[171217] in North American Network Operators' Group


RE: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (Brian Johnson)
Tue Apr 22 14:55:37 2014

From: Brian Johnson <bjohnson@drtel.com>
To: Eric Wieling <EWieling@nyigc.com>, "Dobbins, Roland" <rdobbins@arbor.net>, 
 "nanog@nanog.org" <nanog@nanog.org>
Date: Tue, 22 Apr 2014 18:55:03 +0000
In-Reply-To: <616B4ECE1290D441AD56124FEBB03D0818EB7AE0B9@mailserver2007.nyigc.globe>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Eric,

If you read what he posted and really believe that is what he is saying, you need to re-think your career decision. It is obvious that he is not saying that.

I hate it when threads break down to this type of tripe and ridiculous restatement of untruths.

- Brian

> -----Original Message-----
> From: Eric Wieling [mailto:EWieling@nyigc.com]
> Sent: Tuesday, April 22, 2014 1:16 PM
> To: Dobbins, Roland; nanog@nanog.org
> Subject: RE: Requirements for IPv6 Firewalls
>
> It seems to me you are saying we should get rid of firewalls and rely on
> applications network security.
>
> This is so utterly idiotic I must be misunderstanding something. There are a
> few things we can count on in life, death, taxes, and application developers
> leaving giant security holes in their applications.
>
> -----Original Message-----
> From: Dobbins, Roland [mailto:rdobbins@arbor.net]
> Sent: Saturday, April 19, 2014 12:10 AM
> To: nanog@nanog.org
> Subject: Re: Requirements for IPv6 Firewalls
>
> You can 'call' it all you like - but people who actually want to keep their
> servers up and running don't put stateful firewalls in front of them, because
> it's very easy to knock them over due to state exhaustion. In fact, it's far
> easier to knock them over than to knock over properly-tuned naked hosts.
>
> Also, you might want to search the NANOG email archive on this topic.
> There's lots of previous discussion, which boils down to the fact that serious
> organizations running serious applications/services don't put stateful
> firewalls (or 'IPS', or NATs, et al.) in front of their servers.
>
> The only way to secure hosts/applications/service against compromise is via
> those hosts/applications/services themselves. Inserting stateful
> middleboxes doesn't actually accomplish anything to enhance confidentiality
> and integrity, actually increases the attack surface due to middlebox exploits
> (read the numerous security notices for various commercial and open-source
> stateful firewalls for compromise exploits), and has a negative impact on
> availability.
>
>


