nanog mailing list archives
Re: I don't need no stinking firewall!
From: Brielle Bruns <bruns () 2mbit com>
Date: Tue, 05 Jan 2010 13:58:52 -0700
On 1/5/10 1:29 PM, Dobbins, Roland wrote:
> Putting firewalls in front of servers is a Really Bad Idea - besides the fact that the stateful inspection premise doesn't apply (see above), rendering the stateful firewall superfluous, even the biggest, baddest firewalls out there can be easily taken down via state-table exhaustion; an attacker can craft enough programmatically-generated, well-formed traffic which conforms to the firewall policies to 'crowd out' legitimate traffic, thus DoSing the server. Additionally, the firewall can be made to collapse far quicker than the server itself would collapse, as the overhead on the state-tracking is less than what the server itself could handle on its own.
The trick is to not track ports/IPs that do not need it. On my combo firewalls (that handle both NATing and serving websites, dns, etc) for example, I'll do a NOTRACK on the LAN side to prevent connections to the firewall itself from taking up valuable table space.
It's all how you configure and tweak the firewall. Recommending people run servers without a firewall is bad advice - do you really want your Win2k3 server exposed, SMB, RPC, and all to the world?
-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
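The NOTRACK exemption described in the reply above, written out as an added example that is not from the thread: a POSIX shell script that generates an iptables-restore fragment exempting connections to the firewall's own LAN-side services from conntrack, and accepting those untracked flows explicitly in the filter table. The interface name, address and port list are assumed values for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): keep connections to the firewall's own
# LAN-side services out of the conntrack table so they cannot consume
# state-table entries, then accept the now-untracked flows explicitly.
LAN_IF="${LAN_IF:-eth1}"                     # assumed LAN-facing interface
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"        # assumed firewall LAN address
NOTRACK_PORTS="${NOTRACK_PORTS:-53 80 443}"  # assumed services on the firewall

rule() { printf '%s\n' "$*"; }   # emit one iptables-restore line

# Print an iptables-restore fragment covering the raw and filter tables.
gen_notrack_rules() {
  ports_csv=$(printf '%s' "$NOTRACK_PORTS" | tr ' ' ',')
  rule '*raw'
  for p in $NOTRACK_PORTS; do
    for proto in tcp udp; do
      # Inbound to the firewall itself: no conntrack entry is ever created.
      # "-j CT --notrack" is the current spelling of the older NOTRACK target.
      rule -A PREROUTING -i "$LAN_IF" -d "$FW_LAN_IP" -p "$proto" --dport "$p" -j CT --notrack
      # Replies leaving the firewall must be exempted too, or they create entries.
      rule -A OUTPUT -o "$LAN_IF" -s "$FW_LAN_IP" -p "$proto" --sport "$p" -j CT --notrack
    done
  done
  rule COMMIT
  rule '*filter'
  # Untracked packets never match ESTABLISHED/RELATED, so a stateful INPUT
  # policy would silently drop them; accept exactly the exempted services.
  # (A stateful OUTPUT policy needs the matching UNTRACKED --sports rule.)
  for proto in tcp udp; do
    rule -A INPUT -i "$LAN_IF" -m conntrack --ctstate UNTRACKED -p "$proto" -m multiport --dports "$ports_csv" -j ACCEPT
  done
  rule COMMIT
}

# Load without flushing the existing ruleset (needs root). Forwarded and NATed
# traffic stays tracked: NAT depends on conntrack, so never NOTRACK it.
apply_notrack_rules() { gen_notrack_rules | iptables-restore --noflush; }

gen_notrack_rules   # print the fragment for review before applying it
```

Conntrack pressure itself can be watched via `net.netfilter.nf_conntrack_count` against `net.netfilter.nf_conntrack_max`; the exemption only pays off for services that would otherwise show up there.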