nanog mailing list archives

Re: D/DoS mitigation hardware/software needed.


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Tue, 5 Jan 2010 02:24:00 +0000


On Jan 5, 2010, at 9:17 AM, Tim Eberhard wrote:

> I would argue that firewalls place is in fact directly in front of servers and load balancers to protect them.

The very idea of placing a stateful firewall in front of a Web/DNS/email/etc. server, in which *every single incoming 
packet is unsolicited, and therefore, leaves no state to be inspected in the first place*, is absurd.

There is simply no valid argument for doing so.  Hardening the OS/apps/services, combined with stateless ACLs in 
hardware which can handle mpps, is the way to enforce policy.

In fact, the idea is such a poor one that one of the major firewall vendors came out with a 'stateful inspection 
bypass' feature - the idea being that, you buy their 10gb/sec, $100K-plus stateful firewall, stick it in front of 
servers, and then . . . disable the stateful inspection, heh.

;>

None of the large, well-known Web properties on the Internet today - at least, the ones which stay up and running, heh 
- have stateful firewalls in front of them.  Including prominent vendors of said stateful firewall solutions.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
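An added illustration of the argument above (not part of the original thread, and not the author's code): a small Python model contrasting a stateless per-packet ACL with a state-tracking device whose flow table fills up under unsolicited inbound connections. The policy, addresses and table size are constructed assumptions.

```python
# Added example (not from the NANOG thread): toy model of a stateless ACL
# versus a state-tracking firewall in front of a public server. Capacities,
# addresses and the policy below are constructed assumptions.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"

# Constructed policy: the server only offers HTTP, HTTPS and DNS.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}

def stateless_acl(pkt: Packet) -> bool:
    """Line-rate ACL: a per-packet match with no memory between packets."""
    return (pkt.proto, pkt.dst_port) in ALLOWED

@dataclass
class StatefulFirewall:
    """Keeps one entry per flow; refuses new flows once the table is full."""
    capacity: int
    table: set = field(default_factory=set)

    def admit(self, pkt: Packet) -> bool:
        if (pkt.proto, pkt.dst_port) not in ALLOWED:
            return False
        key = (pkt.src, pkt.proto, pkt.dst_port)
        if key in self.table:
            return True                 # packet belongs to a known flow
        if len(self.table) >= self.capacity:
            return False                # state exhausted: new clients dropped
        self.table.add(key)
        return True

def compare(flood_sources: int, capacity: int) -> dict:
    """Replay unsolicited SYNs from many sources, then one legitimate client."""
    fw = StatefulFirewall(capacity)
    for i in range(flood_sources):        # constructed flood: distinct sources
        fw.admit(Packet(f"198.51.100.{i}", 80))
    legit = Packet("203.0.113.7", 443)    # constructed legitimate client
    return {
        "stateful_admits_legit": fw.admit(legit),
        "stateless_admits_legit": stateless_acl(legit),
        "state_entries": len(fw.table),
    }

if __name__ == "__main__":
    print(compare(flood_sources=200, capacity=100))
```

The stateless ACL keeps admitting the permitted client because it has nothing to exhaust, while the state-tracking device, having created an entry for every unsolicited flow, starts refusing new legitimate clients once its table is full.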
