nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Doug Barton <dougb () dougbarton us>
Date: Tue, 22 Apr 2014 13:02:43 -0700
On 04/22/2014 12:18 PM, Christopher Morrow wrote:
> Roland's saying basically:
> 1) if you deploy something on 'the internet' you should secure that something
> 2) the securing of that 'thing' should NOT be placing a stateful device between your users and the 'thing'.
>
> In a simple case of: "Put a web server on the internet" Roland's advice breaks down to:
> 1) deploy server
> 2) put acl on upstream router like:
>    permit tcp any any eq 80
>    deny ip any any
> 3) profit
>
> The router + acl will process line-rate traffic without care.
A key part of this overall strategy is also "Harden the system to run only those services it needs to do its job." And the above implies that things like ssh (i.e., management services) should be ACL'ed to only allow access from inside .... etc.
But otherwise, yes; and yes, this strategy is very successful. It removes the stateful firewall as the SPOF.
Doug
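
The policy discussed in this message, sketched as a stateless IPv6 ACL in Cisco IOS-style syntax. This is an added example, not part of the original post or the thread. The addresses (documentation prefix 2001:db8::/32), the ACL name and the interface name are constructed placeholders.

```cisco
! Constructed example. Assumptions (placeholders, not from the thread):
!   2001:DB8:10::80   the web server
!   2001:DB8:FF::/48  the "inside" management range
ipv6 access-list WEB-SERVER-IN
 remark Public service: HTTP to the web server only
 permit tcp any host 2001:DB8:10::80 eq www
 remark Management: ssh reachable from the inside range only
 permit tcp 2001:DB8:FF::/48 host 2001:DB8:10::80 eq 22
 remark PMTUD: IPv6 routers do not fragment, so Packet Too Big must get through
 permit icmp any host 2001:DB8:10::80 packet-too-big
 remark Neighbor discovery: an explicit deny overrides the implicit ND permits
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark Everything else is dropped; no per-flow state is kept anywhere
 deny ipv6 any any
!
! Applied inbound on the interface where traffic toward the server arrives
! (placeholder interface name).
interface GigabitEthernet0/0
 ipv6 traffic-filter WEB-SERVER-IN in
!
! Being stateless, this ACL has no entry for replies to connections the server
! itself opens (DNS lookups, package updates). Those need their own explicit
! permits, e.g. a "permit tcp any host 2001:DB8:10::80 established" line placed
! before the final deny.
```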