Re: Sony: No firewall and no patches

["Dobbins, Roland" <rdobbins () arbor net>]

On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:

> Maybe they should call that "You don't have to patch" genius! 


Stateful firewalls have no place in front of servers, where every incoming request is unsolicited, and therefore there 
is no state to inspect in the first place.  Stateful firewalls in front of servers merely serve as DDoS chokepoints due 
to the large amount of unnecessary state they instantiate.

Instead, network access policies for servers should be implemented utilizing stateless ACLs on hardware-based routers 
and/or layer-3 switches capable of handling mpps of traffic.

Keeping OSes and apps/services up-to-date with patches and configured securely is extremely important, of course; and 
network access policies should be implemented per the above.  But blindly sticking stateful firewalls in places where 
there's no state to inspect and where they actually do more harm than good in terms of actual security posture isn't a 
solution.  Where stateful firewalls in front of Web servers are incorrectly mandated by various regulatory frameworks, 
making use of mod_security or its equivalent on the Web servers themselves ensures compliance without creating a DDoS 
chokepoint.

See <http://www.nanog.org/meetings/nanog48/presentations/Monday/Kaeo_FilterTrend_ISPSec_N48.pdf> and 
<http://www.eweek.com/index2.php?option=content&task=view&id=66503&pop=1&hide_ads=1&page=0&hide_js=1&catid=45> for more 
details on this particular sub-topic.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/