nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: Łukasz Bromirski <lukasz () bromirski net>
Date: Sat, 19 Apr 2014 20:44:14 +0200

On 19 Apr 2014, at 20:08, George William Herbert <george.herbert () gmail com> wrote:

> On Apr 18, 2014, at 9:10 PM, "Dobbins, Roland" <rdobbins () arbor net> wrote:
>
>> You can 'call' it all you like - but people who actually want to keep their servers up and running don't put
>> stateful firewalls in front of them,
>
> I don't know where you find ideas like this.

From the real world.

> There are stateful firewalls in the security packages in front of all the internet facing servers in all the major
> service providers I've worked at.  Not *just* stateful firewalls, but they're in there.

There's no sense in putting a stateful firewall in front of a DNS server,
unless the DNS server is underperforming, and then it should be
replaced rather than protected by a stateful firewall.

You can try to protect mail/WWW servers with stateful firewalls, but
it often achieves nothing except making the firewall the weakest link in
the setup. And tuning it to perform reasonably well under normal and
peak traffic is usually not achievable.

In case of a DDoS attack, the stateful firewall goes out first. I've
seen them burn too. To protect high-performance services, you do
stateless filtering + NetFlow-based QoS policies, or shunt to
dedicated DDoS filtering boxes.

Adding state where it's not needed is a sign of bad design. And just
because a lot of people do that doesn't make it any better.

-- 
"There's no sense in being precise when |               Łukasz Bromirski
 you don't know what you're talking     |      jid:lbromirski () jabber org
 about."               John von Neumann |    http://lukasz.bromirski.net

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
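As an added illustration of the stateless approach argued for in the message above (a ruleset written for this archive page, not code from the thread or from any of its participants): an nftables input policy for an IPv6 authoritative DNS server that never consults conntrack, shown beside the stateful chain it replaces. The server address 2001:db8::53, the management prefix 2001:db8:ff::/64, the interface and the per-source rate are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the NANOG thread. Assumptions (hypothetical):
# standalone authoritative DNS on 2001:db8::53, admins reach SSH only
# from 2001:db8:ff::/64, documentation prefixes used throughout.

flush ruleset

table inet dns_edge {
    # The stateful chain most people reach for first. Every query creates
    # a conntrack entry; under a query flood the table fills and packets
    # are dropped before the nameserver ever sees them. Kept commented
    # out purely for comparison.
    #
    # chain input_stateful {
    #     type filter hook input priority 0; policy drop;
    #     ct state established,related accept
    #     ct state invalid drop
    #     ip6 daddr 2001:db8::53 udp dport 53 accept
    #     ip6 daddr 2001:db8::53 tcp dport 53 accept
    # }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept

        # Stateless: no "ct" match anywhere below. Each decision depends
        # only on the headers of the packet in hand, so per-packet cost
        # is constant regardless of how many flows are in flight.

        # ICMPv6 the host cannot live without (neighbour discovery,
        # PMTUD, error reporting); the rest falls to the drop policy.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, destination-unreachable, time-exceeded, parameter-problem, echo-request } accept

        # The service itself. A per-source meter stops one source from
        # monopolising the box; it is the only state in the ruleset and
        # it is bounded by the meter's set size, not by attack volume.
        ip6 daddr 2001:db8::53 udp dport 53 meter dns_src { ip6 saddr limit rate over 2000/second } drop
        ip6 daddr 2001:db8::53 udp dport 53 accept
        ip6 daddr 2001:db8::53 tcp dport 53 accept

        # Answers to the server's own outbound queries (NOTIFY, AXFR/IXFR
        # as a secondary) come back from source port 53 to an ephemeral
        # port. Accept them by port and TCP flags, not by connection state:
        # a packet with ACK set is either a SYN-ACK or data, never a fresh SYN.
        ip6 daddr 2001:db8::53 udp sport 53 udp dport 1024-65535 accept
        ip6 daddr 2001:db8::53 tcp sport 53 tcp dport 1024-65535 tcp flags & ack == ack accept

        # Management only from the admin prefix.
        ip6 saddr 2001:db8:ff::/64 tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f dns-edge.nft` and confirm with `nft list ruleset` that no `ct` expression appears. The meter keeps one counter per source address in a dynamic set, which is far cheaper than a conntrack entry per query, but a flood from randomised spoofed sources will still exhaust it; that is exactly the point at which the thread's other two tools, NetFlow-driven QoS on the upstream routers or a shunt to a dedicated scrubbing box, have to take over, and neither of those lives on this host.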
