[121123] in North American Network Operators' Group
Re: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Mon Jan 11 01:16:19 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Mon, 11 Jan 2010 06:15:35 +0000
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE081F71E6@RWC-EX1.corp.seven.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 11, 2010, at 12:56 PM, George Bonser wrote:
> One would probably have a load balancer of some sort in front of those m=
achines. That is the device that would be fielding any DoS.
Yes, and as you've noted previously, it should be protected via stateless A=
CLs in hardware capable of handling mpps, S/RTBH, flow-spec, IDMS, whatever=
. And of course the load-balancer should also be fronted by a reverse-prox=
y cache farm, if the servers in question are Web servers.
> I have a feeling you are talking about relatively small amounts of traffi=
c. =20
I believe that these comments were more along the lines of 'servers can bet=
ter handle this that stateful firewalls', not ruling out the use of load-ba=
lancers, reverse-proxy caches, etc. as appropriate.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
