[171165] in North American Network Operators' Group


Re: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sun Apr 20 10:05:07 2014

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Sun, 20 Apr 2014 14:04:28 +0000
In-Reply-To: <3F1DEC33DC0C274C99B16F166A25DF75CDB0B941@aucbr1ex1.ahq.net.au>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Apr 20, 2014, at 8:52 PM, Seamus Ryan <s.ryan@uber.com.au> wrote:

> Similarly if most of the time I just need to protect my relatively simple network by implementing a few separate zones I will get a firewall, I'm not going to deploy expensive stateless devices that can push a billion pps everywhere and send flow stats to expensive DDoS mitigation hardware *cough* arbor *cough* just so I can protect against an attack that may only happen a few times a year.

I'm talking about stateless ACLs on hardware-based routers and switches for enforcing network access policies - nothing to do with Arbor.  Arbor doesn't make routers or switches.

Stateful firewalls make servers far more vulnerable to DDoS (and to compromise, for that matter; they broaden the attack surface amazingly) than they would be without deploying stateful firewalls.  Vendors of commercial DDoS mitigation solutions [full disclosure:  I work for a vendor of such solutions] who wish to drum up business should be *encouraging* organizations to deploy stateful firewalls, not discouraging them from doing so.

Anyone who knows me knows that I do *not* violate NANOG rules (or the rules of any other community list) by pushing commercial solutions.  What I advocate is for folks to avoid spending extra money and time and effort in order to negatively impact their security posture, and instead utilize their existing investments in network infrastructure devices to enforce network access policies via stateless ACLs, as well as to deploy reaction/mitigation tools such as S/RTBH and flowspec.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
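As an added illustration of the stateless-ACL approach the message above argues for (example code written for this archive page; it is not from the thread, from Arbor, or from any router vendor), the Python below models an IPv6 access list applied inbound on a router interface toward a server segment. Each packet is judged on its own header fields with no connection table, which is exactly the property being contrasted with stateful firewalls. The `established` rule option is modelled on the IOS-style keyword of that name (match only when the TCP ACK or RST bit is set); the prefix 2001:db8:1::/64, the rule set and the sample packets are all constructed for the example.

```python
"""Stateless IPv6 ACL evaluator (added example; not code from the NANOG thread).

Models an access list applied inbound on a router interface facing a server
segment. Every packet is evaluated in isolation: there is no connection
table, so nothing accumulates per flow. The 'established' option mimics the
classic stateless approximation of return traffic by matching only when the
TCP ACK or RST bit is set. 2001:db8:1::/64 is a constructed documentation
prefix, and the sample packets below are constructed, not captured.
"""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple

# TCP flag bits as laid out in the TCP header
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None
    tcp_flags: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmpv6" or "any"
    src: IPv6Network
    dst: IPv6Network
    dport: Optional[int] = None
    established: bool = False      # IOS-style 'established': ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.tcp_flags & (TCP_ACK | TCP_RST)):
            return False
        return True


def build_policy() -> List[Rule]:
    """Inbound ACL toward the server segment (constructed example policy)."""
    anyv6 = ip_network("::/0")
    servers = ip_network("2001:db8:1::/64")
    return [
        Rule("permit", "tcp", anyv6, servers, dport=443),         # public HTTPS service
        Rule("permit", "tcp", anyv6, servers, established=True),  # replies to server-initiated TCP sessions
        Rule("permit", "icmpv6", anyv6, servers),                 # ND and PMTUD; never blocked wholesale in v6
        Rule("deny", "any", anyv6, anyv6),                        # explicit final deny
    ]


def evaluate(policy: List[Rule], p: Packet) -> Tuple[str, int]:
    """First-match semantics, as on a router ACL. Returns (action, rule index)."""
    for i, rule in enumerate(policy):
        if rule.matches(p):
            return rule.action, i
    return "deny", -1              # implicit deny when nothing matched


def run_acl(policy: List[Rule], packets: List[Packet]) -> Tuple[List[str], List[int]]:
    """Apply the ACL packet by packet and keep per-rule hit counters, the
    'show access-list' style numbers a defender watches for policy drift."""
    verdicts, hits = [], [0] * len(policy)
    for p in packets:
        action, idx = evaluate(policy, p)
        verdicts.append(action)
        if idx >= 0:
            hits[idx] += 1
    return verdicts, hits


# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = [
    Packet("2001:db8:ffff::10", "2001:db8:1::80", "tcp", 443, TCP_SYN),    # new HTTPS session
    Packet("2001:db8:ffff::10", "2001:db8:1::80", "tcp", 22, TCP_SYN),     # SSH from outside: not in policy
    Packet("2001:db8:ffff::53", "2001:db8:1::80", "tcp", 40000, TCP_ACK),  # reply to server's outbound TCP
    Packet("2001:db8:ffff::53", "2001:db8:1::80", "udp", 40000),           # UDP reply: no flag bits to key on
    Packet("fe80::1", "2001:db8:1::80", "icmpv6"),                         # neighbor discovery
]

if __name__ == "__main__":
    verdicts, hits = run_acl(build_policy(), SAMPLE_PACKETS)
    for p, v in zip(SAMPLE_PACKETS, verdicts):
        print(f"{v:6} {p.proto:6} {p.src} -> {p.dst} dport={p.dport}")
    print("rule hit counts:", hits)
```

Two things the run makes visible. The fourth packet, a UDP reply to a session the server opened, is dropped because a stateless filter has no flag bit to recognise it by; that is the kind of gap a stateless policy has to close explicitly (or accept) rather than by tracking flows. And `established` is deliberately coarse: it passes any ACK-bearing TCP segment to the servers, which is why the message pairs stateless ACLs with reaction tools such as S/RTBH and flowspec instead of expecting the ACL alone to absorb an attack.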


