[171225] in North American Network Operators' Group


Re: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (Lukasz Bromirski)
Tue Apr 22 18:51:45 2014

From: Lukasz Bromirski <lukasz@bromirski.net>
In-Reply-To: <CAK__KzuFtmTksh_PQt+1ZVVFS5MWAMigFtgsKyKb8q=E-rH8vA@mail.gmail.com>
Date: Wed, 23 Apr 2014 00:50:57 +0200
To: George Herbert <george.herbert@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 22 Apr 2014, at 22:49, George Herbert <george.herbert@gmail.com> wrote:

> Any number of enterprises have chosen that if a DDOS or other advanced
> attack is going to be successful, to let that be successful in bringing
> down a firewall on the external shell of the security envelope rather than
> having penetrated to the servers level.

And I don’t think there’s a problem with that approach.

The problem starts when those anonymous enterprises “silently” expect
that:

a) the firewall will somehow magically defend the network, scrub the
   “bad” traffic and let good traffic pass (“that’s why we’ve paid for
   a state of the art firewall, right?!”)
b) the firewall will fail gracefully, taking down all services and
   leaving a real hole in the transport, rather than jabbing some packets
   here and there, maybe malformed, maybe parts of different connections
   crammed into wrong headers… until reboot; and the reboot may also not
   be totally transparent, as links will go up, down, init, and so on
c) insert your own horror story here

…and using those assumptions to advocate for a stateful firewall
everywhere.

If you’re aware of those assumptions, and you’re aware of the
constraints we’re facing with actually developing a working edge defence
for the network, you’ll be advocating anyway for the creation of a
funnel: stateless first lines of defense, taking care of all the trash
that can come from the internet, and rate-limiting the traffic that
seems to be legitimate once it exceeds certain thresholds. And at that
point a stateful firewall may not be needed anymore, because the service
itself can scale better.

Nowadays, enterprise networks are picking up best practices from SPs,
where scale does matter and networks are built to actually have those
characteristics. Anycast DNS is often found in enterprise networks,
as well as other anycasted services (usually in a “shared IP” model):
mail, web, AAA and other services.

The same goes for actually protecting the internet edge. How often
is your network being DDoSed? Be it 300kpps or 5Mpps, how will your
stateful firewall at the edge deal with it?

And by the way, when we’re speaking about internet-visible services:
how many stateful firewalls defend www.google.com? Or www.amazon.com?
Or OpenDNS servers? Or 8.8.8.8/8.8.4.4? I bet none. But I would love
to hear from the people maintaining them.

-- 
"There's no sense in being precise when |               Łukasz Bromirski
 you don't know what you're talking     |      jid:lbromirski@jabber.org
 about."               John von Neumann |    http://lukasz.bromirski.net

