Firewall Wizards mailing list archives
Re: Botnets, IRC servers and firewalls?
From: Paul Robertson <proberts () patriot net>
Date: Tue, 3 Feb 2004 18:49:26 -0500 (EST)
On Tue, 3 Feb 2004, Abe Singer wrote:
> [ And Abe arises from the mire where he has been silently lurking to say: ]
[Darned mired lurkers with too many cool toys at work...]
> Where are the numbers that show the impact of egress filtering on a router? I have heard this same argument many times. Several networking people have directly told me this, and said that there are numbers to back it up, but have repeatedly failed to provide those numbers. I'm starting to wonder if this isn't just an urban legend.
It is- especially if you do permits for the "approved" and voluminous traffic first in the list. We got the same arguments for ingress filtering, but it seems most folks are over that hurdle now (you should have seen when we made it a requirement for our risk management customers initially!) The legend must die- IOS is much better than it ever was, and as Daniel Hartmeier pointed out here last year sometime, stateful firewalls are blazingly fast doing state lookups- there's no good reason that some portion of the routing/firewalling infrastructure shouldn't be handling egress traffic policy. Personally, I always preferred to have application gateways that were the only boxes *allowed* to speak outside the network- made my filtering rules so much easier. If you're not talking HTTP to the HTTP proxy, or your proprietary gateway isn't talking SMTP to the SMTP proxy, it's not going out unless it's my internal nameserver talking to my external nameserver...
> If anyone has them, I'd love to see them. Forgive me if this has been discussed on fw-wiz in the past, and if so just point me at the articles and I'll read 'em myself.
> [ And Abe sinks back down into the mire to ponder more trivial things ]
Router and firewall performance stats are a black hole- it's easy to skew the numbers. IOS has come a long way in fast switching in the last few years though- and I think that was lost on a lot of people. If you start with permits for traffic to the default Web port and SSL port, and your internal nameservers, you're 90% of the way there, and the router's going to do just fine. Spread the load back to earlier routers, or between the router and the firewall, and you'll do even better... </soapbox>

Paul

-----------------------------------------------------------------------------
Paul D. Robertson           "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
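As an added illustration (not part of Paul's message), here is what his two points look like as a single IOS egress ACL: the high-volume permits (web, SSL, internal-to-external DNS) come first so the bulk of packets match early, and only the application gateways are allowed to talk outside, with everything else denied and logged. All addresses are hypothetical (RFC 5737 documentation ranges) and the interface name is a placeholder; the named-ACL syntax is standard extended IOS.

```cisco
! Egress policy applied outbound on the external interface (added example).
! Hypothetical hosts: 192.0.2.10 = HTTP/HTTPS proxy, 192.0.2.25 = SMTP gateway,
! 192.0.2.53 = internal nameserver, 198.51.100.53 = external nameserver.
ip access-list extended EGRESS-OUT
 remark -- voluminous, approved traffic first: web and SSL from the proxy only
 permit tcp host 192.0.2.10 any eq 80
 permit tcp host 192.0.2.10 any eq 443
 remark -- internal nameserver may speak only to the external nameserver
 permit udp host 192.0.2.53 host 198.51.100.53 eq 53
 permit tcp host 192.0.2.53 host 198.51.100.53 eq 53
 remark -- mail leaves only via the SMTP gateway
 permit tcp host 192.0.2.25 any eq 25
 remark -- anything else (including bots on workstations trying to reach IRC)
 remark -- never leaves; the log entries are what you watch for infections
 deny   ip any any log
!
interface Serial0/0
 description placeholder: the upstream link
 ip access-group EGRESS-OUT out
```

Because the permits precede the catch-all deny, the common case is resolved in the first two or three lines; the `log` keyword on the deny turns the egress ACL into an inexpensive detector for internal hosts that bypass the proxies.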