[171215] in North American Network Operators' Group


RE: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (Eric Wieling)
Tue Apr 22 14:16:29 2014

From: Eric Wieling <EWieling@nyigc.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>, "nanog@nanog.org" <nanog@nanog.org>
Date: Tue, 22 Apr 2014 14:16:18 -0400
In-Reply-To: <46E462F4-B382-4948-99BB-57B9700CC987@arbor.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

It seems to me you are saying we should get rid of firewalls and rely on applications' network security.

This is so utterly idiotic I must be misunderstanding something. There are a few things we can count on in life: death, taxes, and application developers leaving giant security holes in their applications.

-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins@arbor.net]
Sent: Saturday, April 19, 2014 12:10 AM
To: nanog@nanog.org
Subject: Re: Requirements for IPv6 Firewalls

You can 'call' it all you like - but people who actually want to keep their servers up and running don't put stateful firewalls in front of them, because it's very easy to knock them over due to state exhaustion. In fact, it's far easier to knock them over than to knock over properly-tuned naked hosts.

Also, you might want to search the NANOG email archive on this topic. There's lots of previous discussion, which boils down to the fact that serious organizations running serious applications/services don't put stateful firewalls (or 'IPS', or NATs, et al.) in front of their servers.

The only way to secure hosts/applications/services against compromise is via those hosts/applications/services themselves. Inserting stateful middleboxes doesn't actually accomplish anything to enhance confidentiality and integrity, actually increases the attack surface due to middlebox exploits (read the numerous security notices for various commercial and open-source stateful firewalls for compromise exploits), and has a negative impact on availability.
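The state-exhaustion argument in the quoted message, modelled as an added example that is not part of either poster's text: a stateful device holds one table entry per flow until it completes or times out, so a stream of spoofed half-open connections fills the table and legitimate flows are then refused. The capacity, rates and timeouts are constructed for illustration, and the SYN-cookie case (a host that keeps no half-open state) is my own stand-in for the "properly-tuned naked host" the email mentions, not a technique the email names.

```python
"""Constructed model of connection-state exhaustion in a stateful middlebox.

Each tracked flow holds one table entry until it completes or times out, so a
flood of spoofed half-open connections fills the table and new legitimate flows
are refused.  Capacity, rates and timeouts below are illustrative, not measured.
"""
from collections import deque


class StateTable:
    def __init__(self, capacity, established_timeout, half_open_timeout, syn_cookies=False):
        self.capacity = capacity
        self.timeouts = {"half_open": half_open_timeout, "established": established_timeout}
        # One FIFO of expiry times per kind; a constant timeout per kind keeps each sorted.
        self.queues = {"half_open": deque(), "established": deque()}
        self.syn_cookies = syn_cookies  # host-side defence: no state kept for half-open flows
        self.admitted_legit = 0
        self.refused_legit = 0

    def size(self):
        return sum(len(q) for q in self.queues.values())

    def expire(self, now):
        for q in self.queues.values():
            while q and q[0] <= now:
                q.popleft()

    def add(self, now, kind, legit):
        if kind == "half_open" and self.syn_cookies:
            return True  # handshake state is encoded in the SYN-ACK, nothing is stored
        if self.size() >= self.capacity:
            self.refused_legit += int(legit)
            return False
        self.queues[kind].append(now + self.timeouts[kind])
        self.admitted_legit += int(legit)
        return True


def simulate(capacity, half_open_timeout, flood_rate, legit_rate=20, seconds=60, syn_cookies=False):
    """Return (legitimate flows admitted, legitimate flows refused) over the run."""
    table = StateTable(capacity, 300, half_open_timeout, syn_cookies)
    for now in range(seconds):
        table.expire(now)
        for _ in range(flood_rate):  # spoofed SYNs whose handshake never completes
            table.add(now, "half_open", legit=False)
        for _ in range(legit_rate):  # real clients whose entry lives for the session
            table.add(now, "established", legit=True)
    return table.admitted_legit, table.refused_legit


if __name__ == "__main__":
    print("30 s half-open timeout, 500 SYN/s :", simulate(10_000, 30, 500))
    print("5 s half-open timeout, 500 SYN/s  :", simulate(10_000, 5, 500))
    print("5 s half-open timeout, 2000 SYN/s :", simulate(10_000, 5, 2000))
    print("SYN cookies, 2000 SYN/s           :", simulate(10_000, 5, 2000, syn_cookies=True))
```

Shortening the half-open timeout only moves the threshold (it takes a larger flood to fill the same table), whereas a host that keeps no half-open state admits every legitimate flow regardless of flood rate, which is the availability point the email makes.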
