nanog mailing list archives
Re: I don't need no stinking firewall!
From: Brian Keefer <chort () smtps net>
Date: Wed, 6 Jan 2010 13:12:24 -0800
On Jan 6, 2010, at 11:29 AM, Brian Johnson wrote:
> If your point is given unlimited inbound bandwidth that a stateful firewall will fail (not work correctly), I can say that about any piece of equipment. And even if it does fail, does it matter if your connection is full of useless traffic?
It's a lot easier to fill up a state table than to fill up a pipe, which I believe was Roland's point. It's quite possible to flood the state table on a device with a fraction of the pipe's capacity, in which case a stateful device will fall over where a stateless device would not have.

This type of attack will definitely degrade the service it's aimed at, and probably degrade other services sharing the same pipe, but won't _necessarily_ kill them as is the case when a stateful gateway falls over. Typical scenario is $badguys DDoS one of your webservers. If the gateway is stateless, your webservers grind to a crawl, but your DNS, e-mail, VOIP, etc. probably still function to a degree. Contrast that with a site-wide outage if your gateway was stateful and crashed/rebooted/refused to pass traffic due to having the state table filled.

You're not going to be able to stop $sophisticated_badguy from enumerating your services no matter how fancy your gear is. Could you detect a distributed portscan that looks at 5000 proto/IP/port combos per day, across your IP space, each probe coming from a different IP? I really doubt it. If you have services listening, someone is going to find them. IMO you're better off making sure only the services you intend to provide are listening, and that those services are hardened appropriately for public exposure.

This topic has probably run its course; everyone has different opinions and takes away different lessons from their experience. I think it's valuable to challenge the common assumptions (everyone knows you need a stateful firewall!) now and then to make sure they actually make sense.

--
bk
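A capacity model for the state-table versus pipe comparison made in the message above, added here as an example; it is not code from the thread or from any participant. Every number in it (table size, idle timeout, bytes per flow, link speed) is an assumed placeholder to be replaced with a real device's datasheet values.

```python
"""Model of when a stateful gateway's table fills before its link does.

Added example, not from the original thread. All parameters are
assumptions for illustration, not measurements of any real device.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class StatefulGateway:
    max_entries: int        # state table capacity (assumed)
    idle_timeout_s: float   # seconds before an idle entry is evicted (assumed)
    link_bps: float         # pipe capacity in bits per second (assumed)

    def steady_state_occupancy(self, new_flows_per_s: float) -> float:
        """Entries held once arrivals and evictions balance (rate x residence time)."""
        return new_flows_per_s * self.idle_timeout_s

    def flows_per_s_to_fill_table(self) -> float:
        """Smallest sustained new-flow rate at which the table can never drain."""
        return self.max_entries / self.idle_timeout_s

    def link_fraction(self, new_flows_per_s: float, bytes_per_flow: int) -> float:
        """Share of the pipe that a given new-flow rate consumes."""
        return new_flows_per_s * bytes_per_flow * 8 / self.link_bps

    def link_fraction_at_table_fill(self, bytes_per_flow: int) -> float:
        """Share of the pipe in use at the moment the table-filling rate is reached."""
        return self.link_fraction(self.flows_per_s_to_fill_table(), bytes_per_flow)

    def bottleneck(self, new_flows_per_s: float, bytes_per_flow: int) -> dict:
        """Report which resource gives out first under a sustained new-flow rate.

        The table fills only if arrivals during one timeout exceed its size;
        in that case it is full before the first eviction, at max_entries/rate.
        """
        fills = self.steady_state_occupancy(new_flows_per_s) >= self.max_entries
        seconds: Optional[float] = self.max_entries / new_flows_per_s if fills else None
        return {
            "table_fills": fills,
            "seconds_to_fill": seconds,
            "link_fraction": self.link_fraction(new_flows_per_s, bytes_per_flow),
        }


if __name__ == "__main__":
    # Assumed: 1M entries, 30 s half-open timeout, 1 Gbit/s link, 64-byte SYNs.
    gw = StatefulGateway(max_entries=1_000_000, idle_timeout_s=30.0, link_bps=1e9)
    print(f"table fills at {gw.flows_per_s_to_fill_table():.0f} new flows/s, "
          f"using {gw.link_fraction_at_table_fill(64):.1%} of the link")
    print(gw.bottleneck(50_000, 64))
```

Under these assumed numbers the table is exhausted while the link is under 2% utilised, which is the headroom figure worth checking against your own device's table size and timeouts.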