nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 22 Apr 2014 15:18:21 -0400

On Tue, Apr 22, 2014 at 2:55 PM, Brian Johnson <bjohnson () drtel com> wrote:
Eric,

If you read what he posted and really believe that is what he is saying, you need to re-think your career decision. 
It is obvious that he is not saying that.


Roland's saying basically:
  1) if you deploy something on 'the internet' you should secure that something
  2) the securing of that 'thing' should NOT be be placing a stateful
device between your users and the 'thing'.

In a simple case of:
  "Put a web server on the internet"

Roland's advice breaks down to:
  1) deploy server
  2) put acl on upstream router like:
      permit tcp any any eq 80
      deny ip any any
  3) profit

The router + acl will process line-rate traffic without care.

-chris

I hate it when threads breakdown to this type of tripe and ridiculous restatement of untruths.

- Brian

-----Original Message-----
From: Eric Wieling [mailto:EWieling () nyigc com]
Sent: Tuesday, April 22, 2014 1:16 PM
To: Dobbins, Roland; nanog () nanog org
Subject: RE: Requirements for IPv6 Firewalls

It seems to me you are saying we should get rid of firewalls and rely on
applications network security.

This is so utterly idiotic I must be misunderstanding something.    There are a
few things we can count on in life, death, taxes, and application developers
leaving giant security holes in their applications.

-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins () arbor net]
Sent: Saturday, April 19, 2014 12:10 AM
To: nanog () nanog org
Subject: Re: Requirements for IPv6 Firewalls

You can 'call' it all you like - but people who actually want to keep their
servers up and running don't put stateful firewalls in front of them, because
it's very easy to knock them over due to state exhaustion.  In fact, it's far
easier to knock them over than to knock over properly-tuned naked hosts.

Also, you might want to search the NANOG email archive on this topic.
There's lots of previous discussion, which boils down to the fact that serious
organizations running serious applications/services don't put stateful
firewalls (or 'IPS', or NATs, et. al.) in front of their servers.

The only way to secure hosts/applications/service against compromise is via
those hosts/applications/services themselves.  Inserting stateful
middleboxes doesn't actually accomplish anything to enhance confidentiality
and integrity, actually increases the attack surface due to middlebox exploits
(read the numerous security notices for various commercial and open-source
stateful firewalls for compromise exploits), and has a negative impact on
availability.






Current thread: