nanog mailing list archives

Re: I don't need no stinking firewall!


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Mon, 11 Jan 2010 06:15:35 +0000


On Jan 11, 2010, at 12:56 PM, George Bonser wrote:

 One would probably have a load balancer of some sort in front of those machines.  That is the device that would be fielding any DoS.

Yes, and as you've noted previously, it should be protected via stateless ACLs in hardware capable of handling mpps, 
S/RTBH, flow-spec, IDMS, whatever.  And of course the load-balancer should also be fronted by a reverse-proxy cache 
farm, if the servers in question are Web servers.

I have a feeling you are talking about relatively small amounts of traffic.  

I believe that these comments were more along the lines of 'servers can better handle this than stateful firewalls', 
not ruling out the use of load-balancers, reverse-proxy caches, etc. as appropriate.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken




