Full Disclosure mailing list archives
Re: Sony: No firewall and no patches
From: phocean <0x90 () phocean net>
Date: Wed, 11 May 2011 17:03:57 +0200
Thanks for this useful sum-up of the discussion. I have a few comments though:

- DDoS: anyway, a firewall isn't more susceptible to DoS than the server it protects. If you look at the hardware performance of modern firewalls, if an attacker has the ability to DoS it, then only a considerable server farm that very few companies can afford will be able to sustain it. So I think this can't be counted as a negative point, even if in theory it has less performance than stateless.

- SPoF: there are clusters (active/active or active/passive) for firewalls as well as for servers.

- Stateless scales badly on large networks, because it requires much more complex and lengthy rules if you are serious about security.

Another advantage of stateful is that there is a first sanity check of the sessions on specialized hardware rather than on the generic TCP/IP stack of a bloated server OS. For instance, the network stack of Windows is probably much more prone to bug/crash due to poor handling of crafted packets than a dedicated firewall (Checkpoint, Cisco, Fortinet...) may be.

On Wed, 11 May 2011 09:22:33 -0500, Michael Krymson wrote:
I can't speak for everyone, but I certainly find this discussion far more interesting and useful to security than quite a few others on here. So feel free to keep it public. I'm not about to wade in too deeply, but I thought I'd summarize and add a few notes.

----------------------------------------------------------
STATEFUL (session-based filter)

Pros
- can provide other filtering services during inspection (depends on device feature set)
- won't have to constantly fight battles (against admins, vendors, clients, auditors, managers, outsiders) to explain why you don't have a "firewall"
- handles ephemeral ports, dynamic connections, and matches returning traffic well

Cons
- more DDoS susceptible
- another piece of hardware so another point of failure
- won't add much when you're already accepting * into IP x on port n

----------------------------------------------------------
ACLs (packet-based filter)

Pros
- with pure ACLs, will always be faster
- as such it can scale with traffic better
- excellent when you're just blanket stopping all traffic except * to x on port n

Cons
- poor filter for ephemeral port needs, or dynamic connections
- susceptible to protocol anomalies used in attacks (includes covert channels)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
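The ephemeral-port point in Krymson's summary and phocean's remark about rule complexity, as an added example that is not part of either post: a toy packet-based ACL next to a toy session-tracking filter, run over a constructed trace. The internal range, addresses and the "established" heuristic (ACK flag set) are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

INTERNAL_PREFIX = "10.0.0."  # constructed: internal clients browse out from here

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def stateless_allow(p: Packet) -> bool:
    """Packet-based ACL: every packet is judged alone, with no memory of flows."""
    # Outbound: any internal client to any web server on port 80.
    if is_internal(p.src) and not is_internal(p.dst) and p.dport == 80:
        return True
    # Inbound replies: the ACL cannot know which ephemeral port a client chose,
    # so it has to admit any ACK-flagged packet from port 80 to the whole range.
    if (not is_internal(p.src) and is_internal(p.dst)
            and p.sport == 80 and p.ack and p.dport >= 1024):
        return True
    return False

class StatefulFilter:
    """Session-based filter: only replies to flows the inside opened get in."""
    def __init__(self) -> None:
        self.sessions: set[tuple] = set()

    def allow(self, p: Packet) -> bool:
        if (is_internal(p.src) and not is_internal(p.dst)
                and p.dport == 80 and p.syn and not p.ack):
            self.sessions.add((p.src, p.sport, p.dst, p.dport))  # new outbound flow
            return True
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd in self.sessions or rev in self.sessions

# Constructed trace: one legitimate handshake, then an unsolicited ACK-flagged
# packet aimed at an internal host that never opened a connection.
TRACE = [
    Packet("10.0.0.7", 40000, "203.0.113.10", 80, syn=True),
    Packet("203.0.113.10", 80, "10.0.0.7", 40000, syn=True, ack=True),
    Packet("10.0.0.7", 40000, "203.0.113.10", 80, ack=True),
    Packet("203.0.113.99", 80, "10.0.0.9", 3389, ack=True),
]

def compare(trace):
    """Return (stateless verdict, stateful verdict) per packet, in order."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in trace]
```

The last packet is the case Krymson's "Cons" describes: the ACL's return-traffic rule admits it, while the session table has nothing to match it against.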