[177933] in North American Network Operators' Group
Re: Dynamic routing on firewalls.
daemon@ATHENA.MIT.EDU (Patrick Tracanelli)
Mon Feb 9 09:56:47 2015
X-Original-To: nanog@nanog.org
From: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
In-Reply-To: <211781.1423491256@turing-police.cc.vt.edu>
Date: Mon, 9 Feb 2015 12:56:37 -0200
To: Valdis.Kletnieks@vt.edu
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On 09/02/2015, at 12:14, Valdis.Kletnieks@vt.edu wrote:
>
> On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
>
>> On a bridged firewall you can have the behavior you want, whatever it is. Passing packets while the firewall is down, but the box still up.
>
> Owen's point is that passing packets if the firewall is down is really poor security-wise. If you run in that configuration, I simply DoS your firewall (probably from one set of IP addresses), and then once it has fallen over and is being bypassed, I send my *real* malicious traffic from some other IP address, totally uninspected and unhindered. Much hilarity, hijinks, and pwnage ensues.
Hello Valdis,

If this is really the point, I don't know what system you are talking about that will behave like that. If I run a closed firewall, kernel-path, and it's unable to process, and therefore "allow", the traffic, it will drop. If I run netmap-ipfw and it's unable to move the packet from one port to the other, it will drop. So there's no point where a bridge implies traffic bypass upon starvation/exhaustion, unless this is your option to do so, or a default system behavior, in which case it is a system that should not act for this purpose.

If I remember well (and I remember some effusive expressions like "L2 functions easily enabled at scale on a Junos Trio system"), on a Juniper box bridging is processed on the Trio chip, even without IRB set up, as well as the firewall (limited matching conditions in a bridged domain). If you can exhaust Trio with your DoS approach (and the idea is that you can't exhaust it without exhausting line rate first), you will have no bridging anyway, since L2 learning and forwarding will also be resource starved.

But this is all just theoretical; as I mentioned, you will probably reach the line rate limit first if the box is not configured wrong or wrongly planned.
--
Patrick Tracanelli
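The two positions in this exchange are a question of what a bridged firewall does when its inspection engine is starved: forward uninspected (fail-open) or drop (fail-closed). The following is an added illustration, not code from the thread or from any firewall mentioned in it. It models a bridge with a fixed per-tick inspection budget and replays the scenario Valdis describes (a flood from one source, then a malicious packet from another); the flood source, the attacker address and the budget are constructed values.

```python
"""Fail-open vs fail-closed forwarding when the inspection engine is starved.

Added illustration only; it is not code from the NANOG thread, from ipfw,
netmap-ipfw or any Juniper platform. Addresses are from RFC 5737 TEST-NET
ranges and the inspection budget is an arbitrary constructed number.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    malicious: bool = False


@dataclass
class BridgeFirewall:
    fail_closed: bool            # True: drop when starved; False: bypass inspection
    budget: int                  # inspections the engine can afford per tick
    forwarded: list = field(default_factory=list)             # inspected and allowed
    forwarded_uninspected: list = field(default_factory=list) # passed without inspection
    dropped: list = field(default_factory=list)
    _used: int = 0

    def new_tick(self) -> None:
        """Reset the per-tick inspection budget."""
        self._used = 0

    def inspect(self, pkt: Packet) -> bool:
        """Stand-in for the real rule set: allow only packets not flagged malicious."""
        return not pkt.malicious

    def handle(self, pkt: Packet) -> None:
        if self._used < self.budget:
            # Engine still has capacity: inspect and act on the verdict.
            self._used += 1
            if self.inspect(pkt):
                self.forwarded.append(pkt)
            else:
                self.dropped.append(pkt)
            return
        # Engine starved: this is the decision the thread is arguing about.
        if self.fail_closed:
            self.dropped.append(pkt)
        else:
            self.forwarded_uninspected.append(pkt)


def run_scenario(fail_closed: bool, flood: int = 50, budget: int = 10) -> dict:
    """Flood from one source, then one malicious packet from another, within one tick.

    Returns counters so the two policies can be compared directly.
    """
    fw = BridgeFirewall(fail_closed=fail_closed, budget=budget)
    fw.new_tick()
    for _ in range(flood):
        fw.handle(Packet(src="203.0.113.7"))                 # constructed flood source
    fw.handle(Packet(src="198.51.100.9", malicious=True))    # constructed attacker source
    bypassed = [p for p in fw.forwarded_uninspected if p.malicious]
    return {
        "forwarded": len(fw.forwarded),
        "uninspected": len(fw.forwarded_uninspected),
        "dropped": len(fw.dropped),
        "malicious_bypassed": len(bypassed),
    }


if __name__ == "__main__":
    print("fail-open:  ", run_scenario(fail_closed=False))
    print("fail-closed:", run_scenario(fail_closed=True))
```

With the constructed budget of 10 and a flood of 50, the fail-open box forwards 41 packets uninspected, including the malicious one, while the fail-closed box drops those same 41 and the malicious packet never crosses the bridge. That is the property a bridged firewall needs to preserve under exhaustion: availability may degrade, but the box must not become a transparent wire.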