nanog mailing list archives

Re: I don't need no stinking firewall!


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Tue, 5 Jan 2010 20:29:01 +0000


On Jan 6, 2010, at 3:16 AM, Brian Johnson wrote:

Given this information, and not prejudging any responses, exactly what is a
firewall for and when is stateful inspection useful?

In the most basic terms, a stateful firewall performs bidirectional classification of communications between nodes, and 
makes a pass/fail determination on each packet based on a) whether or not a bidirectional communications session is 
already open between the nodes and b) any policy rules configured on the firewall as to what ports/protocols should be 
allowed between said nodes.

Stateful firewalls make good sense in front of machines which are primarily clients; the stateful inspection part keeps 
unsolicited packets away from the clients.

Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the 
server is unsolicited (some protocols like ftp work a bit differently in that there're multiple 
bidirectional/omnidirectional communications sessions, but the key is that the initial connection is always 
unsolicited).

Putting firewalls in front of servers is a Really Bad Idea - besides the fact that the stateful inspection premise 
doesn't apply (see above), rendering the stateful firewall superfluous, even the biggest, baddest firewalls out there 
can be easily taken down via state-table exhaustion; an attacker can craft enough programmatically-generated, 
well-formed traffic which conforms to the firewall policies to 'crowd out' legitimate traffic, thus DoSing the server.  
Additionally, the firewall can be made to collapse far quicker than the server itself would collapse, as the overhead on 
the state-tracking is less than what the server itself could handle on its own.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
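The pass/fail logic described in the post, as an added toy model in Python (example code, not from the post or any real firewall product): one table of open sessions, a policy for which new sessions may open state, and a hard cap on the table. The addresses, ports and the cap of 3 are constructed values; the second scenario shows why a bounded state table in front of a server is a capacity risk even when every packet conforms to policy.

```python
from dataclasses import dataclass

# Constructed toy model of the stateful pass/fail logic described above, not real
# firewall code: a table of open sessions, a policy for opening new state, and a cap.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True marks an attempt to open a new session

class StatefulFilter:
    def __init__(self, inside, policy, max_states):
        self.inside = set(inside)    # addresses on the protected side
        self.policy = set(policy)    # (from_inside, dport) pairs allowed to open state
        self.max_states = max_states
        self.states = set()          # direction-independent keys of open sessions

    @staticmethod
    def key(pkt):
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def decide(self, pkt):
        if self.key(pkt) in self.states:
            return "PASS"  # either direction of an already-open session
        if pkt.syn and (pkt.src in self.inside, pkt.dport) in self.policy:
            if len(self.states) >= self.max_states:
                return "DROP"  # table full: even policy-compliant sessions are refused
            self.states.add(self.key(pkt))
            return "PASS"
        return "DROP"  # unsolicited packet with no matching policy rule

def client_side():
    """Filter in front of a client: only inside-initiated sessions open state."""
    fw = StatefulFilter({"10.0.0.5"}, {(True, 443)}, max_states=1000)
    out = fw.decide(Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True))
    back = fw.decide(Packet("203.0.113.10", 443, "10.0.0.5", 40000))
    uninvited = fw.decide(Packet("198.51.100.7", 5555, "10.0.0.5", 22, syn=True))
    return out, back, uninvited  # outbound and its reply pass, unsolicited inbound drops

def server_side():
    """Filter in front of a web server: every new connection is unsolicited, so each
    policy-compliant one consumes a state entry; at the cap, later clients are refused."""
    fw = StatefulFilter({"10.0.0.80"}, {(False, 80)}, max_states=3)
    for i in range(3):  # three outside hosts open sessions that conform to policy
        fw.decide(Packet(f"198.51.100.{i}", 3000 + i, "10.0.0.80", 80, syn=True))
    late_client = fw.decide(Packet("192.0.2.9", 6000, "10.0.0.80", 80, syn=True))
    return len(fw.states), late_client
```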
