nanog mailing list archives
RE: I don't need no stinking firewall!
From: "Brian Johnson" <bjohnson () drtel com>
Date: Wed, 6 Jan 2010 08:51:37 -0600
I will not argue the more complete statement about the architectural premise that stateful firewalls are being produced under. That would be fruitless and I would concede to Roland and his statements on that.

It appears that the real argument is whether stateful inspection is useful, and whether the firewall causes other issues to the network design. If this is so, then I would say that it depends on the network and its design as to whether a stateful firewall is useful. One could put ACLs in routers and switches, but when you break it down and turn off stateful inspection, that is what a firewall is.

As always, you should always consider your network design before implementing any network appliance that will/may affect traffic. I don't think that discarding ideas like signature-based analysis and DPI is wise. Depending on the network, the staff running the network, the users using the network, external exposure and many other metrics, I don't think that anyone should be making broad statements on equipment decisions.

I'm glad that I can go to lists like NANOG with this type of question and not get the clue bat across the head. Like Roland, I've been doing this for over a decade as well, and I have seen some pretty strange things, even a stateful firewall in front of servers with IPS actually work.

This thread is a tribute to different ideas and beliefs as well as experience on this topic. Please keep up the conversation and down the condescension and rhetoric. Thank you.

- Brian
-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins () arbor net]
Sent: Wednesday, January 06, 2010 7:52 AM
To: NANOG list
Subject: Re: I don't need no stinking firewall!

On Jan 6, 2010, at 8:42 PM, Jared Mauch wrote:

> The reality is they just have not been attacked yet, and hence have no experience in what to do about the problem...

And they've been bombarded with misinformation for years by 'security' vendors, wildly unrealistic certification training courses, and the 'compliance' mafia; you're right, of course. ;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken