nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Sun, 20 Apr 2014 14:04:28 +0000
On Apr 20, 2014, at 8:52 PM, Seamus Ryan <s.ryan () uber com au> wrote:
Similarly if most of the time I just need to protect my relatively simple network by implementing a few separate zones I will get a firewall, I'm not going to deploy expensive stateless devices that can push a billion pps everywhere and send flow stats to expensive DDoS mitigation hardware *cough* arbor *cough* just so I can protect against an attack that may only happen a few times a year.
I'm talking about stateless ACLs on hardware-based routers and switches for enforcing network access policies - nothing to do with Arbor. Arbor doesn't make routers or switches.

Stateful firewalls make servers far more vulnerable to DDoS (and to compromise, for that matter; they broaden the attack surface amazingly) than they would be without deploying stateful firewalls. Vendors of commercial DDoS mitigation solutions [full disclosure: I work for a vendor of such solutions] who wish to drum up business should be *encouraging* organizations to deploy stateful firewalls, not discouraging them from doing so.

Anyone who knows me knows that I do *not* violate NANOG rules (or the rules of any other community list) by pushing commercial solutions. What I advocate is for folks to avoid spending extra money and time and effort in order to negatively impact their security posture, and instead utilize their existing investments in network infrastructure devices to enforce network access policies via stateless ACLs, as well as to deploy reaction/mitigation tools such as S/RTBH and flowspec.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton