Re: Checkpoint IPS

[BPNoC Group <bpnoc.lists () gmail com>]

On Sun, Feb 8, 2015 at 2:05 AM, Ca By <cb.list6 () gmail com> wrote:

> On Friday, February 6, 2015, Roland Dobbins <rdobbins () arbor net> wrote:
>
> > On 6 Feb 2015, at 23:23, Darden, Patrick wrote:
> >
> >  And when  your opinion is an acknowledged universal constant, I will tip
> > > my hat to you.
> >
> > It's been a constant for the last couple of decades - I can't count the
> > number of times I've been involved in mitigating penny-ante DDoS attacks
> > which succeeded *solely* due to state exhaustion on stateful firewalls,
> > 'IPS' devices, and load-balancers.
> >
> > I've seen a 20gb/sec commercial stateful firewall taken down by a 3mb/sec
> > spoofed SYN-flood.
> >
> > I've seen a 10gb/sec commercial load-balancer taken down by 60 second at
> > 6kpps - yes, 6kpps - of HOIC.
> >
> > And so on, and so forth.
> >
> > 'Dismiss' it all you like, but it's a real issue, as others on this list
> > know from bitter experience.
>
>
>
> Hi,
>
> Roland is right.  99% of network based security products are pure snake
> oil. Patch you servers, know your base line, statelessly filter unwanted
> traffic, rtbh as needed, sleep well at night.
>
> Bye.

Yeah, but Mr Tracanelli has a wider point. A firewall or IDS has its place
near the core, due to exhaustion not taking core routing down and taking
your availability away, while still adding security to it. While stateful
firewall / IPS / proxy belongs somewhere else deeper in the network, closer
to business logic than core/border.
Mr Dobbins' slides/presentation gives an idea that a proxy (waf, whatever)
fits sitting unprotected among routers and application servers, while its
also stateful and fragile enough to deserve previous protection.


> > -----------------------------------
> > Roland Dobbins <rdobbins () arbor net>