter how fancy your gear is. Could you detect a distributed portscan that looks at 5000 proto/IP/port combos per day, across your IP space, each probe coming from a different IP? I really doubt it. If you have services listening, someone is going to find them.
IMO you're better off making sure only the services you intend to provide are listening, and that those services are hardened appropriately for public exposure.
This topic has probably run its course; everyone has different opinions and takes away different lessons from their experience. I think it's valuable to challenge the common assumptions (everyone knows you need a stateful firewall!) now and then to make sure they actually make sense.
--
bk
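The "fill the state table with a fraction of the pipe" argument above can be put in numbers. The following model is an added illustration and is not code from this thread or from any firewall vendor; the table size, half-open timeout, frame size and link speed are assumed round numbers, not measurements of any product. It uses Little's law (steady-state entries = arrival rate x hold time) to find the SYN rate that saturates a state table, compares that rate's bandwidth to the link, and then runs a simple discrete-time simulation in which legitimate connection attempts compete with flood SYNs for table slots.

```python
"""State-table exhaustion versus link saturation (added illustration).

Assumptions (not taken from the thread or any real product):
  - half-open entries are held for a fixed timeout and then expire;
  - legitimate attempts are modelled pessimistically as also holding a
    slot for the full timeout;
  - a SYN on the wire costs one minimum-size Ethernet frame.
"""
from collections import deque
from dataclasses import dataclass

SYN_FRAME_BITS = 64 * 8  # minimum Ethernet frame, assumed size of one SYN


@dataclass(frozen=True)
class Gateway:
    table_size: int             # maximum concurrent state-table entries
    half_open_timeout_s: float  # seconds an unanswered SYN entry is kept
    link_bps: float             # pipe capacity in bits per second


def syn_rate_to_fill(gw: Gateway) -> float:
    """SYN/s beyond which half-open entries accumulate faster than they expire.

    By Little's law the steady-state occupancy is rate * timeout, so the
    table is saturated once rate >= table_size / timeout.
    """
    return gw.table_size / gw.half_open_timeout_s


def link_fraction(gw: Gateway, pps: float, frame_bits: int = SYN_FRAME_BITS) -> float:
    """Share of the pipe consumed by `pps` packets of `frame_bits` each."""
    return pps * frame_bits / gw.link_bps


def simulate(gw: Gateway, attack_pps: float, legit_pps: float,
             seconds: float, step: float = 1.0) -> dict:
    """Discrete-time model of a bounded state table under a SYN flood.

    Each step, attack and legitimate SYNs compete for the free slots; when
    there are too few, the free slots are shared in proportion to demand.
    Admitted entries expire half_open_timeout_s later. Returns peak
    occupancy and how many attempts of each kind were refused.
    """
    batches = deque()            # (expiry_time, entries) in admission order
    occupancy = peak = 0
    refused_attack = refused_legit = 0
    t = 0.0
    while t < seconds:
        # expire entries whose timeout has elapsed
        while batches and batches[0][0] <= t:
            occupancy -= batches.popleft()[1]
        free = gw.table_size - occupancy
        want_attack = round(attack_pps * step)
        want_legit = round(legit_pps * step)
        want = want_attack + want_legit
        if want <= free:
            adm_attack, adm_legit = want_attack, want_legit
        else:
            adm_attack = free * want_attack // want   # proportional share
            adm_legit = free - adm_attack
        refused_attack += want_attack - adm_attack
        refused_legit += want_legit - adm_legit
        admitted = adm_attack + adm_legit
        if admitted:
            batches.append((t + gw.half_open_timeout_s, admitted))
            occupancy += admitted
        peak = max(peak, occupancy)
        t += step
    return {
        "peak_occupancy": peak,
        "refused_attack": refused_attack,
        "refused_legit": refused_legit,
        "legit_offered": round(legit_pps * step) * int(seconds / step),
    }


if __name__ == "__main__":
    gw = Gateway(table_size=1_000_000, half_open_timeout_s=30.0, link_bps=1e9)
    fill = syn_rate_to_fill(gw)
    print(f"table saturates at ~{fill:,.0f} SYN/s, "
          f"using {link_fraction(gw, fill):.1%} of a 1 Gbit/s link")
    r = simulate(gw, attack_pps=50_000, legit_pps=100, seconds=60)
    print(f"50k SYN/s is {link_fraction(gw, 50_000):.1%} of the link, yet "
          f"{r['refused_legit']} of {r['legit_offered']} legitimate attempts "
          f"were refused (peak occupancy {r['peak_occupancy']:,})")
```

With the assumed numbers, a flood of about 33,000 SYN/s (under 2% of a gigabit link) is enough to keep the table full; at 50,000 SYN/s (about 2.6% of the link) roughly a third of legitimate connection attempts in the window are refused for every service behind that table, which is the site-wide effect described above. A stateless device forwarding the same 2.6% of link capacity would leave the other services' traffic untouched.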