[121122] in North American Network Operators' Group


RE: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (George Bonser)
Mon Jan 11 00:57:11 2010

Date: Sun, 10 Jan 2010 21:56:14 -0800
In-Reply-To: <91389021-8B52-49BA-880E-577570287716@smtps.net>
From: "George Bonser" <gbonser@seven.com>
To: "Brian Keefer" <chort@smtps.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> > And I don't believe anyone is necessarily advocating exposing individual
> > servers directly to the internet either.
>
> Actually, some of us are.

That can be difficult to do when you have maybe 300 or 400 servers that
handle one service.  Let's say you have a site called www.foobar.com and
you have several hundred servers on the front end that handle that
domain.  You aren't going to put several hundred A records in DNS; at
least I hope you aren't.  One would probably have a load balancer of
some sort in front of those machines.  That is the device that would be
fielding any DoS.


> > There are other devices that
> > can handle isolation of the servers and protect them against such things
> > as syn floods.
>
> What is the point of that when the servers can do it themselves?

I have a feeling you are talking about relatively small amounts of
traffic.



