[171166] in North American Network Operators' Group
RE: Requirements for IPv6 Firewalls
daemon@ATHENA.MIT.EDU (Seamus Ryan)
Sun Apr 20 11:26:23 2014
From: Seamus Ryan <s.ryan@uber.com.au>
To: "'Dobbins, Roland'" <rdobbins@arbor.net>, "'nanog@nanog.org'"
<nanog@nanog.org>
Date: Sun, 20 Apr 2014 13:52:27 +0000
In-Reply-To: <0CFB0993-B486-451D-BF22-C7309E3406AC@arbor.net>
Every time I see a Firewall related thread on one of the *NOG lists I count how many replies Roland will make before posting his State of Danger presentation.
We got to 10 this time :-)
FYI not having a go here Roland, it's a very insightful, interesting and well put together preso that I have forwarded on many times! I totally agree with the better part of it.
However....
While ACLs on stateless devices in the right place (routers/switches etc.) are certainly the way to protect against "a 3mb/sec of spoofed SYN-flooding taking down a supposedly 20gb/sec stateful firewall", the truth is that if I spend all day every day chopping wood, I would probably buy an electric saw. But if I only hammer two pieces of wood together a few times a year, I'm not going to waste my money on a nail gun, I would probably just get a hammer.
Similarly if most of the time I just need to protect my relatively simple network by implementing a few separate zones I will get a firewall, I'm not going to deploy expensive stateless devices that can push a billion pps everywhere and send flow stats to expensive DDoS mitigation hardware *cough* arbor *cough* just so I can protect against an attack that may only happen a few times a year. If you're the type of enterprise that IS seeing those types of attacks on a regular basis, unless they only started in the last few weeks the chances are you already know who the DDoS mitigation players are and how to implement them correctly (if not pre-sales aren't doing their job right!).
That's how I see it anyhow. The right tool for the right job... though in most cases you still need the whole toolbox.
Regards,
Seamus
Thoughts are entirely my own
-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins@arbor.net]
Sent: Saturday, 19 April 2014 12:11 PM
To: nanog@nanog.org
Subject: Re: Requirements for IPv6 Firewalls
On Apr 19, 2014, at 9:04 AM, Jeff Kell <jeff-kell@utc.edu> wrote:
> It's how we provide access control.
Firewalls <> 'access control'.
Firewalls are one (generally, very poor and grossly misused) way of providing access control. They're often wedged in where stateless ACLs in hardware-based routers and/or layer-3 switches would do a much better job, such as in front of servers:
<https://app.box.com/s/a3oqqlgwe15j8svojvzl>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
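The point both messages turn on (a stateful firewall keeps a per-connection table that a low-rate spoofed SYN flood can fill, while a stateless ACL makes the same permit/deny decision from header fields alone and has no table to exhaust) is easy to see in a toy model. The following simulation is an added illustration, not code from either poster or from any vendor product; the state-table size, the constructed 2001:db8::/32 documentation addresses and the packet rate are assumptions chosen only to make the failure mode visible.

```python
"""Toy model of stateless ACL vs. stateful firewall under a spoofed SYN flood.

Added illustration (not from the mailing-list thread). All addresses use the
2001:db8::/32 documentation prefix and are constructed for the example.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv6 address
    dst: str        # destination IPv6 address
    dport: int      # destination TCP port
    syn: bool       # SYN flag set (new connection attempt)


class StatelessAcl:
    """Hardware-style ACL: the verdict depends only on the packet's header.

    There is no per-flow memory, so nothing a flood does can change how
    later packets are judged.
    """

    def __init__(self, allowed_ports):
        self.allowed = frozenset(allowed_ports)

    def process(self, pkt: Packet) -> bool:
        return pkt.dport in self.allowed


class StatefulFirewall:
    """Simplified stateful device: every accepted SYN consumes a table slot.

    max_states is an assumed capacity; real devices also age entries out,
    but a flood that arrives faster than entries expire has the same effect.
    """

    def __init__(self, allowed_ports, max_states: int):
        self.allowed = frozenset(allowed_ports)
        self.max_states = max_states
        self.table = set()          # keys: (src, dst, dport)

    def process(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.table:        # existing flow: pass by state match
            return True
        if not pkt.syn or pkt.dport not in self.allowed:
            return False             # non-SYN without state, or policy deny
        if len(self.table) >= self.max_states:
            return False             # table exhausted: new flows are dropped
        self.table.add(key)          # spoofed or not, the SYN takes a slot
        return True


def random_ipv6(rng: random.Random) -> str:
    """Constructed random source inside 2001:db8::/32 (spoofed-source model)."""
    return "2001:db8:" + ":".join(f"{rng.randrange(1 << 16):x}" for _ in range(6))


def run_scenario(spoofed_syns: int, max_states: int, seed: int = 1) -> dict:
    """Replay a flood of spoofed SYNs, then test whether a legitimate client
    can still open a connection through each device."""
    rng = random.Random(seed)
    server = "2001:db8::80"
    acl = StatelessAcl({443})
    fw = StatefulFirewall({443}, max_states)

    for _ in range(spoofed_syns):
        flood = Packet(src=random_ipv6(rng), dst=server, dport=443, syn=True)
        acl.process(flood)
        fw.process(flood)

    legit = Packet(src="2001:db8:1::10", dst=server, dport=443, syn=True)
    return {
        "acl_accepts_legit": acl.process(legit),
        "fw_accepts_legit": fw.process(legit),
        "fw_states_used": len(fw.table),
    }


if __name__ == "__main__":
    print("quiet:", run_scenario(spoofed_syns=10, max_states=1000))
    print("flood:", run_scenario(spoofed_syns=10_000, max_states=1000))
```

The quiet run shows both devices admitting the legitimate client; the flood run shows the ACL unchanged while the firewall's table sits at capacity and the real client's SYN is refused. That is the asymmetry Seamus quotes ("3mb/sec ... taking down a supposedly 20gb/sec stateful firewall"): the cost to the attacker is one small packet per table slot, independent of the device's forwarding throughput.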