nanog mailing list archives
Re: I don't need no stinking firewall!
From: Arie Vayner <arievayner () gmail com>
Date: Fri, 8 Jan 2010 10:21:34 +0200
What is nice about load balancers is that if you design your solution correctly, you can scale them in a very nice way. Things like direct server return, where only the requests hit the load balancer, but the replies (which are usually larger) just route back directly to the client can free up resources on the load balancer to handle more complex policies.

This also reduces the imposed symmetry for routing that firewalls bring to the table.

Further on, if you want to really protect against a real DDoS you would most likely have to look at a really distributed solution, where the different geographical load balancing solutions come into play.

Arie

On Wed, Jan 6, 2010 at 7:03 AM, George Bonser <gbonser () seven com> wrote:
> -----Original Message-----
> From: Dobbins, Roland [mailto:rdobbins () arbor net]
> Sent: Tuesday, January 05, 2010 8:53 PM
> To: NANOG list
> Subject: Re: I don't need no stinking firewall!
>
> On Jan 6, 2010, at 11:43 AM, George Bonser wrote:
>
> > Yes, you have to take some of the things that were done in one spot and do them in different locations now, but the results are an amazing increase in service capacity per dollar spent on infrastructure.
>
> I strongly agree with the majority of your comments, with the caveat that I've seen many, many load-balancers fall over due to state-exhaustion, too; load-balancers need northbound protection from DDoS (S/RTBH, flow-spec, IDMS, et al.), as well.
>
> Yes, I have seen load balancers fall over, too. I have some interesting stories of how those problems have been solved. Sometimes it relies on using a feature of one vendor to leverage a feature of another vendor. But I generally agree with you. There is a lot that can be done ahead of the load balancers.