nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Sun, 20 Apr 2014 14:04:28 +0000


On Apr 20, 2014, at 8:52 PM, Seamus Ryan <s.ryan () uber com au> wrote:

> Similarly if most of the time I just need to protect my relatively simple network by implementing a few separate
> zones I will get a firewall, I'm not going to deploy expensive stateless devices that can push a billion pps
> everywhere and send flow stats to expensive DDoS mitigation hardware *cough* arbor *cough* just so I can protect
> against an attack that may only happen a few times a year.

I'm talking about stateless ACLs on hardware-based routers and switches for enforcing network access policies - nothing 
to do with Arbor.  Arbor doesn't make routers or switches.

Stateful firewalls make servers far more vulnerable to DDoS (and to compromise, for that matter; they broaden the 
attack surface amazingly) than they would be without deploying stateful firewalls.  Vendors of commercial DDoS 
mitigation solutions [full disclosure:  I work for a vendor of such solutions] who wish to drum up business should be 
*encouraging* organizations to deploy stateful firewalls, not discouraging them from doing so.  

Anyone who knows me knows that I do *not* violate NANOG rules (or the rules of any other community list) by pushing 
commercial solutions.  What I advocate is for folks to avoid spending extra money and time and effort in order to 
negatively impact their security posture, and instead utilize their existing investments in network infrastructure 
devices to enforce network access policies via stateless ACLs, as well as to deploy reaction/mitigation tools such as 
S/RTBH and flowspec.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton


