nanog mailing list archives
Re: I don't need no stinking firewall!
From: Brian Keefer <chort () smtps net>
Date: Wed, 6 Jan 2010 09:38:01 -0800
On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote:
> Like Roland, I've been doing this for over a decade as well, and I have seen some pretty strange things, even a stateful firewall in front of servers with IPS actually work.
What do you mean by "work"? If you mean "all three pieces ran for years without being seriously attacked", then that's really not the same thing as "continued to perform assigned duties effectively in the face of a determined DDoS".

I'd venture to say the vast majority of network operators, including myself, have never faced a DoS worse than a miscreant kid with a cable modem. The few customers I've talked to who have been DDoS'd have all said the firewall died first.

It's pretty simple. Of the devices on your network that have to keep state, a firewall has to maintain far more of it, since it's the aggregate of many down-stream hosts. The resources to maintain state are finite. At some point, those finite resources will be exceeded, and that will happen to a device holding the aggregate before any other device succumbs to the same problem. If the firewall goes down, that DoS's everything behind it. Is that really better than having only a portion of the down-stream hosts unavailable?

IMO firewalls have been a crutch for far too long. They're an excuse for not having tight host-based security and (more importantly) good patch-management. There really isn't a network perimeter any more anyway. If any of your hosts gets infected, they're going to attempt to infect their neighbors. Worms have been doing this since they were invented, and a network firewall offers very little protection against it.

Put another way: Is it clear that spending money on fancy network firewalls and IPS is more effective at mitigating risk than investing the same money in patch-management and host-hardening? I don't think so.

I'd also like to add a +1 to the statement "firewalls break things in subtle and hard-to-debug ways". The longest support calls are always those trying to figure out how the customer's firewall is breaking things, and then how to prove this to their $management so they'll approve disabling the offending "feature".

Speaking of which, there are about 700MB of PCAPs that I'm supposed to be looking at right now...

--
bk
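The state-exhaustion argument in the message above, as an added toy model that is not part of the original post: finite connection-state tables with idle timeouts, one per host and one aggregate table in a firewall in front of them, under a constructed flood concentrated on a few hosts. The host count, capacities, rates and timeout are assumed values chosen for illustration, not figures from the thread.

```python
from dataclasses import dataclass, field


@dataclass
class StateTable:
    """A finite connection-state table; entries expire after `timeout` idle ticks."""
    capacity: int
    timeout: int
    expiry: list = field(default_factory=list)  # expiry tick of each live entry

    def tick(self, now, new_flows):
        """Expire idle entries, then admit new flows until the table is full.
        Returns how many new flows had to be dropped for lack of state."""
        self.expiry = [t for t in self.expiry if t > now]
        admitted = min(self.capacity - len(self.expiry), new_flows)
        self.expiry.extend([now + self.timeout] * admitted)
        return new_flows - admitted

    def full(self):
        return len(self.expiry) >= self.capacity


def simulate(n_hosts, host_cap, fw_cap, flood_rate, targeted, ticks=20, timeout=10):
    """Run a flood of `flood_rate` bogus flows per tick, spread evenly over the
    first `targeted` hosts, on top of one legitimate flow per host per tick.
    Returns (fraction of hosts reachable with a stateful firewall in front,
             fraction reachable when each host keeps only its own state)."""
    hosts = [StateTable(host_cap, timeout) for _ in range(n_hosts)]
    firewall = StateTable(fw_cap, timeout)  # holds the aggregate of all hosts' flows
    for now in range(ticks):
        load = [1 + (flood_rate // targeted if i < targeted else 0) for i in range(n_hosts)]
        firewall.tick(now, sum(load))       # every flow also consumes firewall state
        for host, flows in zip(hosts, load):
            host.tick(now, flows)
    reachable = sum(not h.full() for h in hosts) / n_hosts
    # A full firewall drops new flows for every host behind it, not just the targets.
    return (0.0 if firewall.full() else reachable), reachable


if __name__ == "__main__":
    # Constructed scenario: 10 hosts, 500 entries each, firewall 4x a single host's table.
    for rate in (40, 400):
        with_fw, without_fw = simulate(10, 500, 2000, rate, targeted=4)
        print(f"flood {rate}/tick: with firewall {with_fw:.0%} reachable, "
              f"without {without_fw:.0%} reachable")
```

At the low flood rate both designs stay fully reachable; at the high rate the four targeted hosts lose their own state either way, but the aggregate firewall table fills first and takes the six untouched hosts down with it.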