nanog mailing list archives
Re: D/DoS mitigation hardware/software needed.
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Tue, 5 Jan 2010 02:24:00 +0000
On Jan 5, 2010, at 9:17 AM, Tim Eberhard wrote:
I would argue that firewalls place is in fact directly in front of servers and load balancers to protect them.
The very idea of placing a stateful firewall in front of a Web/DNS/email/etc. server, in which *every single incoming packet is unsolicited, and therefore, leaves no state to be inspected in the first place*, is absurd. There is simply no valid argument for doing so. Hardening the OS/apps/services, combined with stateless ACLs in hardware which can handle mpps, is the way to enforce policy.

In fact, the idea is such a poor one that one of the major firewall vendors came out with a 'stateful inspection bypass' feature - the idea being that, you buy their 10gb/sec, $100K-plus stateful firewall, stick it in front of servers, and then . . . disable the stateful inspection, heh. ;>

None of the large, well-known Web properties on the Internet today - at least, the ones which stay up and running, heh - have stateful firewalls in front of them. Including prominent vendors of said stateful firewall solutions.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken
Current thread:
- D/DoS mitigation hardware/software needed. Rick Ernst (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Jeffrey Lyon (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Tim Eberhard (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Adrian Chadd (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Steve Bertrand (Jan 05)
- Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Łukasz Bromirski (Jan 09)
- RE: D/DoS mitigation hardware/software needed. Stefan Fouant (Jan 09)
- Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 09)
- RE: D/DoS mitigation hardware/software needed. Stefan Fouant (Jan 09)
- Re: D/DoS mitigation hardware/software needed. Jeffrey Lyon (Jan 09)
- Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 09)
- Re: D/DoS mitigation hardware/software needed. Jeffrey Lyon (Jan 04)
- Re: D/DoS mitigation hardware/software needed. jim deleskie (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Christopher Morrow (Jan 04)