nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: Doug Barton <dougb () dougbarton us>
Date: Tue, 22 Apr 2014 15:28:08 -0700

On 04/22/2014 01:49 PM, George Herbert wrote:
> As long as the various stateful firewalls and IDS systems offer hostile
> action detection and blocking capabilities that raw webservers lack,
> there are certainly counterarguments to the "port filter only" approach
> being advocated here.

Right, but now you're talking about something other than just a firewall.

> Focusing only on DDOS prevention from one narrow range of attack vectors
> targeting the firewalls themselves is narrow-minded.  The security threat
> envelope is pretty wide.  Vulnerabilities of similar nature exist on the
> webservers themselves, and on load balancer devices you will likely need
> anyways.

Again, sure, but removing a needless firewall from the equation is one less thing to worry about.

> Any number of enterprises have chosen that if a DDOS or other advanced
> attack is going to be successful, to let that be successful in bringing
> down a firewall on the external shell of the security envelope rather
> than having penetrated to the server level.

And if they are making that choice proactively, who am I to argue? I disagree, but their network, their rules.

What usually happens, though, is that enterprises believe that the firewall will protect them, without understanding that it can actually create a SPOF instead.

> Smart design can also handle transparently failing over should such a
> vendor-specific attack succeed.  The idea that anyone doing real, big
> complex networks would or has to accept any SPOF is ludicrous.  The
> question is, how important is avoiding SPOFs, and how committed you are.
> If the answer is "absolutely must, and we have enough budget to do so"
> then it's entirely doable.

Of course.

Doug
