[171224] in North American Network Operators' Group
Re: Requirements for IPv6 Firewalls
daemon@ATHENA.MIT.EDU (Doug Barton)
Tue Apr 22 18:28:47 2014
Date: Tue, 22 Apr 2014 15:28:08 -0700
From: Doug Barton <dougb@dougbarton.us>
To: George Herbert <george.herbert@gmail.com>
In-Reply-To: <CAK__KzuFtmTksh_PQt+1ZVVFS5MWAMigFtgsKyKb8q=E-rH8vA@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 04/22/2014 01:49 PM, George Herbert wrote:
> As long as the various stateful firewalls and IDS systems offer hostile
> action detection and blocking capabilities that raw webservers lack,
> there are certainly counterarguments to the "port filter only" approach
> being advocated here.
Right, but now you're talking about something other than just a firewall.
> Focusing only on DDOS prevention from one narrow range of attack vectors
> targeting the firewalls themselves is narrow-minded. The security threat
> envelope is pretty wide. Vulnerabilities of similar nature exist on the
> webservers themselves, and on load balancer devices you will likely need
> anyways.
Again, sure, but removing a needless firewall from the equation is one
less thing to worry about.
> Any number of enterprises have chosen that if a DDOS or other advanced
> attack is going to be successful, to let that be successful in bringing
> down a firewall on the external shell of the security envelope rather
> than having penetrated to the servers level.
And if they are making that choice proactively who am I to argue? I
disagree, but their network, their rules.
What usually happens though is that enterprises believe that the
firewall will protect them, without understanding that it can actually
create a SPOF instead.
> Smart design can also handle transparently failing over should such a
> vendor-specific attack succeed. The idea that anyone doing real, big
> complex networks would or has to accept any SPOF is ludicrous. The
> question is, how important is avoiding SPOFs, and how committed you are.
> If the answer is "absolutely must, and we have enough budget to do so"
> then it's entirely doable.
Of course.
Doug
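The "port filter only" approach argued over in this exchange, modelled as a runnable stateless policy. This is an added example written for this archive page, not code from Doug Barton, George Herbert or NANOG; the served ports, the `Packet` shape and the sample packets are constructed for illustration. It shows what a filter that keeps no connection table can and cannot decide, and it keeps the ICMPv6 types that IPv6 needs for neighbor discovery and path MTU discovery (a minimal subset of the "must not drop" list in RFC 4890), since an IPv6 filter that drops all ICMPv6 breaks the hosts behind it.

```python
"""Stateless IPv6 "port filter only" policy, modelled in Python.

Added example for the thread above, not the original post's code.
Every packet below is constructed sample input, not a capture.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Minimal subset of ICMPv6 types an IPv6 filter must not drop (RFC 4890
# section 4.3): error messages 1-4 (Packet Too Big drives PMTUD), echo
# 128/129, and Neighbor Discovery 133-136 on the local link.
REQUIRED_ICMPV6 = {1, 2, 3, 4, 128, 129, 133, 134, 135, 136}

# Services the web server exposes. Assumed for the example.
OPEN_TCP_PORTS = {80, 443}

TCP = 6      # IPv6 next-header value for TCP
UDP = 17     # IPv6 next-header value for UDP
ICMPV6 = 58  # IPv6 next-header value for ICMPv6


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" (toward the server) or "out"
    proto: int                      # IPv6 next-header value
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. {"SYN"}, {"SYN","ACK"}
    icmp_type: Optional[int] = None


def decide(pkt: Packet) -> str:
    """Return "accept" or "drop" using only the fields of this one packet.

    No connection table is consulted. That is what makes the filter
    stateless: there is nothing to exhaust, so it cannot become the
    single point of failure a stateful box can. The cost is that a
    crafted packet with sport 443 and ACK set looks like a reply; the
    server's own TCP stack is what actually tracks the connection.
    """
    if pkt.proto == ICMPV6:
        return "accept" if pkt.icmp_type in REQUIRED_ICMPV6 else "drop"
    if pkt.proto == TCP:
        if pkt.direction == "in":
            # Anything addressed to a served port is let through.
            return "accept" if pkt.dport in OPEN_TCP_PORTS else "drop"
        if pkt.direction == "out":
            # Replies leave from a served port. Refuse a bare SYN leaving
            # from such a port so the server cannot originate connections
            # through the hole meant for its answers.
            if pkt.sport in OPEN_TCP_PORTS and pkt.tcp_flags != frozenset({"SYN"}):
                return "accept"
            return "drop"
    # UDP and everything else: not served here.
    return "drop"


# Constructed sample traffic (not captured).
SAMPLE_PACKETS: List[Packet] = [
    Packet("in", TCP, sport=51000, dport=443, tcp_flags=frozenset({"SYN"})),
    Packet("out", TCP, sport=443, dport=51000, tcp_flags=frozenset({"SYN", "ACK"})),
    Packet("in", TCP, sport=51001, dport=22, tcp_flags=frozenset({"SYN"})),
    Packet("in", ICMPV6, icmp_type=2),      # Packet Too Big: needed for PMTUD
    Packet("in", ICMPV6, icmp_type=135),    # Neighbor Solicitation
    Packet("in", ICMPV6, icmp_type=100),    # private experimentation type
    Packet("in", UDP, sport=53, dport=53),
]


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count accept/drop verdicts over a list of packets."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        counts[decide(pkt)] += 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{decide(pkt):6}  {pkt}")
    print(summarize(SAMPLE_PACKETS))
```

The same policy written as an ACL on a router or as stateless nftables rules has the same shape: a handful of match-on-header lines and nothing to keep per flow. That is the trade being argued above: no state to exhaust, but also no place to do the hostile-action detection a stateful device or IDS adds.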