nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Łukasz Bromirski <lukasz () bromirski net>
Date: Sat, 19 Apr 2014 20:44:14 +0200
On 19 Apr 2014, at 20:08, George William Herbert <george.herbert () gmail com> wrote:
> On Apr 18, 2014, at 9:10 PM, "Dobbins, Roland" <rdobbins () arbor net> wrote:
>> You can 'call' it all you like - but people who actually want to keep their servers up and running don't put stateful firewalls in front of them,
>
> I don't know where you find ideas like this.
>
> From real world.
>
> There are stateful firewalls in the security packages in front of all the internet facing servers in all the major service providers I've worked at. Not *just* stateful firewalls, but they're in there.

There's no sense in putting a stateful firewall in front of a DNS server, unless the DNS server is underperforming, and then it should be exchanged and not protected by a stateful firewall. You can try to protect mail/WWW servers with stateful firewalls, but it often achieves nothing but makes the firewall the weakest link in the setup. And tuning it to perform reasonably well in normal and peak traffic is usually not achievable. In case of a DDoS attack, the stateful firewall goes out first. I've seen them burn too.

To protect high-performance services, you do stateless filtering + NetFlow based QoS policies, or shunt to dedicated DDoS filtering boxes. Adding state where it's not needed is a sign of bad design. And just because a lot of people do that doesn't make it any better.

-- 
"There's no sense in being precise when | Łukasz Bromirski
 you don't know what you're talking     | jid:lbromirski () jabber org
 about."            John von Neumann    | http://lukasz.bromirski.net
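The failure mode described in this message, a stateful filter in front of a DNS server running out of flow-table slots under a flood of spoofed sources while a stateless ACL keeps passing legitimate queries, as an added toy model (example code, not from the thread or any firewall product). The addresses, traffic mix, table size and the absence of flow timeouts are all constructed assumptions.

```python
from collections import namedtuple

DNS_SERVER = "2001:db8::53"           # constructed documentation address
SERVICE = {("udp", 53), ("tcp", 53)}  # the only thing this host offers
Pkt = namedtuple("Pkt", "src dst proto dport")

def stateless_allow(pkt: Pkt) -> bool:
    """Stateless ACL: the verdict depends only on the packet's own fields."""
    return pkt.dst == DNS_SERVER and (pkt.proto, pkt.dport) in SERVICE

class StatefulFirewall:
    """Same policy, but each new flow takes a slot in a bounded table.
    Timeouts are omitted (assumption: the flood outpaces them anyway)."""
    def __init__(self, max_flows: int) -> None:
        self.flows: dict = {}
        self.max_flows = max_flows
        self.table_full_drops = 0
    def allow(self, pkt: Pkt) -> bool:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.flows:                  # known flow: fast path
            return True
        if not stateless_allow(pkt):           # policy first ...
            return False
        if len(self.flows) >= self.max_flows:  # ... then capacity, the new failure mode
            self.table_full_drops += 1
            return False
        self.flows[key] = "NEW"
        return True

def traffic(resolvers: int, flood: int) -> list:
    """Constructed stream: known resolvers, a flood of unique spoofed sources,
    then resolvers the firewall has never seen before."""
    mk = lambda prefix, i: Pkt(f"{prefix}::{i:x}", DNS_SERVER, "udp", 53)
    return ([(mk("2001:db8:1", i), True) for i in range(resolvers)]
            + [(mk("2001:db8:bad", i), False) for i in range(flood)]
            + [(mk("2001:db8:2", i), True) for i in range(resolvers)])

def compare(resolvers: int = 20, flood: int = 1500, max_flows: int = 1000) -> dict:
    fw = StatefulFirewall(max_flows)
    stateless_ok = stateful_ok = flood_forwarded = 0
    for pkt, legit in traffic(resolvers, flood):
        s, f = stateless_allow(pkt), fw.allow(pkt)
        if legit:
            stateless_ok += s
            stateful_ok += f
        else:
            flood_forwarded += s  # the ACL forwards it; server or scrubber must absorb it
    return {"legit_allowed_stateless": stateless_ok, "legit_allowed_stateful": stateful_ok,
            "flood_forwarded_stateless": flood_forwarded, "table_full_drops": fw.table_full_drops}
```

With the defaults, the stateless ACL passes all 40 legitimate queries (and forwards the whole flood to the server), while the stateful filter passes only the 20 resolvers it saw before its table filled and drops every later new flow, legitimate or not.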