Full Disclosure mailing list archives
Re: Sony: No firewall and no patches
From: phocean <0x90 () phocean net>
Date: Wed, 11 May 2011 19:09:00 +0200
Le mercredi 11 mai 2011 à 16:49 +0000, Dobbins, Roland a écrit :
On May 11, 2011, at 10:03 PM, phocean wrote:- DDoS : anyway, a firewall isn't more susceptible to DoS than the server it protects. If you look at the hardware performance of modern firewalls, if an attacker has the ability to DoS it, then only a considerable server farm that very few companies can afford will be able to sustain it.My operational experience, including that acquired during my tenure working for the world's largest manufacturer of firewalls by units shipped, contradicts this statement.
Can you develop? I still don't see how the hell the typical web server will handle as much traffic as one of these Checkpoint, Cisco or whatever monsters.
- stateless scales badly on large networks, because it requires much more complex and lengthy rules if you are serious with security.This is a) untrue and b) a near non-sequitur. In general state is much more harmful on larger networks than on smaller ones; and there's no correlation at all between the size of a network and the complexity of network access policies.
I was talking about complexity correlation between using stateful or stateless. Maybe it does not make any difference on a frontal firewall with a few servers behind. But on a large network with inter-vlan filtering, it matters a lot. Believe me, this one is based on my operational experience.
Another advantage of stateful is that there is a first sanity check of the sessions on a specialized hardware rather than on a generic TCP/IP stack of a bloated server OS.Marketing aside, those 'sanity checks' take place in software, not in hardware; and they actually constitute a greatly broadened attack surface (look at the multiple vulnerability notices/patch notices for any commercial stateful firewall you can name, as well as for open-source stateful firewall packages).
I still trust more the network stack of a Linux/BSD/IOS dedicated box than the one of a Windows Server. And it means a crafted packet has to go through mixed devices.
For instance, the network stack of Windows is probably much more prone to bug/crash due to poor handling of crafted packets than a dedicated firewall (Checkpoint, Cisco, Fortinet...) may be.Sadly, this is also not borne out by experience. Quite the opposite, actually.
Well maybe. I have no certitude on this point, but if you have facts, it's welcome. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Sony: No firewall and no patches, (continued)
- Re: Sony: No firewall and no patches Craig Miskell (May 11)
- Re: Sony: No firewall and no patches Thor (Hammer of God) (May 12)
- Re: Sony: No firewall and no patches Cal Leeming (May 11)
- Re: Sony: No firewall and no patches Thor (Hammer of God) (May 12)
- Re: Sony: No firewall and no patches Peter Osterberg (May 11)
- Re: Sony: No firewall and no patches Pavel Kankovsky (May 15)
- Re: Sony: No firewall and no patches Bruno Cesar Moreira de Souza (May 12)
- Re: Sony: No firewall and no patches phocean (May 11)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 11)
- Re: Sony: No firewall and no patches phocean (May 11)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 11)
- Re: Sony: No firewall and no patches phocean (May 11)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 11)
- Re: Sony: No firewall and no patches phocean (May 11)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 11)